WHAT TOOK YOU SO LONG? — Passkeys (Microsoft, Apple, and Google’s password killer) are finally here

It only took 50 years, but there’s finally a replacement that’s safer and easier to use.

Dan Goodin – Oct 25, 2022 1:25 pm UTC

For years, Big Tech has insisted that the death of the password is right around the corner. For years, those assurances have been little more than empty promises. The password alternatives, such as pushes, OAUTH single-sign ons, and trusted platform modules, introduced as many usability and security problems as they solved. But now, we’re finally on the cusp of a password alternative that’s actually going to work.

The new alternative is known as passkeys. Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What’s different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account-take-over attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers and WordPress.com as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn’t yet available. In the coming months, all of that should be ironed out, though.

What, exactly, are passkeys?

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There’s no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or, in the absence of biometric capabilities, the PIN that’s associated with the token. What’s more, hardware tokens use FIDO’s Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.

Until now, FIDO-based security keys have been used mainly to provide MFA, short for multi-factor authentication, which requires someone to present a separate factor of authentication in addition to the correct password. The additional factors offered by FIDO typically come in the form of something the user has (a smartphone or computer containing the hardware token) and something the user is (a fingerprint, facial scan, or other biometric that never leaves the device).

Further Reading: Phishers who breached Twilio and targeted Cloudflare could easily get you, too

So far, attacks against FIDO-compliant MFA have been in short supply. An advanced credential phishing campaign that recently breached Twilio and other top-tier security companies, for instance, failed against Cloudflare for one reason: Unlike the other targets, Cloudflare used FIDO-compliant hardware tokens that were immune to the phishing technique the attackers used. The victims who were breached all relied on weaker forms of MFA.
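The phishing immunity described above rests on each sign-in response being signed over the origin the browser actually visited, which the website then checks. The Node.js code below is an added example, not code from the article or from the FIDO Alliance; it verifies a WebAuthn assertion the way a relying party would, and the `shop.example` names, the `makeAssertion` authenticator stand-in, and all sample values are constructed for illustration.

```javascript
// Added example: relying-party checks on a passkey (WebAuthn) sign-in assertion.
const nodeCrypto = require('node:crypto');
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

// Constructed stand-in for browser + authenticator: signs over the origin it is given.
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = Buffer.concat([
    sha256(Buffer.from(rpId)),  // rpIdHash (32 bytes)
    Buffer.from([0x05]),        // flags: user present (0x01) | user verified (0x04)
    Buffer.alloc(4),            // signature counter
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Server side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale-challenge';
  if (client.origin !== expected.origin) return 'origin-mismatch';
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(Buffer.from(expected.rpId)))) return 'rpid-mismatch';
  const flags = a.authenticatorData[32];
  if ((flags & 0x01) === 0) return 'user-not-present';
  if ((flags & 0x04) === 0) return 'user-not-verified';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, expected.publicKey, a.signature)
    ? 'ok' : 'bad-signature';
}

function demo() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const rpId = 'shop.example', origin = 'https://shop.example';   // constructed names
  const expected = { rpId, origin, publicKey, challenge: nodeCrypto.randomBytes(32) };
  const good = makeAssertion(privateKey, rpId, origin, expected.challenge);
  // Look-alike site relays the real challenge; the signed origin is still its own.
  // (A conforming browser would not offer the shop.example passkey there at all.)
  const phished = makeAssertion(privateKey, rpId, 'https://shop-login.example', expected.challenge);
  // Response signed for a different challenge, as a replayed capture would be.
  const replayed = makeAssertion(privateKey, rpId, origin, nodeCrypto.randomBytes(32));
  const tampered = { ...good, authenticatorData: Buffer.from(good.authenticatorData) };
  tampered.authenticatorData[36] ^= 1;  // any change to signed bytes breaks the signature
  return [good, phished, replayed, tampered].map((a) => verifyAssertion(a, expected));
}
```

`demo()` returns one verdict per case, so a relayed or replayed response can be seen failing before the signature is even checked.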

But whereas hardware tokens can provide one or more factors of authentication in addition to a password, passkeys rely on no password at all. Instead passkeys roll multiple authentication factors, typically the phone or laptop and the facial scan or fingerprint of the user, into a single package. Passkeys are managed by the device OS. At the user’s option, they can also be synced through end-to-end encryption with a user’s other devices using a cloud service provided by Apple, Microsoft, Google, or another provider.

Passkeys are discoverable, meaning an enrolled device can automatically push one through an encrypted tunnel to another enrolled device that’s trying to sign in to one of the user’s site accounts or apps. When signing in, the user authenticates themselves using the same biometric or on-device password or PIN for unlocking their device. This mechanism completely replaces the traditional username and password and provides a much easier user experience.

“Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography),” said Andrew Shikiar, FIDO’s executive director and chief marketing officer. “By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and, very significantly, allows the service provider to start retiring passwords as a means of account recovery and re-enrollment.”

Further Reading: Death to passwords: Beta passkey support comes to Chrome and Android [Updated]

Ars Review Editor Ron Amadeo summed things up well last week when he wrote: “Passkeys just trade WebAuthn cryptographic keys with the website directly. There’s no need for a human to tell a password manager to generate, store, and recall a secret; that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced.”

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.