Passkey, here’s why you might be disappointed: they don’t completely replace passwords

In the field of IT security it is rare to come across a solution that fully combines practicality and protection. Yet passkeys set themselves precisely this objective, aiming to play the role of "password killer": a technology capable of replacing passwords, which are as hated as they are essential for defending your data and workflows.

Unlike traditional passwords, passkeys do not rely on a secret shared between user and server. Instead, they are built on a cryptographic key pair, one public and one private. The public key is transmitted to the server that manages the user's account; the private key is instead stored in a secure area on the user's device.

To pass authentication, the user must prove possession of the private key corresponding to the public key registered remotely, for example with the service's server. When you log in, the passkey-based mechanism generates a challenge that can only be answered with the matching private key, and the server checks the answer against the user's registered public key. Only the holder of the private key can answer the challenge correctly, thus proving their identity.

How passwords work

Before delving into the "pros" and "cons" of passkeys, let's briefly recall how authentication works with the classic username-password pair.

We said in the introduction that traditional authentication is rooted in the sharing of a secret between user and remote server: the password the user types to access a service is known to the server.

Passwords should never be saved in clear text on remote servers: in the article dedicated to how websites store passwords, we saw that hashing (with a secure algorithm) is an essential practice. The hash of a password is a representation derived from it: it is easy to calculate the hash of a password, but it must be effectively impossible to get back to the plaintext password starting from its hash value.

When you type the password to log in to a service, the password is first hashed locally and then the hash value is sent to the server. If this value matches the password hash stored on the service provider’s servers, access is authorized.

In an ideal world, if an attacker managed to steal server-side password hashes, the operation should be fruitless, because the hashing process is not invertible. In practice, though, if the user chose a simple password, cybercriminals may already have precomputed the "hashed" versions of the most common passwords. When they come across a known hash, they can immediately trace it back to the password used. This is why it is good to follow some fundamental rules for creating passwords and using them safely.

The benefits of the passkey authentication process

The approach behind passkeys offers several advantages. First of all, it simplifies the authentication process: the keys are generated and managed automatically, with no need to remember or type them (as happens with passwords).

Furthermore, each passkey is bound to a specific site/server, so the key pair cannot be used on "fake" sites. Phishing attacks therefore lose their effectiveness: cybercriminals can no longer build a copy of a popular website or online service with the intent of stealing someone else's login credentials, simply because passkeys do not work with sites other than the original one authorized to manage each user's credentials. The public key, by itself, is of no value to cybercriminals.

With passkeys, accessing a website or app is reduced to the same method used to unlock your smartphone, tablet, notebook or desktop system: for example, you are asked for a PIN code, facial recognition, a fingerprint or a pattern. Here is the list of compatible devices.

Passkeys inherently work as two-factor authentication (2FA). When you log in with a passkey, the mechanism combines something you have (your device) with something you know or something you are (a PIN, a fingerprint or facial recognition). This is the very essence of 2FA (Two Factor Authentication).

The main disadvantages of passkeys

Presented as genuine password replacements, passkeys nonetheless pose several challenges.

Let's start from the beginning. We said that the private key used for authentication is stored in a secure area (vault) available on each client device. However, it is very common for users to use several different devices, and authenticating properly from different devices can be difficult if your private keys are stored on a single one.

Currently, the prevailing solution is to authenticate via a secondary device using a QR code, a connection to the phone (Bluetooth, NFC or USB) and a cloud server (which is also involved in the process). This procedure, although apparently simple for the user, involves multiple operations "behind the scenes".

Another crucial topic is account recovery in case of loss of the device containing the private keys. Currently, many platforms offer recovery options based on security questions or on sending a password reset link. However, this can undermine the security of the passkeys themselves, because traditional passwords come back into play. This document delves into account recovery strategies for passkeys.

The key synchronization problem

One solution to the problem of using several different devices could be to generate more than one public-private key pair, one per device. For example, to access the same website via passkey, you could create a key pair on your smartphone, another on your notebook, and so on. It must be said, however, that if a device is lost or stolen, the key pair on that device will have to be revoked (that is, cancelled).

The secure and continuous synchronization of private keys between different devices is an important problem in itself. Although some password manager vendors are working on solutions to manage passkeys intelligently, there is currently no universally accepted, interoperable method.

Apple, Google and Microsoft have all rolled out initial support for passkeys. Since these companies are evidently not willing to handle support requests from users who lose their devices, they have built mechanisms for backing up and synchronizing passkeys between devices. For now, however, these are proprietary mechanisms: a Windows-based computer and an iPhone, for example, will not be able to synchronize the user's personal keys, unless the user falls back on the QR code method mentioned above.

Passkeys are vulnerable to session hijacking attacks

Although they represent a real bulwark against phishing, passkeys remain vulnerable, as traditional authentication methods do, to session hijacking attacks.

After a user has logged in via passkey, a cybercriminal can, for example, intercept the session cookie created on the client and use it to impersonate that user.

Even in the context of passkeys, session hijacking attacks can be particularly dangerous. Since passkeys are associated with a specific session, an attacker could eavesdrop on or manipulate that session to gain access to the user's account without needing to know the private keys at all.

Is it a good idea to adopt passkeys right away?

While passkeys do have the potential to replace not only traditional passwords but also two-factor authentication, for now we still suggest treading carefully.

As we know, Google has made passkeys its default authentication mechanism, and many vendors have thrown themselves headlong into supporting this new tool. For our part, we suggest adopting passkeys cautiously.

In fact, solutions are needed that effectively address the issues of multi-device management and account recovery. It is also essential that solutions based on…
