In the last year or so, you may have seen tech giants like Google, Apple, Microsoft, and others making a big push for passkey authentication in place of user/password with MFA. While it is true that passkey is elegantly designed and secure, does it actually solve the security problem today? This blog focuses on why it is difficult, if not impossible, to realize the full benefit of passkey at present or in the foreseeable future. It is intended for a general, non-technical audience and, as such, does not go into technical details. If you are a technical reader, I have listed links at the end to blogs that go into depth on the various challenges of passkey, specifically its usability today.
What is a passkey? In simple terms, with passkey your device generates a unique public/private key pair for each website you log in to and associates it with that site. The public key is shared with the website, while the private key remains on your device. To log in, you need your private key and the public key held by the website. It is roughly similar to how a lockbox at the bank works: you have one key, the bank has the other, and the lockbox can be opened only when both keys are inserted.
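To make the idea above concrete, here is a small Go sketch (added here; it is not the blog's code and not any vendor's implementation) of the exchange: the device keeps one private key per website origin and only ever hands out the public half, the site sends a fresh random challenge, the device signs it, and the site checks the signature with the stored public key. It goes one step beyond the paragraph by showing that a look-alike website, even one holding a copy of the public key, gets nowhere, because the device has no key for that origin. `Authenticator`, `RelyingParty`, `Register`, `Login` and the `bank.example` origin are illustrative names I made up; Ed25519 stands in for whatever signature algorithm a real site negotiates, and the whole thing is a simplified model, not the WebAuthn protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device: one private key per website origin, never exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// RelyingParty models a website: it stores only the user's public key, never a private key.
type RelyingParty struct {
	Origin string
	pub    ed25519.PublicKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register mints a fresh key pair for this origin; only the public half is sent to the website.
func (a *Authenticator) Register(rp *RelyingParty) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.Origin] = priv
	rp.pub = pub
	return nil
}

// Login: the site issues a random challenge, the device signs origin||challenge with the key bound
// to that origin, and the site verifies with its stored public key. A look-alike origin has no key.
func Login(a *Authenticator, rp *RelyingParty) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	priv, ok := a.keys[rp.Origin]
	if !ok || rp.pub == nil {
		return false, nil // device has no passkey for this origin, or nothing was registered
	}
	msg := append([]byte(rp.Origin), challenge...)
	return ed25519.Verify(rp.pub, msg, ed25519.Sign(priv, msg)), nil
}

func main() {
	auth, bank := NewAuthenticator(), &RelyingParty{Origin: "https://bank.example"} // constructed origin
	_ = auth.Register(bank)
	fmt.Println(Login(auth, bank)) // true <nil>
}
```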
OK, all this sounds very secure. Why is it not practical today? The reason is plain and simple: every website that supports passkey login also offers other, less secure forms of authentication, such as user/password with weak MFA (e.g., SMS) or, worse, no MFA at all, along with many account recovery methods. So, when an attacker is trying to break into your account, they don’t care that you have secure passkey authentication; they will simply pick the weakest method available. A good analogy is that you have a 10-inch-thick steel door on your vault, but the vault also has glass windows; which one would you choose to break in through? Until websites offer only passkey login, which is not going to happen anytime soon, using a passkey doesn’t make your security posture any stronger. You are better off choosing a unique, strong password combined with strong MFA (an authenticator app or a hardware key) to protect your account.
There is also a downside to passkey in how it is implemented today. Earlier in this blog, I mentioned that the private key never leaves the device; in most implementations, that is not actually true. Google, Microsoft, and Apple could have made different implementation choices that would have left passkey nearly impossible to hack except by the "$5 wrench" method. However, I feel they chose convenience over security by shipping each key pair to their respective cloud storage to support syncing across multiple devices. At the end of the day, the question to ask is: if the private key leaves your possession (encrypted or otherwise), is it still a private key?
In conclusion, while passkey sounds secure and elegant, today’s authentication mechanisms like user/password + MFA are here to stay for the foreseeable future.
Related Links:
- https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/
- https://world.hey.com/dhh/passwords-have-problems-but-passkeys-have-more-95285df9
- https://firewallsdontstopdragons.com/the-pros-and-cons-of-passkeys/
- https://www.pbrumby.com/2023/11/29/how-passkeys-work-benefits-and-downsides/
- https://osma.medium.com/the-trouble-with-passkeys-64c791ef5620
- https://betanews.com/2023/05/30/the-downsides-to-using-passkeys/