Understanding Passkeys: FAQ
November 29, 2022
Daon® is one of the founding members of the FIDO Alliance. We have been heavily involved in the working groups that help shape FIDO specifications since 2014. Our IdentityX® platform supports the deployment of multi-device credentials (passkeys) through its FIDO Certified FIDO2 implementation, which greatly decreases the use of phishable knowledge-based authentication and the fraud associated with it. However, there are some industries where multi-device credentials alone may not provide sufficient security and may be viewed as only one component of an identity continuity solution.
What are FIDO passkeys?
FIDO passkeys, more accurately referred to as multi-device credentials, are cryptographic keys used as part of the FIDO2/WebAuthn protocol. Rather than being stored only on a local device, these multi-device credentials are stored in the cloud. Consumers can authenticate to the operating system vendor on a new device, download these cryptographic keys to that device, and use those same keys to authenticate themselves.
Who is the target audience for passkeys?
Today’s OS providers are targeting the average consumer with passkeys. Passkey usage is a huge step in the right direction, as their adoption reduces password reliance, leading to lower rates of consumer identity fraud and phishing, two of the most common and harmful security issues.
Why has FIDO2 single-device adoption been lagging?
The FIDO Alliance has noted that even after the FIDO2/WebAuthn specification became supported in all major browsers and operating systems, mass adoption has still not arrived. The lag is due to limitations of the two authenticator types. FIDO2 authenticators are divided into two categories:
- Roaming authenticators, which can be moved between different devices, such as Yubico or Feitian keys used for FIDO2 authentication. A user must carry their roaming authenticator with them if they wish to authenticate on different devices. If the physical device is lost or stolen, account recovery is time-consuming and troublesome.
- Platform authenticators, which are fixed to the device performing the authentication. Examples of platform authenticators are Windows Hello authentication via PIN, fingerprint, or face on a Windows computer, fingerprint on an Android device, or Touch ID on an iOS device. Platform authentication is tied to one device and not shared across PCs and smartphones. If a device is lost, the user suffers from the same account-recovery limitations as with roaming authenticators.
What are the advantages and disadvantages of multi-device credentials?
Multi-device credentials (passkeys) are paving the way for wide adoption of FIDO-based cryptographic authentication. Their major advantage is an innate ability to transfer credentials between devices, making account recovery fast and simple. Multi-device credentials offer the benefit of non-phishable authentication, with the authentication services being processed by the OS provider. This addresses some of the limitations of single-device FIDO2 credentials described above.
However, multi-device credentials may not suit all business use cases. For instance, it is unlikely that government agencies that require adherence to standards like NIST 800-63 or FIPS-140 would allow cloud-based credentials to be used, at least not anytime soon. Also, within highly regulated industries such as banking and insurance, regulators have not yet accepted the use of a passkey alone to meet the required security standards.
Who offers multi-device credentials?
Currently, FIDO UAF and vendor-provided FIDO2 credentials are single-device only. Newly created FIDO2 credentials may be multi-device credentials, depending on the OS support. Apple, Google, and Microsoft have committed to providing multi-device credential support, with some launching the service at the time of this publication. Other FIDO vendors may decide to support multi-device credentials in the future.
Can a relying party know whether or not a multi-device credential is being used on the original device it was registered on, as opposed to on a synchronized device?
The specifications detail an optional extension called the Device Bound Key (DBK), which can be generated during credential registration and provided alongside the public key of the authenticator. The DBK is device-resident and is not synchronized across devices. When authenticating, the FIDO2 server compares the DBK presented with the DBK recorded at credential creation to ascertain whether the device is the one initially registered. If the DBK has changed, it can be assumed that this is a different device, and the relying party can then decide whether to perform additional checks or step-up authentication for that user.
It is important to note that this extension is optional, and to date, only Google and Microsoft have committed to implementing DBK. In the absence of the DBK, relying parties must depend on other methods of discovering whether the credential has been synchronized to a new device. Relying parties will continue to depend on additional signals from the authenticating devices. Existing methods, such as using separate device-specific credentials or performing device or browser fingerprinting, will continue to be important.
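The relying-party decision described in the two answers above, as an added example that is not part of the original FAQ and not Daon or IdentityX code: the server records the device-bound key seen at registration, compares it with the one presented at authentication, steps up and then records a new device, and falls back to other signals when the optional extension is absent. The record layout, function names and the use of a SHA-256 fingerprint of the DBK bytes are assumptions for the example; the example assumes the WebAuthn assertion signature has already been verified before this policy runs.

```python
"""Relying-party (RP) policy for FIDO2 assertions that may carry a device-bound key (DBK).

Added illustration, not Daon/IdentityX or FIDO reference code. Field names,
function names and the SHA-256 fingerprint scheme are assumptions for the example.
The policy runs only after the normal WebAuthn assertion signature check has passed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CredentialRecord:
    credential_id: bytes
    public_key: bytes                       # public key of the (possibly synced) credential, opaque here
    dbk_fingerprints: Set[str] = field(default_factory=set)  # DBKs seen and trusted for this credential


def fingerprint(dbk: bytes) -> str:
    """Stable identifier for a device-bound key: SHA-256 of its encoded bytes."""
    return hashlib.sha256(dbk).hexdigest()


def register(store: Dict[bytes, CredentialRecord], credential_id: bytes,
             public_key: bytes, dbk: Optional[bytes]) -> CredentialRecord:
    """Store a new credential; if the authenticator supplied a DBK, record it as the first trusted device."""
    rec = CredentialRecord(credential_id, public_key)
    if dbk is not None:
        rec.dbk_fingerprints.add(fingerprint(dbk))
    store[credential_id] = rec
    return rec


def evaluate_assertion(store: Dict[bytes, CredentialRecord], credential_id: bytes,
                       dbk: Optional[bytes]) -> str:
    """Decide how to treat an already signature-verified assertion.

    'known_device'       : DBK matches one previously recorded for this credential
    'new_device'         : DBK present but not seen before (or no baseline); step up before trusting
    'no_dbk'             : extension absent; fall back to other device/browser signals
    'unknown_credential' : credential id not registered here
    """
    rec = store.get(credential_id)
    if rec is None:
        return "unknown_credential"
    if dbk is None:
        return "no_dbk"
    # No recorded DBK (e.g. registered on a device without the extension) means we cannot
    # confirm it is the original device, so we treat it like a new one.
    if fingerprint(dbk) in rec.dbk_fingerprints:
        return "known_device"
    return "new_device"


def trust_device(store: Dict[bytes, CredentialRecord], credential_id: bytes, dbk: bytes) -> int:
    """After step-up authentication succeeds, record the new DBK. Returns the number of trusted devices."""
    rec = store[credential_id]
    rec.dbk_fingerprints.add(fingerprint(dbk))
    return len(rec.dbk_fingerprints)


if __name__ == "__main__":
    # Constructed sample values; real DBKs and credential ids are opaque bytes from the authenticator.
    creds: Dict[bytes, CredentialRecord] = {}
    cred_id = b"cred-0001"
    laptop_dbk, phone_dbk = b"dbk-laptop-key-bytes", b"dbk-phone-key-bytes"
    register(creds, cred_id, b"synced-public-key", laptop_dbk)
    print(evaluate_assertion(creds, cred_id, laptop_dbk))  # known_device
    print(evaluate_assertion(creds, cred_id, phone_dbk))   # new_device -> step up
    trust_device(creds, cred_id, phone_dbk)
    print(evaluate_assertion(creds, cred_id, phone_dbk))   # known_device
    print(evaluate_assertion(creds, cred_id, None))        # no_dbk -> other signals
```

The "new_device" outcome is where an RP would insert its own step-up (a second factor, a device-specific credential, or a fingerprinting check); only after that succeeds does trust_device add the DBK, so a synced passkey used on a never-seen device cannot silently become trusted.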
Are passkeys here to stay?
With major OS providers all mutually supporting them, passkeys are likely to be a cornerstone of the authentication landscape. Passkeys are a much safer alternative to passwords and a welcome addition for consumer account and data security. By combining passkeys with other security capabilities in IdentityX, they can be adopted in the future by enterprise and more regulated industries.
To learn more about passkeys or how Daon can help you maximize the security of your customers’ identities, contact us today.