Passkey Security

Cybercriminals often pretend to be a trusted colleague, acquaintance, or organization to trick victims into providing sensitive information or network access. This action is known as phishing. Cybercriminals can try to lure people through email, text messages, or phone calls.

According to Verizon's 2024 Data Breach Investigations Report, the overall reporting rate of phishing has been growing over the past few years. The median time for users to fall for phishing emails is less than 60 seconds.

In addition to phishing, credential breaches and exploitation of vulnerabilities are also security concerns. The 2024 report examined over 30,000 incidents and a third of these were confirmed data breaches.

  • 14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year’s report.
  • 68% of breaches involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.
  • 15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures or data custodians.

Passkeys are phishing-resistant and secure by design. This approach provides an improved security model over traditional authentication and multi-factor authentication. Passkeys scale to meet long-term needs, since virtually all personal computing devices now support them and people prefer the passkey user experience.

Overview

Passkeys use a challenge-response authentication protocol that is based on asymmetric cryptography. This provides phishing resistance and eliminates sensitive secrets on the server. This results in a huge step forward in security compared to traditional authentication.

Phishing resistance

Passkeys are presented by the system (a combination of the browser, the operating system and the password manager or security key adhering to the same standards) when the user approves by unlocking their device. The system would never present the credential to the wrong site, thus defeating the essence of phishing. For example, a user can be tricked into typing the password for company.com on the website for compannyy.com (which has some extra letters), but the system would never do this: it is automated and requires an exact match between the domain the passkey was issued to and the domain that the user is on.

Passkeys can also be presented from the user’s mobile phone to a nearby device (say a computer) to sign in to an internet service. This is sometimes referred to as cross-device authentication. In this case, the computer system and the mobile system use the standards to ensure that the mobile phone is indeed physically close to the computer and that the presentation is not phishable. Physical proximity is verified using Bluetooth in this case. The protocol between the mobile phone and the computer is secured at the application layer and does not depend on Bluetooth security.

In another important use case for cross-device authentication, to sign in to an internet service, a user can present a passkey that is present on a security key to a nearby device (say a computer or a mobile) by inserting the security key (over USB) or tapping it (over NFC). In this case, physical proximity is ensured using USB or NFC.

Eliminating server side secrets

Another standard attack method we often hear about is when a database of password hashes is stolen from some smaller site and the database is then cracked by the attackers, since the hashing was not done right. The attacker now knows the plain password and can sign in as the user on this site (and sign in to other sites too, if the user reused the password, which users often do). However, because passkeys use asymmetric cryptography, the analogous server database only contains a set of public keys.

By the mathematics of cryptography, it is not computationally feasible to derive a private key from a public key. Therefore, even if the attacker is able to get their hands on this database, they cannot use the public keys to sign in to the site, as the private keys are only on the user's devices.

To take it a step further, every account on every site gets a unique public and private key pair. Hence, a database of public keys stolen from one site cannot, by design, be used to compromise another site since there is no re-use.
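
The following added example (not code from this page or from the FIDO specifications) models the challenge-response flow, the exact-domain check and the public-key-only server database described in the Overview, Phishing resistance and Eliminating server side secrets sections. The class names, the `alice` account and the JSON message layout are assumptions made for illustration; real WebAuthn uses a different wire format.

```javascript
// Added example: a simplified model of a passkey sign-in, not the WebAuthn wire format.
const crypto = require('node:crypto');

// Authenticator: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // hostname -> private key
  register(hostname) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(hostname, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this reaches the server
  }
  // `origin` comes from the browser/OS, not from anything the user types or reads.
  sign(origin, challenge) {
    const privateKey = this.keys.get(new URL(origin).hostname); // exact-match lookup
    if (!privateKey) return null; // no passkey for this domain, so nothing is presented
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Server: stores public keys only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    const pem = this.publicKeys.get(user);
    if (!pem || !assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;          // signed for a different site
    if (!this.pending.delete(challenge)) return false; // unknown or replayed challenge
    return crypto.verify('sha256', Buffer.from(assertion.clientData), pem, assertion.signature);
  }
}

function demo() {
  const rp = new RelyingParty('https://company.com');
  const device = new Authenticator();
  rp.publicKeys.set('alice', device.register('company.com'));
  const assertion = device.sign('https://company.com', rp.newChallenge());
  const firstUse = rp.verify('alice', assertion);
  const replay = rp.verify('alice', assertion); // challenge already consumed
  const lookAlike = device.sign('https://compannyy.com', rp.newChallenge());
  return { firstUse, replay, lookAlike, stored: rp.publicKeys.get('alice') };
}
```

Calling `demo()` shows the genuine sign-in accepted once, the replayed assertion rejected, and nothing presented on the look-alike domain; the only thing the server holds for the account is a PEM public key.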

Multi-factor authentication

There are three types of authentication factors:

  • Something you have
  • Something you are
  • Something you know

Passkeys use a private and public key pair. The private key is stored on your device and establishes a factor of something you have.

If the service you are signing in to requests User Verification, which can be exercised by the user with a biometric or PIN, this is something you are or know. Thus, authentication with passkeys embodies the core principle of multi-factor security.

Organizations might be concerned that a passkey could be made available to an attacker through a single factor, such as a password used to access the credential manager account. In practice, however, this is not usually the case. Credential managers consider multiple signals beyond the user’s password, some visible to the user and some not, when authenticating users and restoring passkeys to their devices.

Biometrics

FIDO protocols dictate that when biometric data is used, it never leaves the device. The server only sees an assurance that the biometric check was successful. There is no change to the local biometric processing of devices such as mobile phones, computers, and security keys.

Security keys for device-bound passkeys

Environments with particular compliance requirements might need to guarantee there is only one copy of the cryptographic key available. Passkeys on FIDO security keys are a great solution for such use cases.

Another helpful use case is for end users to use security keys as an account recovery factor. If an end user loses access to their mobile phone or their other devices that use synced passkeys, FIDO security keys can be used to recover access.