As FIDO-based passkey login gets a big push from companies like Google and Apple, there is a lot of chatter and buzz about passkeys now. We want to cover 5 misconceptions about passkeys that people have and that stop them from using passkeys.
Let’s delve into these top 5 misconceptions and see what is right or wrong.
Contrary to this belief, passkeys are not merely rebranded passwords. While both serve the same purpose—to authenticate user identities—passkeys are fundamentally different. Passkeys are built on the FIDO (Fast Identity Online) protocols, which provide robust, phishing-resistant authentication based on public-key cryptography that is both easier to use and more secure than traditional passwords.
For example, Google introduced passkey-based authentication for Google accounts, so you can sign in without having to remember a password, which reduces the risk of user-induced security vulnerabilities.
Unlike traditional passwords, which are stored on the application provider's servers, passkeys work in a different way. When you enable passkey login for an app or website, it first asks for your Face ID, fingerprint or a PIN to proceed. It then generates a pair of private and public keys for your account. The public key is stored on the site's server, but the private key never leaves your device. An attacker cannot derive the private key, which is always required to complete authentication, from the data stored on the server.
Many apps let you use biometrics or Face ID to access the application, and this is more convenient because you no longer have to remember or store passwords. However, it does not make the app more secure: your user ID and password pair can still be used to access your account, and that pair is still stored on the application server, where it is exposed to mass data breaches.
FIDO-based passkeys have been designed specifically to be phishing resistant. Traditional passwords are vulnerable to phishing because they rely on user-entered data, which can be intercepted or mimicked by attackers. Passkeys, on the other hand, rely on cryptographic principles: the private key is stored locally and is never shared with online servers, which significantly reduces the risk of phishing attacks.
This concern is valid but not entirely accurate. Yes, losing a device used for passkey authentication can potentially lock you out of your accounts. However, most platforms offering passkey-based security provide options for account recovery. These may involve backup passkeys, alternate devices, or even using traditional recovery methods like email or phone verification.
To ensure uninterrupted access to your accounts, it is recommended to set up multiple recovery options when available. It’s also crucial to safeguard your physical devices just as you would protect traditional password information.
In the passkey system, when users sign in with biometrics, they may mistakenly believe that their sensitive biometric data is being transmitted to the server. In fact, such biometric data never leaves the user's personal device; it is used only to unlock the passkey stored there.
Passkeys by themselves do not enable tracking of users or devices across websites. Each passkey is bound to a single site and cannot be used on another. The underlying protocols are designed so that nothing shared with a website can serve as a tracking mechanism.
Passkey managers are built to protect passkeys from unauthorized use or access. For instance, Google Password Manager uses end-to-end encryption to store passkey secrets. They are accessible only to the user, and although they are backed up on Google's servers, Google cannot use them to impersonate the user.