DEV Community

Robertino
Robertino

Posted on • Edited on • Originally published at auth0.com

Our Take on Passkeys

Original post written by Vittorio Bertocci for Auth0 blog.

“Passkey” is the shorthand for FIDO multi-device credential, a new technology that makes it convenient to use FIDO's phishing-resistant authentication methods and ceremonies across multiple devices.


"When the student is ready, the teacher will appear"

We believe that passkeys offer a viable, phishing-resistant alternative to passwords that solves end-user friction for consumer applications in particular, and we are committed to making it easy for developers to offer that experience to their users. Passkeys might also introduce challenges for solutions relying on FIDO's platform authenticators as they are implemented today, typically in the workforce and mission-critical solutions: as an industry, we'll need to find ways to reap the advantages of this new technology while minimizing the drawbacks.

The Starting Point: FIDO's Platform Authenticators

Passwords are a classic example of how civilization will, sometimes, get stuck on a local maximum. Intuitive, portable, and (in the naive case) easy to use, shared secrets have been used to protect information and resources since at least Roman times.

Unfortunately, the sheer number of accounts everyone needs to juggle to participate in modern life exacerbates the shortcomings of this method, up to and including all the ways in which passwords can be stolen by bad actors, remotely and at scale.

The FIDO Alliance, a group of industry leaders, was formed to create and promote the adoption of phishing-resistant tech that could be a viable alternative to passwords. If you are interested in digging deeper into FIDO, you can listen to the Identity, Unlocked podcast episode I recorded with Yubico's John Bradley on that very topic.

For the purposes of today's story, the important bit is that FIDO2, one of the sets of specifications the alliance produced, led to the widespread availability of phishing-resistant authentication features on modern devices. In short, that's achieved by describing how authenticators (physical keys, security hardware on devices, etc.) can talk to browsers and by defining a JavaScript API that websites can use to tap into those authenticators to perform public key cryptography authentication.

Clear as mud? In practice: by using the Javascript API defined in the WebAuthn specification, developers can leverage either hardware keys (e.g., YubiKeys) or secure hardware on the device (e.g., secure elements on your phone, TPMs on your laptop) gated by biometric sensors to authenticate users without using passwords. The two authenticator types are called roaming authenticators and platform authenticators, respectively.

Auth0 immediately saw the value in the initiative and adopted WebAuthn both as a second factor for administrators accessing our management dashboard and as a method developers can use to authenticate their users when protecting their web apps with Auth0.

Last year I had the chance to present at the Authenticate conference the adoption figures we observed. The trends we identified reflect the industry at large: most of the adoption appears to be among professionals who need a high level of assurance when accessing the resources they manage, whereas consumer adoption isn't as steep.

There are many possible explanations for those results, but the consensus is clear: despite the giant progress in usability and widespread availability of hardware and software, those methods remain complex to use for end users. Hardware keys are an investment and a hassle, mostly reserved for admins and key knowledge workers. Platform authenticators are far more palatable, but they are tied to a single device: whereas in business scenarios that might be a coveted feature (e.g., admins like to know requests come from a managed device), for consumer scenarios that present challenges when migrating to new devices, using multiple devices and so on. Importantly, this also relegated WebAuthn to the role of the second authentication factor: the lack of a reliable recovery mechanism baked in the specs makes it necessary to provide at least another mechanism to access one's account. And that method, most often than not, ends up being… passwords.

Passkeys

Enter passkeys or, if you want to refer to them with their scientific name, multi-device FIDO credentials.

Passkeys are designed to eliminate the usability shortcomings of classic FIDO credentials or single-device credentials. They achieve this with a simple trick: they allow the FIDO credential to roam across multiple devices. This single-handedly solves both the recovery problem (credentials are now backed up, hence can survive the loss of their originating device) and the multiple enrollments problem (no need to repeat enrollment on each device).

You can read more about it on the multi-device FIDO credentials landing page, on the whitepaper introducing the concept, or by listening to the Identity, Unlocked podcast episode I recorded with FIDO's exec director Andrew Shikiar and Microsoft's Tim Cappalli on that very topic - but the main thrust of the idea is really that simple.

Note: whereas multi-device FIDO credentials are the official FIDO denomination, vendors refer to the technology as "passkey" - I really like the term (pass-word, pass-key, get it? 😊), and it's significantly less typing; hence I'll use passkey for the rest of the article.

At this point, the sign-up and sign-in experiences remain somewhat vendor dependent, and the tasty bits (roaming) happen behind the scenes, but just to give you a taste: here's how a sign-up, sign-in, and a sign in on a different device look like on our early demo bits. You can find the full video later in the article.

Here's a test web application.

Read more...

Top comments (0)