Password Protocol


There has been a good deal of talk about Passkeys and how this tool will replace passwords in the Apple environment.

What are Passkeys and how will they be used?

The FIDO Alliance was launched in 2013 when PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio came together to work on a passwordless authentication protocol. Today the alliance has hundreds of members, from large multinational businesses such as Amazon and Facebook to Wells Fargo and American Express. Governments from Australia to Germany to the UK to the US are participating as well.

Microsoft, Google and Apple have a vested interest in FIDO, given the online services and devices they provide. Credential compromise is a major concern for online platforms, and with mail, documents and whole business operations running through these three companies' services, there are major points of exposure.

Passwords are the source of over 80% of data breaches. With hundreds of millions of online accounts active today and over 50% of passwords being reused, a new way to secure business, personal and private data was needed. The FIDO Alliance came together to address passwordless tools and multi-factor authentication.

FIDO has brought tools like security keys, facial recognition, fingerprints, voice and Yubico keys into the marketplace.

Apple announced in early June 2022 that it would be moving to Passkeys; Google and Microsoft announced their own Passkey support at their major developer conferences around the same time.

The idea behind a Passkey is that instead of typing a password, users unlock their smartphones and verify a sign-in request to a website or online service. With a physical device (the phone), a biometric unlock on that device, and a unique signing key matched to each application or website, security will be greatly increased.

This concept was developed several years earlier. However, one of the greatest issues with the protocol was what happens if the phone is lost, misplaced, stolen or compromised. If the security was tied to the phone and the phone was gone, then all access to sites and applications would be lost with no way to recover it.

The FIDO Alliance released an update in March under which credentials are stored as a public and private key pair. The details of how this works are a bit more technical than we want to go into right now. The important point is that when a device needs to be replaced, enrolling the new device with Apple, Google or Microsoft's systems transfers the Passkey information to the new device. This resolves a major issue with the technology.

It is important to note that if a digital code rather than a biometric lock is used to lock the phone, that code needs to be strong as well. If the code is easy to guess, the device is easy to access and the Passkeys on it will be available.

Throughout the cybersecurity industry the advance put forth by the FIDO Alliance is seen as a very positive step forward in solving a major problem that plagues businesses large and small, and individuals, in an ever more connected world.

Research shows that far too many passwords are still reused across multiple websites, and over 70% of credentials are believed to have been compromised in the breaches known to date. Every step that brings us closer to a more secure environment is a welcome one.

There are two challenges we need to be aware of. The first is end-user adoption: users must enroll their credentials and devices, and then use them on the platforms that support the service. The second is that websites will need to update and recode their authentication process to meet the FIDO Alliance standard. Considering the number of websites with a login component, this is not expected to happen overnight.

Stay tuned for more information on how to make use of the Passkeys.
