Passkeys – Week 10

In recent news, Amazon is allowing users to adopt passkeys. I wanted to understand a little more about passkeys and how they are supposed to work.

What About Passwords?

Passwords are not going away yet, and you should still practice good password hygiene. Good password hygiene can be summarized as follows:

  • Create strong passwords
  • Do not reuse a password across sites
  • Do not share passwords
  • Avoid leaving passwords in unsafe places — don’t write them on a memo pad
  • Use a password manager whenever possible

About Creating Strong Passwords

Strong passwords have high entropy: a measure of how many guesses an attacker needs, on average, before hitting the password. Password policies try to push users toward better passwords by enlarging the pool of symbols a password can draw from: lowercase and uppercase letters, digits, and punctuation. That is only part of the battle. Each extra character multiplies the search space by the size of the pool, so length matters more than symbol variety; users should also make passwords longer than 8 characters and avoid anything guessable, such as dictionary words, names, dates, and keyboard patterns.
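The hygiene rules listed above and the entropy idea in this paragraph, turned into a small checker. This is an added example in Go, not code from the post: it estimates entropy as length times log2 of the symbol pool, rejects anything on a constructed blocklist (a stand-in for a real breached-password list), and enforces the post's more-than-8-characters rule. The 60-bit floor and the blocklist contents are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// commonPasswords is a constructed stand-in for a real breached-password
// blocklist (which would hold millions of entries). Lookups are lowercase.
var commonPasswords = map[string]bool{
	"password": true, "123456": true, "qwerty": true,
	"letmein": true, "p@ssw0rd": true, "iloveyou": true,
}

// poolSize returns the size of the symbol pool an attacker must search if
// they know which character classes the password uses: 26 lowercase,
// 26 uppercase, 10 digits and 33 printable ASCII punctuation characters.
func poolSize(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	if lower {
		n += 26
	}
	if upper {
		n += 26
	}
	if digit {
		n += 10
	}
	if symbol {
		n += 33
	}
	return n
}

// EntropyBits estimates the guessing work as log2(pool^length) =
// length * log2(pool). This assumes every character was chosen uniformly at
// random, so for human-chosen passwords it is an upper bound, not a promise.
func EntropyBits(pw string) float64 {
	n := poolSize(pw)
	if n == 0 {
		return 0
	}
	return float64(len([]rune(pw))) * math.Log2(float64(n))
}

// Check applies the hygiene rules from the post: nothing from the common list,
// more than 8 characters, and enough estimated entropy. The 60-bit floor is an
// assumed policy value, not something the post specifies.
func Check(pw string) (ok bool, reason string) {
	if commonPasswords[strings.ToLower(pw)] {
		return false, "appears in the common-password list"
	}
	if len([]rune(pw)) <= 8 {
		return false, "8 characters or fewer"
	}
	if bits := EntropyBits(pw); bits < 60 {
		return false, fmt.Sprintf("only %.1f bits of estimated entropy", bits)
	}
	return true, "ok"
}

func main() {
	// Constructed sample passwords.
	for _, pw := range []string{"P@ssw0rd", "Password1", "Tr0ub4dor&3", "correcthorsebatterystaple"} {
		ok, why := Check(pw)
		fmt.Printf("%-26s %5.1f bits  ok=%-5v %s\n", pw, EntropyBits(pw), ok, why)
	}
}
```

Two of the sample inputs make the post's point: "Password1" uses three character classes yet lands near 54 bits because it is only nine characters long, while the all-lowercase "correcthorsebatterystaple" clears 117 bits on length alone. "P@ssw0rd" is rejected by the blocklist before any arithmetic happens, which is how real checkers should treat leetspeak variants of common words.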

How Passkeys Work

In the simplest terms, a passkey uses public-key cryptography, the same family of techniques that authenticates web servers in SSL/TLS when you connect over HTTPS. Public-key (asymmetric) cryptography uses a pair of keys: a private key that never leaves its owner, and a public key that can be handed out freely. A passkey does not use the pair for encryption but for digital signatures: when you log in, the site sends a random challenge, your device signs it with the private key, and the site checks the signature with the public key it stored when you registered. Only the holder of the private key could have produced that signature, and because the challenge is fresh every time, a captured signature cannot be replayed.

Because the passkey system generates this key pair itself, the user is relieved of having to come up with anything strong; the keys are random and carry far more entropy than any memorable password. They are also very hard for an attacker to get at: the private key is stored in the device’s keychain (or on a hardware security key), never leaves it, and a fresh key pair is created for each site at registration, so nothing is shared between sites. The site stores only the public key, which is useless on its own, so a breach of the site’s database does not expose a usable credential. The credential is also bound to the site’s domain: the browser tells the device which site is asking, so a look-alike phishing page cannot obtain a signature the real site would accept. Keeping the key on the device does mean it can be lost with the device or fail with it, which is where synchronized passkeys come in: Apple’s iCloud Keychain and the equivalent services from the other platform vendors back the keys up and sync them across a user’s devices.
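The challenge-and-signature flow described in the two paragraphs above, as an added example written for this page (not code from the post, Amazon, or any FIDO implementation). It is a Go simulation of both sides: the device keychain and the website are plain structs, the key type is P-256 ECDSA (what WebAuthn calls ES256), and the signed message is simplified to a hash over the site's domain and the challenge rather than WebAuthn's real authenticatorData and clientDataJSON structures. The names Authenticator, RelyingParty, example.com, examp1e.com and alice are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the device keychain. It holds one key pair per
// relying party, indexed by the rpId (the site's domain) it was created for.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for rpID and returns only the
// public half. The private key stays in the authenticator.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return &priv.PublicKey
}

// Sign answers a login challenge. In a real browser rpID comes from the page's
// actual origin, not from the page's own content, so a look-alike domain finds
// no credential and gets nothing it could relay to the real site.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	digest := signedData(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// signedData is the message both sides agree to sign: a hash over the rpId and
// the challenge. This is a simplified stand-in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON), which carries the same facts.
func signedData(rpID string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// RelyingParty is the website. It stores public keys only, so a dump of its
// user table gives an attacker nothing that can log in.
type RelyingParty struct {
	id    string
	users map[string]*ecdsa.PublicKey
}

// NewChallenge returns 32 random bytes; a fresh one per login defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks that sig is a valid signature by user's registered key over
// this site's rpId and the challenge the site issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	digest := signedData(rp.id, challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs registration, a normal login, a replay of a captured signature
// against a new challenge, and a phishing attempt from examp1e.com.
func Demo() (login, replay, phish bool) {
	auth := NewAuthenticator()
	site := &RelyingParty{id: "example.com", users: map[string]*ecdsa.PublicKey{}}
	site.users["alice"] = auth.Register(site.id) // registration: site keeps the public key only

	ch := site.NewChallenge()
	sig, err := auth.Sign(site.id, ch)
	login = err == nil && site.Verify("alice", ch, sig)

	replay = site.Verify("alice", site.NewChallenge(), sig) // old signature, new challenge

	_, err = auth.Sign("examp1e.com", site.NewChallenge())
	phish = err == nil // did the look-alike domain get a signature at all?
	return
}

func main() {
	login, replay, phish := Demo()
	fmt.Printf("login ok: %v  replay accepted: %v  phishing signed: %v\n", login, replay, phish)
}
```

Running it gives a successful login, a rejected replay, and no signature for the phishing domain. The replay fails because the challenge is part of what was signed; the phishing attempt fails because the credential is keyed by the domain the browser reports, not by anything the attacker controls.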

Conclusion

Although I am optimistic about this new method of authentication, I do have some apprehension, and I hope the account-recovery methods are well documented. I am sure passwords and MFA (multi-factor authentication) will remain a viable fallback for a while.

One omnipresent problem is user adoption and user education. Users come from diverse backgrounds, and the common user “just wants it to work” and does not care how. Plus, some users will be apprehensive about adopting a new method of authentication, and they are probably firmly (or obstinately) attached to their “tried-and-true” method.

The next hurdle is adoption by the companies deploying them. It takes training, and I have seen some really complicated deployments of something as seemingly simple as multi-factor authentication, possibly the result of poor design by the vendor.

Anyhow, adoption may be slow or fast. Data breaches of customer information may push some toward the switch, but not everyone will switch. We shall see how this goes.