<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

RL Blog


Passkeys standard: Time to add it to your dev plans?

Forward-thinking DevOps shops are doing it already. Isn’t it time your team got on board?

Richi Jennings
Blog Author

Richi Jennings, Independent industry analyst, editor, and content strategist. Read More...


Passkeys, child of FIDO and W3C’s WebAuthn, looks almost ready for prime time. Apple and Google are supporting it — and being interoperable. Password managers are also getting on board.

2FA/MFA is great in theory, but OTP codes can be intercepted and websites are easily spoofed. Passkeys neatly automates a challenge/response exchange, with the secret being protected by biometrics.

Isn’t it time your dev team got on board, too? In this week’s Secure Software Blogwatch, we get below the surface blather.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Silver Birches.

Momentum building

What’s the craic? Jeffrey Schwartz reports — “Passkeys See Fresh Momentum With New Pilot Programs ”:

Continues to increase
New product announcements are building momentum for passkeys — digital credentials that enable passwordless authentication using private cryptographic keys. … Apple and Google, as well as leading password manager providers 1Password and Dashlane, [have] further extended their support for passkeys.

Proponents of passkeys … say they're more resilient to phishing attacks than … one-time passwords (OTPs), and various other forms of multifactor authentication (MFA) because each has a unique private and public key tied to a specific device [and] because they rely on biometric identification, such as face or touch ID, instead of passwords.

Passkeys … is based on the FIDO Alliance spec that implements the World Wide Web Consortium's (W3C) WebAuthn standard. … The number of organizations running pilots with passkeys continues to increase [including] several large banks, PayPal, Home Depot, Hyatt Hotels, Intuit, and Shopify.

New users are happy. Chris Smith’s reaction is typical — “I’ll never have to remember my Apple ID password again”:

You can use your iPhone’s Face ID
I have a hard time remembering my Apple ID password because I’m taking my own advice: I’m using a long, unique password. … But come iOS 17 and macOS Sonoma, I won’t have to remember my Apple ID password again. That’s because Apple is adding passkey support to each Apple ID account, making signing in a breeze.

You can use your iPhone’s Face ID to log into websites you load on your Mac. … That’s the “Sign in with iPhone” [or] “Sign in with Apple” … option.

If Passkeys == WebAuthn, why the new name? Arnaud Dagnelies explains — “WebAuthn vs. Passkeys”:

You should support WebAuthn/Passkeys
Passkeys is basically the platform's implementations of the WebAuthn. Until now, the protocol had a shortcoming: If the user lost their device, they lost the private key and were locked out of their accounts. Bam!

To circumvent that, Apple, Google and Microsoft decided to go forward with "Passkeys". This is basically nothing else than WebAuthn but they sync your private keys into the cloud. Your private keys are not tied to the device anymore.

The specification is overly complicated, long, unclear and … the specs differ from implementations and every platform and browser will deliver you another experience. [But] if you have sufficient resources and time … you should support WebAuthn/Passkeys. It is better security-wise and … it might be more convenient too.

Do you smell lock-in? Stavros Korokithakis is “Clearing up some misconceptions”:

A no-brainer
I am unreasonably excited about Passkeys, I’ve long been looking for a better/more convenient way than passwords to do authentication, and I think Passkeys is finally it. [But] there are always a lot of misconceptions that surface in the debate.

At its core, Passkeys is just a way for a website to ask your browser for authentication. … It’s not tied to a single company, and doesn’t rely on a single company’s implementation. I’ve implemented Passkeys on my sites for a while now, and I didn’t need anyone’s permission.

Passkeys … doesn’t mandate what you can use, it’s just a way to request some credentials. You can use … FaceID, or your phone’s secure chip, or just your password manager … and it will work with every compatible site. … Essentially, Passkeys is two authentication factors in one. [It’s] a no-brainer.

Want more? Vincenzo Iozzo and Kasper Mroz have more — “Threat modeling and implementation considerations”:

In most cases better than passwords
In other words, the browser talks to the authenticator through the CTAP2 protocol to perform the key creation and verification ceremonies initiated by a website through the WebAuthn APIs. [But] until recently, there was no established infrastructure to share key pairs across devices. … Apple and Google’s introduction of passkeys, coupled with their push to build ways to share credentials across devices, has significantly boosted interest.

Passkeys are key pairs. … The private key itself is stored in the persistent storage embedded in the authenticator.  …  The private key is encrypted with a second private key stored in the authenticator. The resulting blob is used as the credential ID … server-side [so] even if the credential database of a relying party is compromised … an attacker won’t be able to exploit them because no clear-text private key is ever shared.

However, no storage security guarantees are enforced on the authenticator [but] even an authenticator with lower security guarantees is in most cases better than passwords. … In general, non-roaming WebAuthn credentials stored on dedicated hardware security keys with biometrics/pin support should be safe as a replacement for MFA.

Forward-thinking DevOps shops are doing it already. Ben Lee-Cohen and Jeff Spencer are happy:

Can’t be phished
[We’ve] never supported password-based authentication. … We had to face a harsh reality: the password is outdated technology that requires kludges to use safely. [We] started by requiring users log in using reasonably well-managed Google and Microsoft auth providers. Over time we expanded our login options to include GitHub, Apple, and custom OIDC providers.

Now, we are happy to offer a modern replacement for passwords that meets our security requirements: Passkeys. … Each passkey is tied to the specific app or website it was created for, and can’t be phished by a lookalike domain name or fake login page design. … Rather than a password that can still be phished — you get strong credential that syncs securely across your devices, using your chosen password/passkey manager.

But are Apple and Google making their own walled gardens? No, says WorldMaker:

People think it by nature has to be a locked, walled garden, because Apple has the lead and loves walled gardens when it has the lead. I think that's why this newest rollout announcement is such great news: … Complete integration with the larger ecosystem of password apps already in the App Store … and a UX for grouping passkeys and sharing those groups with other contacts.

These UX flows would have been great to have seen in the initial rollout to assuage a lot of fears about Passkeys. It is great to see them happening right now while it is still early enough to stop most of the FUD before it starts to get … into average consumer ears.

Let’s do this. nbvb agrees:

Awesome — passwords can't die soon enough. Once folks start getting used to passkey authentication, it'll get the rest of the industry moving.

This is one of those, "We need big movers to move first instead of being fast followers," kind of things. [Otherwise] we'll be stuck with this completely stupid, "Remember a 36-character password with 4 symbols, 3 digits, at least two uppercase letter and two emojis," nonsense forever. … Let's do this.

But how can it be better than a complex, memorized password? AnniesBoobs says that’s not the point:

Passkeys isn't … targeted at you. It's targeted at the 'Password123!' or 'firstnamelastnamebirthday' crowd. Those are the people who aren't going to bother with trying to memorize a complex password (much less a unique one for every site).

And the password managers are getting on board. danShumway is eager to see one in particular:

I'm very eager to see what Bitwarden does here, they're the first big name that's actually Open Source … on board. It's hard to take passkeys seriously when the vast majority of implementations are completely proprietary.

Seeing what Bitwarden comes up with and seeing whether or not the process for self-hosted Bitwarden accounts is actually seamless and works on platforms like desktop Linux [is] going to be a really big test of whether passkeys can credibly be claimed to be actually cross-platform.

Meanwhile, why would they do that? Niclas Rupertseder lays it all out:

Password managers and passkeys might seem like strange bedfellows, [but they’re] embracing the inevitable: … To remain relevant and effective … password managers simply have to integrate passkeys.

LastPass is adapting to the era of passwordless security by incorporating passkeys as a substitute for master passwords. …
Bitwarden is to integrate passkeys and passwordless authentication into existing applications. …
Keeper Security recently rolled out passkeys storage capabilities. …
Dashlane is adopting passkeys by creating a dual 'key' system to secure user connections. …
1Password [is] planning to generate passkeys, support multiple devices and platforms, enable cross-platform synchronization, facilitate passkey sharing, and ensure data portability. …
NordPass is formulating a strategy to store passkeys [and] plans to integrate passkeys as the substitute to their master password.

And Finally:

21st century Bob Ross

Hat tip: Invisible Wizard

Previously in And finally

You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or ssbw@richi.uk. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Silas Köhler (via Unsplash; leveled and cropped)

Keep learning

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts

    Special Reports