Passkeys are primarily about vendor lock-in
With Microsoft's latest admission that they're FORCING everybody to use passkeys, it really gives one a moment of pause to reflect.
In the mad rush to "improve security" many people seem to be missing the entire point in this debate.
Passwords are "something you know" Passkeys are "something you have"
These two things are individual factors, and are not exclusive. Infact, "MFA" is to use two factors, not just one; and that is where the security comes from.
Switching to Passkey is nominal, at best, without having a second factor to keep it MFA.
If you care about security, don't delude yourself in thinking passkey alone is some sort of holy grail, it's not.
However, the push to replace passwords with passkeys is a fundamental shift in security paramount to changing gravity. And I, at least, think it's a serious mistake.
The reason is that passkeys require something you have. Either hardware or virtually with software, but if you, for some reason, don't have that thing, then guess what? For most lay users, it's a serious point of pain and friction. Those who care about security are willing to accept that, but EVERYBODY? Is it really necessary for every single person to stop using passwords? Seems like a myopic assertion that doesn't consider the users themselves.
The real problem here is evidenced by WHO is pushing for this. It is the platform vendors. Microsoft. Apple.
And why is that?
If Microsoft actually cared about their user's security, they'd have resolved many other problems before this.
Personally, I think is about one thing and one thing only: Control of the users, and vendor lock-in to their walled garden.
13 comments
[ 3.1 ms ] story [ 24.6 ms ] threadhttps://www.yubico.com/resources/glossary/what-is-certificat...
https://passage.1password.com/post/passkeys-compliance-stand...
https://www.biometricupdate.com/202408/passkeys-highlighted-...
If customers want to free ride where they are not exposed to the cost of using weak passwords, or using passwords in general, I would encourage them to find an org willing to eat those identity defense costs. Why should orgs pay the cost for users who want to remain on passwords? Customers are not entitled to weak or vulnerable technology implementations simply because they desire them and there is a material cost versus a more secure technology implementation.
They're not 2fa, they're a replacement for manually entering passwords. Basically a more secure autofill. Way easier to use than trying to adhere to every site's different pw requirements.
Re: MFA
Password risk: low quality, reuse, malware, leak, phishing, social eng
Password+MFA risk: malware, leak, phishing, time-limited social eng
Passkey risk: malware
The benefit of MFA with a shared secret (aka password) is to defend against a party that has learned or guessed the secret (low quality password, password reuse, user hack/malware, system hack/leak, phishing). By requiring something you have (access to email, SMS, an authenticator app), and can prove you have access to in a small window - you can significantly reduce the risk of a successful login from someone other than the user. Reduce - if it's user hack/malware, or social engineering the other factor may also be obtainable.
Passkeys use public key crypto, rather than shared secrets. Your password never leaves your device(s), so system hack/leak can only lead to a public key becoming.. public. Passkeys are also machine generated, which eliminates the low quality password and password reuse problems. The negotiation is automated, rather than requiring typing from the user - so the ability to socially engineer is greatly reduced. Finally because the negotiation includes a challenge/response, you still make a time-limited proof you known (like MFA).
Many of the password storage services support passkeys (which are crossed platform). You can also use a Yubikey as a passkeys.
Regardless, most people will store their passkeys in their iCloud or Google accounts, and given that those certs live in secure enclaves, this is way more secure than writing passwords everywhere or using SMS for 2FA (especially given SIM cloning attacks and the whole Chinese hackers in our networks thing)