I've been wrestling with passkeys. I get them, but I don't really get get them. HD's recent keynote at SecTor has some words about passkeys and how you really should use them. But, it's a keynote, meant to be broad, and pointedly not a deep dive on the technical details of this one technology.
And, since National Cybersecurity Awareness Month coincides with Halloween-time, this blog seems like the perfect time to peer into the crypt, dust off the cobwebs, and explore the weirdness (and spookiness) of passkeys, and why they make me uncomfortable.
Why the discomfort?
Most guides and explainers involving passkeys tend to elide over the details, and just assure you that passkeys are great. They stop phishing, they're more secure than passwords, and they're easier to use. No longer are you burdened with remembering and reusing passwords for logins.
> We've got passkeys! Don't you want a passkey? Hey, stop what you were trying to do and take a second to generate a passkey!
This pushiness is mostly what makes me suspicious. It sounds an awful lot like the pitches you hear for consumer VPNs — a cryptographic technology that promises to secure what ails you, from nosey spouses to sneaky ransomware ghouls to tyrannical governments. But of course, VPNs don't actually help you with most threats; they're mostly good for evading region locks on content, like watching Doctor Who outside of the UK.
But are passkeys actually great?
Despite my marketing spidey-sense, passkeys are pretty great. They're built on public key cryptography, which is a truly incredible mathematical trick. PGP, in particular, was a watershed moment in infosec, and passkeys have a direct lineage to PGP.
Here's an extremely simplified explainer of public key cryptography: when you're using a passkey, you're not transmitting or sharing a secret with the website you're authenticating to. Instead, you first let the website know who you are (represented by the public key part of the passkey), then prove that you are who you say you are (represented by using the private key part to solve a puzzle offered which is based on your public key part).
Since you never transmit the secret part, there's nothing to steal if bad guys intercept the communication or make off with the entire authentication database. (There are ways the bad guys could still steal your private key, but that means the call is coming from inside the house.)
You can't even share passkeys between sites, even if you wanted to, since every passkey is inextricably wrapped up with the site that it was generated for (it's part of the puzzle mentioned earlier). You can't tell someone your passkey over the phone, no matter how insistent or threatening they are. You can't share it with your adult kids who continue to leech off Netflix from you. The public part is public, and the private part is safely stored away.
All that said, it turns out that PGP is actually awful, mostly for usability reasons, and I'm worried that passkeys are setting up for a similar fate, unless something changes in how they're presented to the public.
Training on bad patterns
I think my biggest issue with passkeys, as implemented, is the oddly invasive user interface/user experience (UI/UX) that I've seen so far. "Hey, click these new buttons. It'll be great. Don't worry about details" is an awfully suspicious way to get people to do a thing that's actually great for them. It's very confusing to a security-aware person (me), and it's difficult to understand what's going on with the passkey pitch. The prompts themselves appear to be originating from the browser, but maybe it's the operating system? Or maybe it's my third-party password manager with a browser plugin? Turns out, depending on the site, it could be any of these.
What results (for me) is a deep feeling of discomfort, followed by a dismissal of the prompt, muttering, "Eh, I'll get to this someday." Not the greatest first (or tenth) experience with a passkey-generating opportunity.
But let's say this tactic does work. I have come around to the belief that regular people don't actually think this hard about passkeys, and just kind of go with whatever looks to be the most obvious path so they can get on with whatever task they were about to do. You see a prompt for a passkey, you click okay, scan your fingerprint or a QR code, and then you're good.
Does this mean that a well-designed fake site can similarly just prompt people, pretty unexpectedly upon login, and get them to click a few things? Is this what we really want to train people to do? I feel like we're still struggling with the practical effects of clickjacking when it comes to leaking password data, and I'm not exactly thrilled that passkey enrollment feels an awful lot like a clickjacking scam.
But seriously, are passkeys good?
Yes. More precisely, passkeys are good at what they're good at:
Discouraging memorized passwords
Discouraging password reuse
Discouraging password sharing
Discouraging needless password resets
What passkeys aren't particularly good at today is defending against site breaches. This may be because they're new, but I've yet to see an authentication option that either starts with a passkey (where you never actually set a password), or removes password authentication entirely (like with ssh keys and PasswordAuthentication no). This means that my shared secret password is still in the mix, and an attacker can pull all the traditional tricks with password stealing that passkeys are immune to: offline cracking, online guessing, credential stuffing, and all the rest. Passwords are still alive and well even when you "switch" to passkeys, so even if I'm using passkeys and totally on board, I can still be tricked or convinced into giving up my foundational password, and a compromise of my favorite websites will still expose my usable passwords to bad guys. Purportedly, for a few sites, it's possible to go through an initial signup and establish a passkey all without that first-and-fallback password, but today, that's very much the exception.
Passkeys are everywhere apparently
Incidentally, the whole "keep your private key in a single, special place" idea of passkeys seems to be rapidly fading, now that Microsoft, Apple, and Google are cheerfully syncing passkeys between devices, not to mention password managers like 1Password, Dashlane, and BitWarden. The private part of the passkey itself is encrypted and requires something like Apple TouchID or Windows Hello to unlock, of course, but the major implementations are definitely passing this encrypted blob around, which, to a layperson, sure doesn't feel like their new passkey is locked down in one special secure place.
So, if you're like me, and you're already familiar with your cloud-synced password manager, there's just not a ton of upside with passkeys. I'm already solving nearly all the problems that passkeys solve well. Again, it may be because they're new, and the major players here are slow to pick them up or make a stellar, but short, case for their use. They do seem slightly more convenient than using a password manager, and even if the passkey is lost, the tried and true password auth scheme is still available, for good or ill. And of course, the tech itself is actually and truly super cool.
I'm mostly over my discomfort with them, and can confidently recommend their use, if you're into them. They're no worse than passwords, which I know isn't exactly a ringing endorsement. I suspect we'll get there as the best way to authenticate to websites, but in the meantime, we're still in this kinda-good, at-least-not-harmful situation.
This blog is the second in a series of consumer tech-centric blogs here at runZero for National Cyber Security Awareness Month.
Check out the first NCSAM post here: Exorcising the ghosts of forgotten devices