Passkeys - the better passwords?

For readers in a hurry

  • People are a computer's greatest vulnerability - at least where user names and passwords, and thus access to data and applications, are concerned. That makes people a prime target for attackers.
  • Two-factor authentication has not fundamentally changed this. Using social engineering, resourceful cyber criminals look for and find ways to make a user reveal their second factor so that they can log in to the user's system.
  • Passkeys are intended to change this: instead of a user name and password and a second factor, a passkey will in future be created automatically when registering for an application, half of which will be stored on the end device and half in the application.
  • If the user wants to log in to the application, the passkey is used in the background to authenticate the user. There is no need to enter a user name and password. Cyber criminals cannot use social engineering to spy on the passkey.
  • The major Internet browser manufacturers are already starting to implement passkey technology. Some website operators already offer passkeys for logging in. A broad, worldwide roll-out is just around the corner.

Tip to try out

AI is playing an increasingly dominant role in security; the threats are too complex for human responsiveness alone to be sufficient. If you are interested in a carefully compiled weekly newsletter, the Handelsblatt AI Briefing is a good choice. It mainly cites German-language sources and reports, which gives a good impression that the world is not standing still in German-speaking countries either. Incidentally, the briefing is free of charge.

Passwords - a problem in the cloud age

Passwords have been the de facto standard for authenticating users for decades. However, they are increasingly becoming a problem:

  • We easily forget them.
  • We use them several times.
  • They can easily be stolen.
  • They can be intercepted and misused.

Especially in today's heterogeneous system landscapes, users have to manage, use and securely store more than 100 passwords. That is a risk for every company: after all, who wants their CRM leads, order data or internal documents to be accessible to unauthorized persons?

Password managers make access management more secure, but they do not remove the inherent problem of passwords: the password itself still has to be transferred between client and server.

Certificate-based login has so far failed to establish itself because of time-consuming administration and the lack of standards at application level. Who wants to manually create a certificate for every Internet application, upload the public key, securely store the private key and then make sure that authentication actually works at login?

Passkeys change that. The time for passwords is running out.

What are passkeys?

Passkeys are access credentials that are generated and stored on the user's end device when registering with an application or website. The user no longer chooses a user name and password; instead, the end device generates a pair of keys in the background, one of which is transferred to the application or website and stored there as the counterpart. When the user later logs in, these credentials are used to authenticate the user. There is no need to enter a user name or password.

What do the steps look like in detail?

Registration

  1. A user goes to a website to register there.
  2. The website has implemented the passkey standard (the standardized FIDO protocol "WebAuthn") and sends the user a configuration file containing the request to generate a passkey - presented, for example, as a QR code.
  3. The user's end device (e.g. smartphone, notebook) receives this configuration file (e.g. the QR code) and displays it to the user.
  4. The configuration file is read automatically by an authenticator program that supports the FIDO WebAuthn standard (e.g. a password manager, but also the key management built into the operating system).
  5. The authenticator program then generates a unique key pair: one private key and one public key. This pair is not used anywhere else in the world.
  6. The private key is stored on the user's end device with additional biometric protection (e.g. in the password manager), while the public key is transferred to the web application and stored there automatically. Together, the private and public keys make up the "passkey".

Login

When the user logs in to the website, the following steps are carried out:

  1. The website sends the user's device an "authentication challenge": a dynamically generated message that the user's device (or its browser) is to sign with the private key.
  2. The authenticator program recognizes this request and asks the user to authenticate with their biometric data, e.g. a fingerprint or face scan.
  3. If this check succeeds, the authenticator program signs the authentication challenge and sends the signed version back to the website.
  4. The website uses the stored public key to check whether the signature over the challenge is valid. If it is, the website grants the user access.

Essentially, the passkey procedure corresponds to a digital certificate procedure. The website uses the public key to verify that the message was signed with the associated private key ("thumbprint") and treats a valid signature as successful authentication of the user.

Passkeys build on the principles of digital certificates.

Advantages of Passkeys

Security

The combination of public key cryptography (a unique private and public key pair) and biometric authentication eliminates password reuse, the spying out of a second factor (there is no "token" that the user has to enter) and password theft from servers (only the public key is stored there; it is public anyway and is of no use without the private key).

Comfort

The passkey procedure is more convenient for the user, as they no longer have to remember user names and passwords to log in to an application.

Phishing resistance

The secret part of a passkey, the private key, is never stored in any application or on any website, and the user never has to enter it anywhere. The attack surface for "social engineering" is therefore significantly smaller.

Platform independence

As passkeys are a web standard implemented by all major Internet browser manufacturers, the procedure can be used on all end devices and all operating systems. Not even a password manager is required, as the operating system itself provides the functionality.

When are passkeys coming?

An important prerequisite for the broad use of passkeys is implementation in all common browsers and in as many web applications as possible.

Windows 10, macOS Ventura and ChromeOS 109 as well as iOS 16 or Android 9 are the minimum basic requirements. Chrome 109, Safari 16 or Edge 109 are also required, although higher versions will of course work.

By the end of 2023, PayPal will already offer authentication via passkey. Others will follow.

The question is not whether passkeys will catch on, but how long it will take application developers to implement this new, more secure password standard. We are excited and are already relying on this technology.

Passkeys make the world a safer place.

About Business Automatica GmbH:

Business Automatica reduces process costs by automating manual activities, increases the quality of data exchange in complex system architectures and connects on-premise systems with modern cloud and SaaS architectures. Applied artificial intelligence in the company is an integral part of this. Business Automatica also offers automation solutions from the cloud that are geared towards cyber security.