The widespread reliance on passwords has long been a significant security concern for individuals and organizations. In collaboration with the W3C WebAuthn working group, the FIDO Alliance has developed a set of standards to address various security needs. These FIDO-based solutions, coupled with the recent implementation of passkeys (also referred to as multi-device FIDO credentials), are transforming the authentication landscape, making it more secure and user-friendly.
The FIDO Alliance's Solution
FIDO, or Fast Identity Online, offers a secure and easy-to-use alternative to password-based authentication. FIDO standards employ public key cryptography: the user's private key is generated on and never leaves their device, and only the public key is shared with the service provider, which significantly reduces the risk of phishing and other credential-theft attacks.
Traditionally, the FIDO authentication process involves using a physical device, such as a security key or a smartphone, as a second factor to verify the user's identity. Recently, there has been a shift towards transforming smartphones into roaming authenticators. This approach enables users to utilize their mobile devices to authenticate on other devices, such as laptops and tablets, without requiring additional hardware.
Passkeys, or multi-device FIDO credentials, are a new implementation that allows users to sync their credentials across multiple devices. This means that users can authenticate on different devices with ease. Companies like Google, Apple, and Microsoft have integrated this feature into their operating systems, ensuring that users' FIDO credentials are readily available when needed.
The security of synced passkeys depends on the underlying platform's authentication mechanisms. In most cases, this provides a strong signal of the user's identity to the service provider. However, additional verification steps can be employed if needed when signing in from a new device.
Benefits of Transitioning from Passwords to Passkeys
The shift from passwords to passkeys offers numerous advantages:
- Elimination of password-related threats: When data breaches occur, attackers often gain access to users' passwords, which they then use against the breached service and other websites. Passkeys completely mitigate this risk, as a breach would only reveal the public key, which cannot be used to authenticate across services without the corresponding private key.
- Improved security: Passkeys provide stronger authentication methods, reducing the risk of phishing attacks and other cyber threats.
- Enhanced user experience: Users can enjoy a seamless authentication process across multiple devices without remembering complex passwords.
- Simplified deployment: FIDO allows organizations to achieve a high level of security without the complexity and cost associated with traditional smart card deployments.
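To make the public-key mechanism described above concrete, here is an added Go example (not code from this article, the FIDO Alliance or any vendor) of a simplified WebAuthn-style sign-in: the website stores only a public key, the device signs a server challenge bound to the origin the browser actually saw, and the server rejects a signature produced on a look-alike origin or over a stale challenge. The rpId "example.com", the origin URLs, the credential id and the challenge bytes are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty is the website: ID is its rpId (constructed value below) and Keys holds only public keys, so a breach of this table yields nothing an attacker can sign in with.
type RelyingParty struct{ ID string; Keys map[string]*ecdsa.PublicKey }

// Authenticator models the user's device; the private key is generated there and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register creates a key pair on the device and sends the RP only the public half.
func Register(rp *RelyingParty, credID string) *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if the OS RNG is broken
	rp.Keys[credID] = &priv.PublicKey
	return &Authenticator{priv: priv}
}

// signedDigest binds rpId, the origin the browser saw and the challenge into the signed bytes (simplified from WebAuthn's authenticatorData || sha256(clientDataJSON)).
func signedDigest(rpID, origin string, challenge []byte) []byte {
	rpHash, originHash := sha256.Sum256([]byte(rpID)), sha256.Sum256([]byte(origin))
	h := sha256.Sum256(append(append(rpHash[:], originHash[:]...), challenge...))
	return h[:]
}

// Assert signs the RP's challenge; origin is filled in by the browser, so a look-alike page cannot forge it.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, origin, challenge))
}

// Verify accepts a signature only for this exact challenge, from the expected origin, under a registered key.
func (rp *RelyingParty) Verify(credID string, challenge []byte, origin string, sig []byte) bool {
	pub, ok := rp.Keys[credID]
	return ok && ecdsa.VerifyASN1(pub, signedDigest(rp.ID, origin, challenge), sig)
}

// Demo registers one passkey, then tries a genuine sign-in, a look-alike page's sign-in and a replayed signature.
func Demo() (genuine, lookalike, replay bool) {
	rp := &RelyingParty{ID: "example.com", Keys: map[string]*ecdsa.PublicKey{}}
	auth, site, ch := Register(rp, "cred-1"), "https://example.com", []byte("constructed-challenge-1")
	sig, _ := auth.Assert(rp.ID, site, ch)                    // genuine site (real RPs draw a fresh random challenge each time)
	psig, _ := auth.Assert(rp.ID, "https://evil.example", ch) // look-alike page: the browser reports its real origin
	return rp.Verify("cred-1", ch, site, sig), rp.Verify("cred-1", ch, site, psig), rp.Verify("cred-1", []byte("stale"), site, sig)
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

The stored public key alone cannot produce a valid signature, which is why a breach of the Keys table is not reusable against this or any other site.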
As with any new technology, privacy considerations must be addressed. Per Google, while biometric authentication is how a user validates their identity when interacting with a website, the biometric information never leaves the user's personal device. Additionally, passkeys are designed so that no information that could be used as a cross-site tracking mechanism is shared with the sites they are used on.
If you would like to begin using a passkey for your Google Account, you can visit https://g.co/passkeys. For Apple and iPhone devices, you can visit https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios.
The evolution of passkeys offers a promising alternative to the existing reliance on passwords. By providing enhanced security and a better user experience, passkeys are set to revolutionize how we authenticate across a wide range of use cases, from consumer-level applications to high-security government and enterprise systems. This paradigm shift in authentication methods not only addresses the inherent vulnerabilities of passwords but also paves the way for a more secure and user-friendly future in digital security.
By Joshua Ivy, Information Security Analyst
Joshua is a new addition to the TraceSecurity team, bringing with him a wealth of experience from 20 years of service in the US Navy, with his last two years spent as an ISSM in Virginia Beach. He currently holds multiple industry certifications, most notably, CompTIA Security+, Pentest+, CySA, and is looking forward to graduating with a Bachelor's in Cybersecurity Technologies by the end of 2024. At TraceSecurity, he primarily focuses on penetration tests, risk assessments, and IT security audits.