This edition of the passkey primer is going to take a look at the options for accessing your accounts via passkeys from different devices, as well as your backup options. We covered the background in our earlier newsletters:
- An overview of passkeys
- The problems with passwords
- The cryptography behind passkeys
- How passkey authentication works
Passkeys are fairly adaptable and can be implemented in a range of different ways. The flow that we outlined in the previous newsletter was just one of the simplest examples. If you were really paying attention, you may have picked up a pretty significant flaw in it: The keys were just stored locally on the device.
In the current tech environment, we are frequently switching between laptops, phones and other devices, so only having an account’s keys on a single device would mean that you can’t access the account from other devices. This would be a serious limitation, making it hard to work between phones, tablets and laptops. It would also be a disaster if you lost the device, because you would be locked out of the account.
But don’t worry, the tech community wasn't that short-sighted, and there are a few solutions.
Authentication via Bluetooth
Let’s say you want to access your Google account on your laptop, but your passkeys are stored on your phone. This would be a big problem, except you can actually use your phone to sign in on your laptop, via Bluetooth. First, you would go to Google’s login page on your laptop, and you would see a button that says something along the lines of “Use another device to sign in”.
If you clicked it while the two devices were physically close and Bluetooth was on, you would then see a notification on your phone. In essence, it would say “You are trying to sign in to Google on your nearby computer. Here are the accounts.”
You would then choose the correct account, and your phone would prompt you for your PIN, pattern or biometrics to sign in. Once you successfully enter it on your phone, you would be able to access the account on your computer.
Hardware security tokens
Another option is to store your passkeys on a hardware security token like a YubiKey. You could use it for authentication across devices via NFC or USB—you just have to connect it, then enter your PIN or biometrics. While it’s a great option for security, it does have usability issues. You won’t be able to access the accounts via passkeys unless you have the hardware security token. You would want to have alternative plans in place that allow you to maintain access to your account, even if you lose the hardware token.
It’s also possible to sync your passkeys in the cloud via solutions like Google Password Manager and iCloud Keychain. If you log in to your Google account across any of your Google devices, you can access all of the passkeys stored in Google Password Manager. Apple devices provide the same flexibility.
While these options are great for usability and they allow users to access their keys even if their device is lost or stolen, they also come with problems. When passkeys are stored in the cloud, any attacker that can access the cloud account can access the passkeys as well. Users need to have 2FA on any cloud account that stores their passkeys, otherwise they would have a security catastrophe waiting to happen.
When users switch platforms, for example from iOS to Android, they can use the passkey from their old device to sign in to their account on the new device. After logging in, they can set up a new passkey on the new device. They could also use a hardware security key to authenticate on the new device. If neither option is available because the device was lost or stolen, they will have to go through account recovery procedures.
The WebAuthn recommendation
The WebAuthn specification recommends that users register a separate passkey for each frequently used device for a given account. As an example, your phone and laptop could use different passkeys to access the same account. This gives you access across devices and provides redundancy, without you having to back up or share the keys themselves.
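To make the recommendation concrete from the service's side, here is an added example (not code from the newsletter) of a relying party's per-account passkey registry: one credential per device, `excludeCredentials` so a device cannot enrol twice, `allowCredentials` so sign-in works from any enrolled device, and revocation of a single device's passkey when it is lost. The class name, account and credential ids are constructed; the `backedUp` bit is read from WebAuthn's authenticator-data flags byte (bit 3 backup eligible, bit 4 backed up), which is how a service learns whether a passkey is cloud-synced or device-bound.

```javascript
// Added example, not code from the newsletter: a relying party's per-account
// passkey registry following the WebAuthn advice of one passkey per device.
// Class and sample values are constructed; the flags layout is WebAuthn's
// authenticator-data flags byte (bit 3 = backup eligible, bit 4 = backed up).
class PasskeyRegistry {
  constructor() { this.accounts = new Map(); } // userId -> [{id, device, backedUp, revoked}]
  list(userId, activeOnly = true) {
    return (this.accounts.get(userId) || []).filter((c) => !activeOnly || !c.revoked);
  }

  // Registration options: excludeCredentials names every active passkey so
  // a device that is already enrolled cannot be enrolled a second time.
  registrationOptions(userId) {
    return { excludeCredentials: this.list(userId).map((c) => ({ type: "public-key", id: c.id })) };
  }

  register(userId, credentialId, device, flagsByte) {
    const creds = this.accounts.get(userId) || [];
    if (creds.some((c) => c.id === credentialId)) throw new Error("already registered");
    // Bit 4 (BS) set means the authenticator reports this key as synced to a cloud keychain.
    creds.push({ id: credentialId, device, backedUp: (flagsByte & 0x10) !== 0, revoked: false });
    this.accounts.set(userId, creds);
  }

  // Sign-in options: allowCredentials lists every active passkey, so the user
  // can authenticate from whichever enrolled device is at hand.
  authenticationOptions(userId) {
    return { allowCredentials: this.list(userId).map((c) => ({ type: "public-key", id: c.id })) };
  }

  // Device lost or stolen: revoke that device's passkey only; the others keep working.
  revoke(userId, credentialId) {
    const cred = this.list(userId, false).find((c) => c.id === credentialId);
    if (!cred) return false;
    cred.revoked = true;
    return true;
  }

  // Which passkeys would survive losing `device`: synced ones live on in the cloud
  // keychain, device-bound ones go with the hardware. None left means account recovery.
  survivingAfterLoss(userId, device) {
    return this.list(userId).filter((c) => c.device !== device || c.backedUp).map((c) => c.id);
  }
}

// Constructed walkthrough: phone passkey is cloud-synced (flags 0x1d), laptop's is device-bound (0x05).
const registry = new PasskeyRegistry();
registry.register("alice", "cred-phone", "phone", 0x1d);
registry.register("alice", "cred-laptop", "laptop", 0x05);
```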
The challenges of access across devices
Seamless passkey authentication across devices is something that the tech community is still working on. Especially in these early days, users will be responsible for ensuring that they can access their accounts when they need them, and that they also have recovery options in place.
While these aren’t issues that we should ignore, it’s also worth considering that passwords face their own set of problems. Users need to set up a unique password for each account and sync them across devices, which is often achieved through a password manager. But this means that they have to trust a third party to secure the passwords and make them available. On top of this, there are also issues like vendor lock-in.
While passkeys aren’t perfect yet, passwords aren’t either.