It’s our final installment of the passkey primer, so we’re going to discuss some of the most important security and privacy considerations that you should be aware of. If this is your first time checking in, here are the links to the earlier parts of the series:
If you remember back to our second edition, we discussed the different authentication factors: knowledge, ownership and characteristic. We also discussed the weakness of using only a single factor, like just a password. On top of this, we emphasized the need for two different factors, such as knowledge and ownership, for securing important things.
When you take a bird’s-eye view of passkeys, you realize that it actually combines two separate authentication factors. The user must have control of the device that the keys are stored on, so that gives us an ownership factor. They also must enter their PIN, pattern or biometrics, which gives us the second factor, either a knowledge or characteristic factor.
This is one of the major reasons that passkeys are being seen as a significant authentication improvement. It gives users a faster and easier way to be relatively secure. PINs and patterns may be easier to crack than strong passwords, and biometrics have their own issues, but passkeys do provide a reasonable compromise between security and usability. They aren’t the ideal solution for every scenario, but there are many situations where passkeys will probably be an improvement upon the status quo.
Passkeys are generally resistant to man-in-the-middle attacks because WebAuthn Authenticators send verifiable attestations to the relying parties. However, the registration process does have some openings for attackers. If an attacker injects malicious code into the relying party’s script during registration, and then inserts their own attestation object, they could fraudulently authenticate themselves in the future.
However, these attacks may be detectable because an attacker would have to tamper with all of the user’s future authentications with that relying party, otherwise the authentication would fail, which could reveal the attack. Protocols like TLS can help to prevent man-in-the-middle attacks during registration.
It’s important to note that while this registration vulnerability exists, it is also present in normal password registration.
If you are intrigued by passkeys and interested in implementing them in your organization, you will have to make sure that passkeys allow you to meet your compliance obligations. Passkeys are only just beginning to be rolled out, so you will need to confirm that your regulators view them as an appropriate form of authentication. If you can’t find a definitive answer, it’s probably best to stay away from them for now, especially in heavily regulated industries. You don’t want to risk a costly fine for violating the regulations.
Passkeys have been designed with a number of privacy-preserving measures. Biometric characteristics like facial recognition data or fingerprints are never sent to the relying party, so even if users authenticate with them, they don’t have to worry about PayPal scooping up their fingerprints.
Another privacy measure is that the public-key credentials are specific to each relying party and they are not revealed to other entities. The existence of public key credentials will only be revealed to a relying party if the user consents. This design helps to prevent user tracking.
While the standard for passkeys is designed to preserve privacy, this doesn’t mean that a user’s other information will necessarily be kept private. If you use passkeys to log in, but the website has other identifiers like your email and phone number, they can still track you. However, this is another problem independent of passkeys.
Passkeys aren’t perfect
While passkeys have their flaws, they are probably a net-benefit for our overall security. Some users will probably continue to have weak PINs and patterns, and hackers will figure out new circumvention techniques. But if passkeys can cut down on phishing as much as some of its promoters promise, that would be a huge win for security.