Currently, the prevailing app authentication methods rely on email/password combos alongside SMS-based two-factor authentication, which has become a cultural norm for accessing cloud-based accounts. However, this approach carries numerous security pitfalls. Passwords are prone to being forgotten and are often jotted down on vulnerable cheat-sheets, susceptible to theft. Password recovery via email is susceptible to hacking, often going unnoticed by the owner. Two-factor phone authentication can be compromised through SIM swaps, granting malicious entities access to six-digit codes. Additionally, storing passwords on servers using MD5 hashes poses risks — if the server is breached, common passwords can be reconstructed via reverse lookup in large MD5 hash databases. While password managers offer a solution by generating unique 128-bit passwords for each account, compromising the manager exposes all accounts.
In 2023, data breaches in the United States cost over $12.5 billion USD, with a 21% year-on-year increase, highlighting the escalating severity of the issue. Merely layering patches atop this flawed system, such as adopting Google’s Time-based One-Time Passwords (TOTP), won’t suffice. What’s necessary is a paradigm shift in approaching the authentication conundrum and cybersecurity at large.
The email/password protocol, coupled with two-factor authentication, not only suffers from security flaws but also imposes significant time burdens on users. Entering passwords via keyboard and retrieving six-digit codes from phones, which may not always be within reach, adds unnecessary complexity. Although this process can be streamlined by saving credentials to a keychain, it amplifies security risks if the device is compromised. Furthermore, relying on keychains often leads to password forgetfulness.
Passkeys and WebAuthn
To tackle the security issues of the email/password system, even with two-factor authentication, the FIDO2 Alliance, led by Microsoft, developed the Passkey protocol. Unlike passwords, which are stored as MD5 hashes on servers and are vulnerable to breaches, Passkey uses public/private key cryptography. The private key stays on the user’s device and is never shared with the server. For authentication, the server sends a challenge to the device, which signs it with the private key and sends the signature back. The server verifies the signature using the public key it has stored. If the signature is valid, the user is authenticated. WebAuthn, an open-source toolkit from the FIDO2 Alliance, helps implement Passkey on servers. The key advantage of WebAuthn is that even if a server is breached, only public keys are exposed, which are useless without the private keys. Since there is no central store of hashed passwords, an attacker would have to access each user’s device individually, which is a tough task because mobile keychains are protected by biometrics like Face ID and Touch ID.
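The challenge/response exchange described above, as an added Node.js example that is not part of the original article or of any FIDO/WebAuthn library. It is a simplified model of the server-side assertion check: `example.com`, the function names and the in-memory challenge set are assumptions, and attestation, CBOR parsing and signature counters are left out.

```javascript
const crypto = require('crypto');

// Assumed relying-party values for this sketch.
const RP_ID = 'example.com';
const ORIGIN = 'https://example.com';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Device: the key pair is generated locally; only publicKey is sent to the server.
function createCredential() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device: sign authenticatorData || SHA-256(clientDataJSON), the WebAuthn signing input.
// The origin is filled in by the browser, not by the page requesting the signature.
function signAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const flags = Buffer.from([0x05]); // user present (0x01) + user verified (0x04)
  const counter = Buffer.alloc(4);   // signature counter, fixed at 0 in this sketch
  const authenticatorData = Buffer.concat([sha256(new URL(origin).hostname), flags, counter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server: challenges are random and single-use.
const pending = new Set();
function issueChallenge() {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.add(challenge);
  return challenge;
}

// Server: holds only the public key; returns 'ok' or the reason for rejection.
function verifyAssertion(publicKey, assertion) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const clientData = JSON.parse(clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (!pending.delete(clientData.challenge)) return 'unknown-or-replayed-challenge';
  if (clientData.origin !== ORIGIN) return 'wrong-origin';
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong-rp-id';
  if ((authenticatorData[32] & 0x05) !== 0x05) return 'user-not-verified';
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad-signature';
}

// Demo: one login, then the same assertion presented a second time.
const demoKeys = createCredential();
const demoAssertion = signAssertion(demoKeys.privateKey, issueChallenge(), ORIGIN);
console.log(verifyAssertion(demoKeys.publicKey, demoAssertion));
console.log(verifyAssertion(demoKeys.publicKey, demoAssertion));
```

The server never sees the private key, and the single-use challenge plus the origin check are what keep a captured response from being accepted again or accepted from a different site.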
Passkey is poised to become the future of app authentication, set to replace the email/password protocols just as digital cameras overtook analog film two decades ago. However, there are significant challenges. First, implementing Passkey is complex, involving numerous components on both the client and server sides. This complexity has slowed adoption, even though the flaws of email/password systems are well-known. Second, there’s a deep-seated reliance on email/password solutions. Users have invested in password managers and strategies that provide a sense of security, despite frequent breaches. SMS-based two-factor authentication, while flawed, is still trusted as an additional safeguard. Lastly, the vast existing infrastructure built around email/password authentication presents a hurdle. Companies will be slow to adopt Passkey, needing to integrate it with their legacy systems. Each app’s unique authentication solution further complicates the integration of Passkey, making it a non-standard effort for every implementation.
Passkey and WebAuthn are excellent technologies that promise a much more secure future for cloud-based application authentication. However, they are complex to implement and may be overkill for many permission-based uses. They are particularly excessive for transient uses like in-person access to shared resources and for less compute-intensive platforms like IoT devices, which often lack a screen, keyboard, keychain, or camera.
Principles of Authentication
All software authentication is built on three principles:
- A secret you know
- What you have
- Who you are
Initially, authentication relied solely on a secret you know: a password, a passcode, or answers to security questions. The issue with this method is that someone else could also know or guess this information. Passwords are especially vulnerable — they can be guessed if they’re obvious, which they often are for ease of remembering, or they can be hacked due to how they’re stored on a server.
To address the weaknesses of knowledge-based authentication, the system can also use things you have. This is where two-factor authentication (2FA) comes into play. If you have a phone, the authentication server can send a code to verify your identity, assuming only you possess your phone and know your password. 2FA can also be done through email. However, what you have can also be hacked remotely — phones can have their SIM cards swapped, and emails can be compromised without the user’s knowledge, as they are often protected by a password or another layer of 2FA.
There are three vulnerable points in an authentication system:
- Account setup
- Account login
- Account recovery
Many overlook account creation as a vulnerability, but it is crucial. Account creation must be safeguarded with the same level of security as login, typically with 2FA of the email or phone number being registered.
Login is another vulnerable point, especially when passwords and 2FA are involved. If a password is stored in a device’s keychain and the device is compromised, unauthorized access is easy. Passkeys enhance security during login because they require retrieving a private key to sign a server challenge, and that retrieval is usually guarded by biometric authentication. With public/private key cryptography, breaching the server’s data is futile, since only public keys are stored on the server and they are useless to hackers.
Account recovery poses the greatest risk. In password-based systems, recovery happens when a password is compromised or lost, and a recovery link is sent to the associated email or phone. If either is compromised, unauthorized access can occur by simply changing the password. Passkeys mitigate this risk as recovery involves biometric verification and there’s no traditional recovery process. Passkeys are stored in device keychains linked to unique handles. The exception is extending passkey access to a different device, like an iOS user wanting to use their passkey on an Android phone or Windows PC.
Problems Passkeys solve
In summary, passkeys address several security issues that have plagued email/password solutions for decades, issues that come with significant economic costs to mitigate. Passkeys focus on what the user has — private keys cryptographically stored on client devices — rather than a secret that the user knows, such as a password or passcode. Access to these private keys is protected by a device’s biometric verification, ensuring the user is who they claim to be.
- Passkeys use public/private key encryption, which is virtually uncrackable by malicious third parties. Users no longer need to save or remember passwords that others could discover.
- Servers do not store password information, so even if they are compromised, the user’s authentication credentials remain safe.
- Passkey private key signing is protected by biometric verification at the device level, ensuring users are who they claim to be.
- Authentication does not rely on secondary devices like phones for two-factor authentication, which can be compromised.
The bottom line is that email/password schemes allow bad actors to impersonate users, bypass authentication, and gain system access at the real users’ expense. Passkeys provide a well-designed defense against this type of threat.