Big Tech firms push them as heirs apparent to passwords, but passkeys are proving tough for businesses to implement – with technical complexities and user adoption issues that one Aussie expert says are driving many firms to reconsider their options.

That’s far from the rosy picture painted by technical group the FIDO Alliance, which has pushed its FIDO2 passkey standard hard and renamed World Password Day as World Passkey Day after a survey said 69 per cent of people have already enabled passkeys.

Yet security consultants warn that passkeys create challenges around account recovery, compatibility across platforms, vendor lock-in, user experience and education, security policies, and portability, all of which pose practical issues for small businesses.

One recent literature review, for example, found passkey adoption is being hindered by “misaligned user perception and technical issues” – concluding that current passkey discussions are too technical and advising more focus on “improved user education”.

Many companies have struggled to explain passkeys to users who are only marginally interested in security – but Big Tech firms are shifting from carrot to stick, with a Microsoft change in August set to leave users wondering where their passwords went.

It could be a fillip for passkeys, which toughen authentication by adding ‘something you are’ – using smartphone and computer biometrics to validate users – to existing models built around ‘something you know’ (a password) and ‘something you have’ (a phone).

Passkeys are projected to become the dominant authentication method by 2027 – yet with many firms disenchanted by the complexity of updating a broad range of core applications to support FIDO2, one entrepreneur sees growing interest in an easier way.

Five-factor authentication in a matter of minutes

“All of the passwordless options in the market today typically take weeks, months or longer to deploy,” Graeme Speak, founder of Perth-based BankVault, told Information Age as he ramps up the company’s efforts to ride the crest of the passwordless wave.

Widespread interest in passkeys is turning heads at industry shows, Speak said while demonstrating how BankVault’s MasterKey passwordless authentication protocol enables companies to add passkey support to any web application in minutes.

Users securely log into online services by scanning a QR code that verifies their identity and device once, then automatically validates this information upon subsequent logins.



A passkey, which is a passwordless login credential such as a fingerprint or facial recognition, is a more secure and convenient replacement for traditional passwords and two-factor authentication. Photo: Shutterstock

Passwords and other data are typed into the system through a patented virtual keyboard that cannot be detected by infostealer malware – the kind that has been fingered for the theft of billions of passwords, cookies, bank staff credentials, and more.

It can also add a fourth authentication factor – the user’s location, enabling geofencing or blocking of overseas access – and a fifth, with an integrated liveness algorithm confirming that users are in fact not automated bots.

Because it functions as an overlay, companies can use it to add passkey support to any web application without having to update applications – just 20 lines of code must be added to the login page – and businesses can start enrolling users immediately.

Most websites “have just got username and passwords today and don’t even have MFA,” Speak said, adding that “we can deliver a seamless experience instantly… It’s a growth engine because you’re eliminating friction for the users.”

A longtime innovator who splits his time between Perth and the US, Speak reports interest from e-retailers who believe easy sign-in could reduce the 70 per cent of online shopping carts that are abandoned, often because buyers find registration too complex.

Confabulating convenience and security?

As the industry’s passkey migration efforts ramp up, availability of easier solutions will create new options for companies that see their benefits but stumble on the details – but other security experts warn that much about passkey security is still unresolved.

Creating a passkey, for example, doesn’t stop you from using your password to log in – or stop cyber criminals from abusing it – so you still need to use and protect strong passwords, KnowBe4 data-driven defence evangelist Roger Grimes warns.

Arshad Noor, chief technology officer at hardware authentication firm StrongKey and a FIDO Alliance member of over a decade, worries about the technical compromises that have been accepted to make passkeys palatable to the mainstream.

Graeme Speak of BankVault. Photo: Supplied

Since passkeys use private and public keys, synchronising passkeys to a central cloud server – as when Apple’s iCloud Keychain moves passkeys between a user’s registered devices to ensure smooth logins – requires storing the passkey’s private key centrally.

Yet “since the 1990s one of the cardinal rules of public key cryptography is that you never, ever give up your private key,” Noor said, noting that “all of the complexity of public-key infrastructure is around protecting the private key.”

While security experts long extolled the benefits of storing a private key on a physical hardware security key – which you plug in to authenticate yourself, then carry with you – tech giants have shifted towards synced passkeys that move that key around.
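To make concrete what a relying party actually holds, here is an added example in Go that is not from this article, BankVault or any vendor: it models a FIDO2 login assertion in which the server stores only the public key and verifies a signature over the challenge it issued, while the private key lives in the authenticator. The `Sync` method is the example's own assumption modelling what cloud sync does: a second copy of the same private key that the server cannot distinguish from the original device; type and field names are likewise the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator holds the passkey's private key; hardware-bound keys never leave the device, synced ones are copied.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty stores only the public half from registration, which is all verification needs.
type RelyingParty struct{ pub *ecdsa.PublicKey }
// Register creates a P-256 key pair (ES256, the usual FIDO2 algorithm) and hands the RP the public key.
func Register() (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	return &Authenticator{priv}, &RelyingParty{&priv.PublicKey}, nil
}
// Sync models cloud passkey sync (an assumption of this example): a second device holds the same private key.
func (a *Authenticator) Sync() *Authenticator { return &Authenticator{a.priv} }
// assertionDigest is what FIDO2 signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func assertionDigest(authData, clientDataJSON []byte) [32]byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
}
// Assert produces the signature an authenticator returns in a getAssertion response.
func (a *Authenticator) Assert(authData, clientDataJSON []byte) ([]byte, error) {
	d := assertionDigest(authData, clientDataJSON)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}
// Verify accepts a login only if the exact challenge the RP issued was signed by the registered key.
func (rp *RelyingParty) Verify(challenge string, authData, clientDataJSON, sig []byte) bool {
	var cd map[string]string // simplified clientDataJSON: {"type": ..., "challenge": ...}
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return false
	}
	d := assertionDigest(authData, clientDataJSON)
	return ecdsa.VerifyASN1(rp.pub, d[:], sig)
}

func main() {
	auth, rp, _ := Register()
	cdj := []byte(`{"type":"webauthn.get","challenge":"c0ffee"}`) // constructed sample clientDataJSON
	sig, _ := auth.Sync().Assert([]byte{0x01}, cdj)
	fmt.Println("assertion from synced copy accepted:", rp.Verify("c0ffee", []byte{0x01}, cdj, sig))
}
```

The relying party never needs the private key, which is why where that key is stored, and who can obtain a copy of it, decides who can pass as the user.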

“Apple originally built their FIDO capability to protect the private key,” Noor explained, “but realised the complexity of educating consumers and flipped the whole model around to say ‘don’t worry about the private key – we’re going to protect it’.”

This is a concern not only because cybercriminals could access a victim’s passkeys if they can add a new phone to their cloud accounts, but because standards for seamlessly moving passkeys between cloud providers are still works in progress.

“This completely shocked me,” Noor said, “because what was absolutely devastating was that Apple, Google and Microsoft recognised that this was a way for them to carve up the entire internet ecosystem between them, and they all jumped on it.”