Arshad Noor - Jun 13, 2023

“Would you trust your bank with both keys to your safe deposit box?”

“Huh?” Bob responded.

He looked up from the newspaper as Alice and he were at the kitchen table finishing breakfast. Alice put down her tablet computer and looked at him.

“I mean: You go to a bank to open a safe deposit box; you do the paperwork. They take you to the safe deposit locker section and using two keys, open up an empty box for you. After you are done with the safe deposit box, the bank employee locks up, pockets both keys and escorts you out. Would you trust that bank with the safe deposit box and its contents?” she responded.

“Are you nuts? That’s not how it works!” Bob retorted. “At least not in the US. And probably, also not in most countries where safe deposit boxes are available. You know very well banks keep one of the two keys to the box, while you keep the second key. You are required to be present with your key for the box to be opened - that’s the only way you are assured no one can open that box without your key. If the bank has both keys, why would anyone trust them?”

“But, what if the bank had some cool new capability?” Alice responded. “A capability that promised, no matter which branch of the bank you go to, your safe deposit box – and keys – will be available there?”

Bob looked puzzled.

Alice continued, “Let’s assume the bank has come up with a new service. When you show up at any of the bank’s branches, somehow your safe deposit box and its two keys are there. You never have to worry about losing the key the bank gave you, or going back to the branch where you got the box originally. They simply want to make it convenient for you to access your safe deposit box in any of their branches, rather than just the one where you got it.”

“But, why does the bank want to retain both keys? Can I not just keep – and use - the one I normally have with me at any branch?” Bob asked.

“That’s because you might lose it – you know how you keep misplacing your own keys all the time. With both keys with the bank, you’ll never have to worry about losing access to the safe deposit locker.”

“But, how will I be assured that someone did not open the box with the two keys the bank retains?” Bob persisted.

“Oh, you would be assured that you can trust them. They have a policy that prohibits any bank employee from opening your safe deposit box, with processes and technology to implement that policy. They are the biggest banks in the world after all, and who would have the resources to get past their security?”

Bob decided to play along.

“Would they guarantee the contents of my box would remain intact and nobody – NOBODY – would ever access my box? Would they make me whole if anything was missing from that box?” Bob persisted.

“You know they can’t guarantee that! It’s technology after all - it would be impossible to prevent someone with criminal intent, collusion or a flaw in the design of the process from getting to your keys. The important thing is they are thinking about your convenience.”

“Will this be regulated by the Fed?” Bob asked.

“Probably not” responded Alice. “This is a custodial service and does not involve money within the banking system. Besides, the banks would be cagey about divulging too much detail to protect their competitive advantage – criminals might use that information against them.”

“Not gonna happen, Alice” Bob responded with finality, as he rustled his paper to go back to it. “Nobody in their right mind would trust any bank with both keys to their safe deposit box and walk away – just look at the news. It’s 2023. Every big company is getting hacked – including big banks in the Cloud.”

“Where are you going with this, anyway?” he asked. “You’re not in the banking or safe deposit locker business — you’re in the computer security business.”

“Well… there’s this thing called Passkeys that some of the biggest technology companies in the world are pushing. They’ve taken a secure concept hundreds of other companies agreed to, and are turning it upside down in the name of making things convenient for users.”

“What do you mean?” asked Bob, putting down his newspaper.

“So, there is this authentication technology called FIDO that allows companies to eliminate website passwords – something we both agree we hate passionately – and replace it with a highly secure scheme. Hundreds of companies from around the world worked for nearly a decade to make the scheme a standard so it works on every computer, browser and mobile device; it is also one of the easiest technologies to use.”

“What makes it so much like the safe deposit box scheme,” Alice continued, “is that it requires a hardware device that creates two keys – a public and a private key. The principle is that you keep your private key while the website you use keeps the public key – just like the bank currently does with the safe deposit box. When you want to log in to the website, you identify yourself, and using your hardware key you provide evidence of who you are; the website uses your public key to verify the evidence, and lets you in.”

“So, what’s the problem?” asked Bob.

“These companies – in the name of making it convenient for users who might lose their hardware devices – want to keep both keys in their Clouds. They claim they will bring your keys to whichever recognized devices you use, and enable you to authenticate to your website.”

“Sounds convenient to me, as long as they keep it secure” said Bob.

“Now, why would you trust a technology company with your passkeys, when you would not trust a bank with the safe deposit locker’s keys?” asked Alice. “You don’t really know how secure the FIDO keys are; you do not know who has access to them; heck, you might not even know if someone used them. If the technology companies can bring it down to any device you have, someone might find a flaw in their design and bring the keys down to their own devices. Would that not worry you?”

“Sounds complicated” said Bob, continuing to read the paper. “Besides you said, they are the largest technology companies in the world. How would anyone be able to get around their security?”

“Wake up, Bob!” Alice retorted, a little sharply. “There have been tens of thousands of data breaches since 2004 when California passed the world’s first data breach disclosure law. Not only the largest technology companies, but even the biggest banks, health care providers, social media companies, government agencies, password managers - and many others have been breached. Most of these breaches succeeded because companies continue to use passwords instead of FIDO - so the ‘biggest companies’ are not infallible!”

“Well, what do you expect me to do about it, Alice?” Bob asked plaintively.

“FIDO is not that complex. External hardware devices that look like USB drives - but which are called Security Keys - are available for as little as $20. It takes about 15 minutes to learn how to use them – less time than it took you to learn how to use the mouse playing Solitaire. It may not be as much fun, and it may not be as convenient as your keys magically appearing on whichever computing device you use – but a Security Key that does not release its keys to anyone is the only guarantee nobody is using your keys to access your account. As long as you have your Security Key with you, you are safer than with a passkey in the Cloud.”

Alice continued, a little softly, “Besides, your FIDO keys are a contract between you and the website; nobody in the Cloud needs to know when, how or where you use your Security Key to access the website – that’s the way the FIDO scheme was designed: to protect your privacy. With a passkey stored in the Cloud, that privacy promise is broken. The Cloud service provider knows not only when you used your keys, but also from where, on which device, for which website and perhaps even for what purpose. And, since almost everybody does not read the agreement when using this technology, they could share this information with anyone they choose — and you may not even know that. Doesn’t that bother you?”

“Alright Alice; you’ve convinced me. Get those Security Keys for us. But, where will we use them?”

“I’ll get them, Bob” Alice smiled. “There are many websites that support FIDO currently – our 401k at Vanguard can be protected by FIDO, for instance. So can our account at Hyatt hotel. US Federal Government has supported FIDO for years at Login.gov; so have social media sites – but the latter choose not to educate consumers about it. Companies are adopting FIDO with Security Keys for internal use for employees; let’s hope they choose to support Security Keys for consumers too, rather than passkeys that give up our keys – and privacy - to the Cloud!”