National Cyber Security Awareness Month: Tales from the crypt…ographically secure authentication system, passkey

I’ve been wrestling with passkeys. I get them, but I don’t really get get them. HD’s recent keynote at SecTor has some words about passkeys and how you really should use them. But, it’s a keynote, meant to be broad, and pointedly not a deep dive on the technical details of this one technology.

And, since National Cybersecurity Awareness Month coincides with Halloween-time, this blog seems like the perfect time to peer into the crypt, dust off the cobwebs, and explore the weirdness (and spookiness) of passkeys, and why they make me uncomfortable.

Why the discomfort? #

Most guides and explainers involving passkeys tend to gloss over the details, and just assure you that passkeys are great. They stop phishing, they’re more secure than passwords, and they’re easier to use. No longer are you burdened with remembering and reusing passwords for logins.

> We’ve got passkeys! Don’t you want a passkey? Hey, stop what you were trying to do and take a second to generate a passkey!

This pushiness is mostly what makes me suspicious. It sounds an awful lot like the pitches you hear for consumer VPNs — a cryptographic technology that promises to secure what ails you, from nosey spouses to sneaky ransomware ghouls to tyrannical governments. But of course, VPNs don’t actually help you with most threats; they’re mostly good for evading region locks on content, like watching Doctor Who outside of the UK.

But are passkeys actually great? #

Despite my marketing spidey-sense, passkeys are pretty great. They’re built on public key cryptography, which is a truly incredible mathematical trick. PGP, in particular, was a watershed moment in infosec, and passkeys have a direct lineage to PGP.

Here’s an extremely simplified explainer of public key cryptography: when you’re using a passkey, you’re not transmitting or sharing a secret with the website you’re authenticating to. Instead, you first let the website know who you are (represented by the public key part of the passkey), then prove that you are who you say you are (represented by using the private key part to solve a puzzle offered which is based on your public key part).

Since you never transmit the secret part, there’s nothing to steal if bad guys intercept the communication or make off with the entire authentication database. (There are ways the bad guys could still steal your private key, but that means the call is coming from inside the house.)

You can’t even share passkeys between sites, even if you wanted to, since every passkey is inexorably wrapped up with the site that it was generated for (it’s part of the puzzle mentioned earlier). You can’t tell someone your passkey over the phone, no matter how insistent or threatening they are. You can’t share it with your adult kids who continue to leech off Netflix from you. The public part is public, and the private part is safely stored away.

All that said, it turns out that PGP is actually awful, mostly for usability reasons, and I’m worried that passkeys are setting up for a similar fate, unless something changes in how they’re presented to the public.

Training on bad patterns #

I think my biggest issue with passkeys, as implemented, is the oddly invasive user interface/user experience (UI/UX) that I’ve seen so far. “Hey, click these new buttons. It’ll be great. Don't worry about details” is an awfully suspicious way to get people to do a thing that’s actually great for them. It’s very confusing to a security-aware person (me), and it’s difficult to understand what’s going on with the passkey pitch. The prompts themselves appear to be originating from the browser, but maybe it’s the operating system? Or maybe it’s my third-party password manager with a browser plugin? Turns out, depending on the site, it could be any of these.

What results (for me) is a deep feeling of discomfort, followed by a dismissal of the prompt, muttering, “Eh I’ll get to this someday.” Not the greatest first (or tenth) experience with a passkey-generating opportunity.

But let’s say this tactic does work. I have come around to the belief that regular people don’t actually think this hard about passkeys, and just kind of go with whatever looks to be the most obvious path so they can get on with whatever task they were about to do. You see a prompt for a passkey, you click okay, scan your fingerprint or a QR code, and then you’re good.

Does this mean that a well-designed fake site can similarly just prompt people, pretty unexpectedly upon login, and get them to click a few things? Is this what we really want to train people to do? I feel like we’re still struggling with the practical effects of clickjacking when it comes to leaking password data, and I’m not exactly thrilled that passkey enrollment feels an awful lot like a clickjacking scam.

But seriously, are passkeys good? #

Yes. More precisely, passkeys are good at what they’re good at:

  • Discouraging memorized passwords

  • Discouraging password reuse

  • Discouraging password sharing

  • Discouraging needless password resets

What passkeys aren’t particularly good at today is defending against site breaches. This may be because they’re new, but I’ve yet to see an authentication option that either starts with a passkey (where you never actually set a password), or removes password authentication entirely (like with ssh keys and PasswordAuthentication no). This means that my shared secret password is still in the mix, and an attacker can pull all the traditional tricks with password stealing that passkeys are immune to: offline cracking, online guessing, credential stuffing, and all the rest. Passwords are still alive and well even when you “switch” to passkeys, so even if I’m using passkeys and totally on board, I can still be tricked or convinced into giving up my foundational password, and a compromise of my favorite websites will still expose my usable passwords to bad guys. Purportedly, for a few sites, it’s possible to go through an initial signup and establish a passkey all without that first-and-fallback password, but today, that’s very much the exception.

Passkeys are everywhere apparently #

Incidentally, the whole “keep your private key in a single, special place” idea of passkeys seems to be rapidly fading, now that Microsoft, Apple, and Google are cheerfully syncing passkeys between devices, not to mention password managers like 1Password, Dashlane, and Bitwarden. The private part of the passkey itself is encrypted and requires something like Apple TouchID or Windows Hello to unlock, of course, but the major implementations are definitely passing this encrypted blob around, which, to a layperson, sure doesn’t feel like their new passkey is locked down in one special secure place.

So, if you’re like me, and you’re already familiar with your cloud-synced password manager, there’s just not a ton of upside with passkeys. I’m already solving nearly all the problems that passkeys solve well. Again, it may be because they’re new, and the major players here are slow to pick them up or make a stellar, but short, case for their use. They do seem slightly more convenient than using a password manager, and even if the passkey is lost, the tried and true password auth scheme is still available, for good or ill. And of course, the tech itself is actually and truly super cool.

I’m mostly over my discomfort with them, and can confidently recommend their use, if you’re into them. They’re no worse than passwords, which I know isn’t exactly a ringing endorsement. I suspect we’ll get there as the best way to authenticate to websites, but in the meantime, we’re still in this kinda-good, at-least-not-harmful situation.

This blog is the second in a series of consumer tech-centric blogs here at runZero for National Cyber Security Awareness Month.

Check out the first NCSAM post here: Exorcising the ghosts of forgotten devices

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!.

Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
