On Thursday, October 9, we tried to understand “Passkeys”. Websites such as Amazon have been asking account holders to set up “Passkeys” to log in, instead of using passwords. In the past, Club members treated these things with suspicion, since they didn’t know what they were. This YouTube video explains the concept behind them in an easy-to-understand way.
Here’s a summary from other sources:
A passkey is a password replacement that uses a pair of cryptographic keys, stored on your device, to verify your identity, allowing you to sign in with your fingerprint, face scan, or device PIN instead of a traditional password. Passkeys are more secure than passwords because there is nothing to guess, nothing you can be tricked into typing into a phishing site, and each passkey is tied to one specific website or app, so it can't be used on an impostor site. The website stores only the public half of the key, so a breach of its user database doesn't expose anything that lets an attacker log in as you. They also offer a simpler, faster, and more convenient way to log into accounts across your devices.
How passkeys work
- Key generation: When you create a passkey for a website or app, your device generates a unique pair of cryptographic keys: a public key and a private key.
- Public key storage: The public key is stored on the website’s server.
- Private key storage: The private key remains securely on your device and is never shared with the website or anyone else.
- Login process: When you try to log in, the server sends a one-time challenge that your device’s private key signs to prove it’s you.
- Verification: The server then uses the public key to verify this signature and grant you access to your account.
Why passkeys are better than passwords
- More secure: Passkeys are highly resistant to phishing attacks because they are bound to a specific website or app, and the private key never leaves your device.
- No need to remember anything: You don’t need to create or remember complex passwords.
- Faster and easier: Signing in is as simple as using your device’s existing unlock method, such as a fingerprint, face scan, or PIN.
- Cross-device compatibility: Passkeys can be synced across your devices through password managers or cloud services, so you can access your accounts from any device.
The implication is that a passkey pair is linked to a device and "the private key never leaves your device". However, passkeys can be synchronised across devices using a password manager, including Google's Password Manager, access to which is protected on a PC, for example, by a password. It all seems circular. How can both things be true: (a) the passkey never leaves your device, and (b) passkeys can be synced across your devices? Here's an explanation from Gemini:
Passkeys are synchronized by storing the encrypted private keys within a user’s operating system or a third-party password manager (like Apple iCloud Keychain or Google Password Manager) that securely syncs these encrypted credentials across your signed-in devices. This means the private key doesn’t leave your device for the initial creation, but a secure, encrypted copy is uploaded to the cloud service and then downloaded to your other devices, ensuring access even if one device is lost.
So an encrypted copy of your private key is uploaded to the sync service and later downloaded to another device. The service holds only that encrypted copy: it is encrypted before it leaves the first device and decrypted only on your other devices, so the sync provider itself cannot read the key, and the copy is only as safe as the secret (device PIN, password or account key) that unlocks it.
Here’s a summary of the Security Pros and Cons of passkeys:
Security pros:
- Passkeys are resistant to:
  - Phishing – with a password you can be tricked into typing it into a bogus site that looks like Google. A passkey is only ever offered for the site it was created on, so a look-alike domain in the browser's address bar can't request it, and the signed login response carries the site origin, which the real server checks.
  - Credential stuffing – with passwords, if you reuse your Google email/password on another site and that site is hacked, the attacker can use the leaked credentials to log into Google. Each passkey is a separate key pair for one site, so a leak from one site is useless anywhere else.
  - Brute force attacks, e.g. dictionary or rainbow table attacks – there is nothing to guess: the private key is a large random number that is never typed, and the website stores only the public key.
  - Replay attacks – every login signs a fresh, random, one-time challenge from the server, so a captured login response can't be submitted again; the private part of a passkey is never sent to a website (even a legitimate one).
- Passkeys can enforce user verification – requiring you to re-authenticate (typically with a fingerprint, face recognition or the device PIN) each time a passkey is used.
- Attestation allows a website to restrict the type of device(s) that can be used to store the passkey. For example, if a major vulnerability is found in a particular device (see below), the website's developers can block passkeys from that device; alternatively they could allow only particular devices. In practice this mainly applies to hardware security keys; passkeys synced through consumer password managers generally don't provide attestation.
Security cons:
1. As with a password manager, your passkeys are managed by your device, so it's possible (although unlikely) that malware on a compromised device steals them. Synced copies are also only as safe as the account, and the device PIN or password, that protect the password manager they are synced through.
2. The website you’re signing into may tell the browser to skip “user verification” in which case you just need to click a button to confirm the login. If your device is unlocked, anyone with access to it could use the passkey to sign in to a site/app.
3. The technology is still relatively new. As with all new features there’s a greater risk of security vulnerabilities. So whilst passkeys should be more secure than passwords, a bug could introduce vulnerabilities.
In summary, passkeys are more secure than passwords. However, many websites and apps don't yet support them and it will take quite a long time to roll them out. The most important thing is to lock your device (phone, laptop, tablet) securely. Biometric logins are recommended since you don't have to remember a PIN or password; bear in mind that your device still keeps a PIN or password as the fallback behind the biometric, so that one needs to be strong too.
Chris Betterton-Jones – Knowledge Junkie
