WWDC 2022 Forum Reactions

A difference between passkeys and passwords is that in order for a password to be useful it has to be known by two entities, the user of a service and the provider of that service, but a passkey is known to (held by) only one entity, the user of a service.

Passkeys mitigate two serious problems with passwords: poor password handling by service providers, and password reuse by users. They introduce other problems such as loss of authenticator device and authenticator lock in, but mitigations for those exist as well. I think it remains to be seen how those will be implemented.

In theory a password stored in your head and disclosed perfectly securely to a single service provider who manages it with perfect security is “more secure” than a passkey. For all practical purposes, this never happens. Generally speaking, anything that reduces your reliance on someone else doing the right thing is better.

(I put quotes around “more secure” because information security is (more or less) a measure of resilience against a set of undesirable outcomes (that affect the confidentiality, integrity, and (the almost always overlooked) availability of information) under a set of conditions. Without specifying the outcomes and conditions, the phrase “more secure” has very little meaning.)

6 Likes

Additionally people might type the password in their head on a phishing site, instead of the real site.

Apparently with passkeys this cannot happen.

2 Likes

Yup. I should have said “poor password handling by both parties” to cover that :slight_smile:

2 Likes

Password/passcode/passkey/private key…
They are all just different words for a chunk of data.

Traditionally passwords were short, like 8 characters, and people often used words.
Passkeys will be 256 characters long or something, and unique for every website/account etc.

For someone to steal your traditional password and access your account, they can either phish it from you, hack the website, or hack your device if you save it in a password manager.

For someone to steal your modern passkey and access your account, they can only hack your device. There’s no other way.

So, whilst there are scenarios where passkeys are inferior, for the vast, vast majority of people this is a massive improvement, a revolution I’d say.
If you can protect your single, long password (isn’t passcode a better name?) to access your device then you are surprisingly secure.

Note: I am not certain of the implementation, you may need to be remembering your device and/or iCloud. Plus Android and Windows if you are in that realm. Still, it is a huge reduction.

It sounds like passkeys are going to work a lot like private/public key methods used for server authentication (eg, GitHub among many others).

Those seem to have worked extremely well so far – for a relatively expert user base. It will be very interesting to see if that can be translated to a mass user base.

Passwords also worked well for people who understood their significance and good security practices, but have been much more problematic for the broader public – maybe because they weren’t implemented particularly well?

2 Likes

Because that is what they are:

2 Likes

There are some potential downsides to this (password sharing is rough, how do you do it between iOS and Android or Windows, etc), but this is so conceptually smart. I really hope it works. I’m extremely excited to see more.

I’d be very curious to see if this really catches on, I myself am not really interested in a solution that is device dependent. (Especially at work where my phone needs to be locked away.)

Even though passwords are a hassle sometimes, they are easily transferable and can be used on multiple devices without problems. Very very interested to see how this works. (time to catch up on the WWDC vids :-))

1 Like

Also: if this is another play by the major tech companies to lock users into their ecosystem even further, then I’ll pass on it completely. At least, for as long as I can.

I am so happy that Apple is embracing FIDO2 so soon. It is the future (Google, Apple and Microsoft: A password-free future is in the making).

Yes, it has to work across platforms and it will. It may sound frightening and ambitious, but it is the way to go. Passwords are broken. They do not work. There are means to make them work (password managers), but it is a flawed system. A password is a secret anybody can enter to “identify” a person. As soon as somebody has the password, the credentials are compromised (yes, there are additional components like 2FA, but…).

With FIDO a device (Yubikey, soon: iPhone) identifies you and you are logged in. What happens if the device is stolen? Well, you need to identify yourself via the device; the device itself is not the ultimate key, you are the ultimate key. What happens if you lose this device? There are solutions. One of them is to have more than one device to identify you (iPads, Macs, PCs, USB tokens, smartphones and what not). Difficulties? Danger? Maybe. Right now. Because FIDO is happening in “geek land” these days (not a trivial thing). But that will change when all big players implement FIDO2 on the system level. I am confident that the FIDO alliance and other players know what they are doing. This is no password manager, this is a password-less identification method that identifies a person reliably and securely. Like in the real world. Usernames and passwords are hacks to make the identification of the person happen in the world of computers and networks. FIDO2 will skip this “hack” going back to the root cause: the identification of the person itself. Again: I know that all this sounds scary. But we are at the starting point of this implementation of FIDO. Time will tell how everything will work and interact with each other from system to system.

I agree. But Lastpass and 1Password plan to include FIDO into their products which should eliminate vendor lock-in. Something is going to replace the iPhone someday and it may not come from Apple.

How are you IDing yourself to the device in this scenario?

Typically FaceID or TouchID, with the occasional passcode use. So, a decent passcode to access your device is going to be more important than ever (but a wise choice note, anyway).

A few weeks back Allison Sheridan was a guest on MPU, and since then I’ve been enjoying her NosillaCast podcast.

In one recent episode she talks with Bart Busschots who gives an excellent account of FIDO, and why it’s so exciting.

Highly recommended.

1 Like

  1. You buy a device.
  2. The device is being connected to an account (AppleID in the Apple universe).
  3. The device identifies you with whatever means like the ones @GraemeS has mentioned and does the FIDO thing:

The user’s device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button. (via FIDO Alliance - Wikipedia)

That is for the easy stuff like plain and simple web logins.

Apart from the simple FIDO stuff:
If it needs to be even more secure (a REAL identification of the actual person), it can be combined with other factors like passports that can be read via NFC during a registration process. There are no limits. Or like Google is doing with their Google Business accounts: they still send postcards to the mail address with a key to verify the address. There are many possibilities depending on how much security has to be added.

+1 on the podcast episode @GraemeS has mentioned.
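The registration-then-challenge flow quoted above (public key registered, challenge signed with the device-held private key, signing gated by the page origin so a look-alike phishing site gets nothing) as an added, simplified model in Go; it is not code from the thread, Apple, or the FIDO Alliance, and the RP ID, origin and challenge strings are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential: one passkey, bound to the relying party (RP) that registered it.
// Constructed model; a real authenticator also scopes keys per user handle.
type Credential struct {
	RPID string
	priv ed25519.PrivateKey // never leaves the device
}

// ClientData is what the browser signs over: the server's challenge plus the page origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register mints a key pair for this RP and hands back only the public key for the server to store.
func Register(rpID string) (*Credential, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Credential{RPID: rpID, priv: priv}, pub, nil
}

// Sign answers a challenge, but only if the origin (assumed https, no port) is the RP ID or a subdomain of it.
// This origin check is what stops a phishing site from obtaining a usable signature.
func (c *Credential) Sign(challenge, origin string) (clientData, sig []byte, err error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != c.RPID && !strings.HasSuffix(host, "."+c.RPID) {
		return nil, nil, errors.New("origin does not match credential RP ID")
	}
	clientData, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(clientData)
	return clientData, ed25519.Sign(c.priv, h[:]), nil
}

// Verify is the server side: the challenge must be the one it issued, the origin must be its own,
// and the signature must check out against the stored public key. A replayed signature fails on the challenge.
func Verify(pub ed25519.PublicKey, expectedChallenge, expectedOrigin string, clientData, sig []byte) bool {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Challenge != expectedChallenge || cd.Origin != expectedOrigin {
		return false
	}
	h := sha256.Sum256(clientData)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	cred, pub, _ := Register("example.com")
	cd, sig, _ := cred.Sign("challenge-1", "https://example.com")
	fmt.Println("genuine login verifies:", Verify(pub, "challenge-1", "https://example.com", cd, sig))
	_, _, err := cred.Sign("challenge-1", "https://examp1e.com")
	fmt.Println("phishing origin refused:", err != nil)
}
```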

FIDO doesn’t actually support identity confirmation, does it?

No, my post might have been a bit misleading.

FIDO provides a means to log in to something using a device (a service) that uses public and private keys. The device can use your biometrics (FaceID, TouchID) as a prerequisite to check the keys. This is what I meant by “identification of the person itself”. Identification in the sense that the password is going away as the identifier.

FIDO in combination for instance with a passport that can be read via NFC is a totally different ballgame, though: this would even lead to a REAL identification of a person during a registration process. There are already countries that have passports that enable exactly that in combination with a passport app using the iPhone’s NFC capabilities. But again, that has nothing to do with FIDO. My apologies for causing this confusion.

That’ll be the question to me. Will it require something like FaceID / TouchID? Or is it literally going to be “anybody who grabs your device and knows your passcode can access your entire online life”?

I suppose that’s theoretically more secure than people using a single password everywhere online, but something about it feels significantly less secure than, say, passwords stored in something like KeePass or 1Password.

I don’t know anybody that picks super-secure passcodes.

Does knowing someone here count? :smiley:

3 Likes

If you choose to use 1Password as your FIDO passkey manager, then you’re good to go. LastPass already does it, apparently.

Apple, Google and Microsoft will build it into the operating system, but I don’t think you need to use their implementation. The big news, for me, is that with the three major OS companies building it in and working together, it will happen.

2 Likes