Passkeys and Modern Authentication

What do security professionals think about passkeys? In particular, those who were not involved in designing them. Lots of the arguments in this article feel very much like the sort of thing one would expect from someone into open source (not saying they are wrong, and I think they are well explained here) but I feel they will inevitably be the product of different concerns than those a security practitioner might have.

Security people are generally pretty positive on Passkeys. Eliminating passwords has been the white whale of information security for over 3 decades. Practitioners are generally positive about FIDO2 (Yubikeys are fetish objects for them). I think message board people would probably be surprised at security practitioner attitudes towards Apple and Google authentication lock-in (locking my team into Google authentication would be one of my first moves at a new firm, and that's not an idiosyncrasy of mine so much as me doing what other CISO-types all say they do).

I helped implement support for passkeys in a banking product. They obviate so many attack vectors and adoption is high enough that it should be a requirement to at least support them.

We already require TOTP-based 2FA, and have even implemented secure TOTP via our mobile apps. Customers still do not understand 2FA and probably never will; we regularly have customers request 2FA resets after using their 10 backup codes. SMS- or email-based 2FA is a no-go.

We don't require hardware attestation, as that is the recommendation of the FIDO alliance and Google/Apple/Microsoft. It doesn't make sense to cut out iCloud/Google-synced passkeys given the clear security benefits over passwords+2FA.

Keep in mind that for our service, we regularly see attackers set up copycat sites to phish user credentials, and pay for Google Search ads to appear before our site in search results. These phishing attempts are sophisticated and customers will send their 2FA codes through them. _This is impossible with passkeys._

I think hardware keys are the best option for passkeys, because they have a separate (physical) user interface compared to software-based keys. This makes it easier to understand the login process. You physically interact with the hardware key to confirm that you want to log in. And you can use your key for many different accounts.

The downside is of course that hardware keys are typically not cheap and you should also buy a backup key. Another unnecessary downside is that certain companies like Microsoft require the use of resident keys, which take up storage space on the hardware key. The better alternative is non-resident keys, of which you can have an infinite number on your key.

Pretty much everyone likes them? Nobody likes passwords, especially passwords by users. Passkeys essentially force the users to have some sort of password manager, whether third party, or OS / browser integrated. Plus they're unphishable in normal use.

They're technically weaker than password + hardware key but stronger than anything else, including password + totp. Google Advanced Protection still wants you to have a hardware key for your account.

Google's Advanced Protection Program supports both passkeys and security keys.

Compliance/security role at a company you've heard of here.

Passkeys are absolutely fantastic. Pretty much every complaint you see in these threads is seen as a positive in an enterprise context.

> Attestation restricts passkey clients

GOOD. I need a way to prove passkeys live on hardware-backed crypto devices (see NIST SP 800-63B), attestation makes that possible.

> But auth lock-in

GOOD. All our corporate sign-in events should be through our single IDP using SSO. Of course we want lock-in.

> But I can't sign in to my children's devices

GOOD. An identity represents a entity, it should be impossible for you to pretend to be another entity, regardless of whether they're a child or dog or whatever. If you need "parental access" or similar to some accounts, contact your service provider and ask for that feature.

> It's hard to export my passkeys

GOOD. Encrypted or not, a core security tenet is "a private key should never leave the device it was generated on" (hence the existence of HSMs, TPMs, etc). It should absolutely be impossible to ship your private keys around. Further, the primary appeal of passkeys in our context is phishing resistance, and it should be technologically impossible for a user to get bamboozled into exporting and sending their passkey to an adversary.

> But I need my backups

Why? Just contact IT if you lose your credentials. If you're on the personal side and don't have an IT authority, you should just generate passkeys on multiple devices and add all of them to your accounts.

> But that's a pain

Security is almost always inversely proportional to convenience.

> I think message board people would probably be surprised at security practitioner attitudes towards Apple and Google authentication lock-in

We're not surprised, but I think many of us are horrified. I think it's a culture clash, partly between Free Software and Enterprise communities, partly between developers and security professionals. Given that it's a culture clash, I don't actually see any resolution that will make everyone happy.

>> But auth lock-in > > GOOD. All our corporate sign-in events should be through our single IDP using SSO. Of course we want lock-in.

My workplace uses Duo Mobile for a second factor, which is functionally identical to TOTP, and probably uses TOTP internally (if your android phone is rooted, you can export Duo Mobile keys to your choice of TOTP app). But as long as I'm being a good corporate citizen, I can't use my choice of TOTP app. What actual security (non-theater) interest does that serve?

If a user can use any TOTP app of their choice, what's the mitigation for them installing a malware TOTP app that ships their private keys directly to CCP HQ?

Duo is regularly audited by independent third-party assessors to attest SDCL, data protection in their datacenters, etc.[1] Audits aren't a guarantee but they provide a reasonable amount of assurance that their software products and infrastructure have at least basic data protection measures.

> if your android phone is rooted, you can export Duo Mobile keys

This is the exact reason why personally owned devices, in most organizations, require MDM enrollment and attestation before being granted access to corporate resources.

[1] https://duo.com/solutions/compliance

If you can't use a TOTP app of your choice, what's the point of there being a standard? Pick an audited app using a proprietary scheme, you don't need interoperability, and if you don't need interoperability, you don't need a standard.

I guess they lowered requirements recently, now you can even do "1 passkey or security key, and recovery options, like a recovery phone and email".

Many security professionals suffer from a horrible case of Boyscoutism where they think snuffing out freedoms is okay because bad people will never be doing the snuffing out.