For those with even a hint of curiosity about data security, it's hard to miss the buzz surrounding the introduction of "Passkeys" and the collaboration between Apple, Microsoft, and Google in their quest to eliminate passwords once and for all. These tech giants have joined forces with the FIDO™ Alliance, an open-industry association dedicated to establishing authentication standards that reduce our reliance on passwords. Together, they have introduced the concept of Passkeys— usually referring to a synchronized form of authentication. In case you're unfamiliar with the FIDO™ Alliance, they champion the development, usage, and adherence to authentication and device attestation standards. Their joint effort has resulted in an authentication system where your phone or computer can effortlessly log you into all your accounts using biometric identification like your fingerprint, face, or voice. On the surface, this may seem like a win-win situation for both companies and consumers, but let's delve into the potential security concerns that might arise from relying on a synced Passkey.
How FIDO™ Works
First, you need to have a basic understanding of what FIDO™ is and does. There are two primary processes-- the first, registration, is a one-time event per website, in which a user with a specific authenticator registers a new key with a specific website. The second, Authentication, is performed each time the user authenticates to access the site.
A simple FIDO™ registration can be completed with the following steps:
1. The user is identified with a unique username on the website. (Although StrongKey has public demos that make use of a usernameless flow as well!)
2. The FIDO™ server sends a randomly generated challenge to the user through a supported browser or platform-specific application programming interface (API).
3. After receiving the challenge and passing validations, the authenticator generates a pair of cryptographic keys: a public and a private key.
4. The public key, along with signed metadata and optional content, is returned to the website, completing the registration process.
After successful registration, Authentication with FIDO™ takes the following steps:
1. The user is identified by username on the website.
2. The FIDO™ server sends a random challenge to the user, including any stored optional content.
3. After passing the necessary validations, the authenticator digitally signs the challenge metadata.
4. The signed response is returned to the website.
5. The user is authenticated after verifying the signature with the stored public key.
When implemented with hardware security and biometrics, FIDO™ becomes one of the most secure authentication solutions. FIDO™ was also designed to be a privacy-protecting protocol with only the relying party (website) knowing the existence of a user's FIDO™ credential when it is used, and where it was used.
The inclusion of any external entity that consolidates or provides single sign-on (SSO) services, such as synced passkeys, undermines the commitment to privacy, opening the door for potential "man-in-the-middle" (MITM) attacks that expose users' browsing habits. In the event of an MITM breach, it raises the question of who should be held accountable for violations of privacy regulations like GDPR / CCPA. Would it be the consolidator, the relying party site, or the FIDO™ Alliance itself?
This is a serious concern that needs to be taken into consideration before using or deploying "Passkeys" since the keys will be stored in the Cloud. Protecting sensitive data in the Cloud is impossible even for billion-dollar companies. Apple, Uber, Capital One, Twitch, and many others have been compromised in the Cloud. The Bank of England mentions the Cloud as a risk to financial stability in its bi-annual Financial Stability Report of July 2021, with the Governor publicly stating that its "opacity" and "security" are of concern.
In all the excitement surrounding "Passkeys," the need for strong security measures to protect billions of private keys has been overlooked. The FIDO™ protocol, along with physical Security Keys, secures the secret parts of the FIDO™ credential within secure devices. In this newly advertised collaborative effort, the responsibility of safeguarding the "Passkeys" and secrets will rest solely with one of the three technology giants, leaving us with little transparency regarding the level of protection and accessibility they possess.
Another protocol of FIDO™ that needs to be examined within the context of the synced passkey is "portability." FIDO™ allows for the portability of credentials without compromising privacy, thanks to the use of a convenient security key. This hardware device, which can be easily carried in your pocket or on your keychain, ensures that your credentials remain secure and accessible wherever you go. With Apple, Microsoft, and Google, the keys will be consolidated in the Cloud. With a Security Key, the user can log in to any FIDO™-enabled site with their phone or computer. The user only has to invest in a Security Key (available from dozens of manufacturers) and register a second or third credential to the website with a Security Key in addition to their computer and phone. Unlike other authentication protocols, FIDO™ allows users to generate many credentials from different devices to access a website.
Another portability issue is the lack of a process to easily transfer all credentials from one platform to another. Moving credentials one by one is not feasible for users with numerous keys. Although Apple, Microsoft, and Google aim for interoperability, users could still be locked into a specific platform.
With a third party involved in the cryptographic key pairs, it's difficult to realize the full potential of FIDO™ for security and privacy. Registering another credential in case of loss of a device or key is a best practice with FIDO™. Apple, Microsoft, and Google compromising the true value of FIDO™ for convenience could result in your entire digital existence being controlled by these data-driven companies. Educating consumers on how to use FIDO™ properly would be a better approach to enhancing internet security and eliminating passwords.