Passkeys & Zero Trust

Written by Dario Salice of the CSA Zero Trust Identity Pillar Working Group.

In this article we’re going to discuss how passkeys, based on the FIDO2 standard in combination with WebAuthn (W3C), will allow for passwordless authentication, what benefits they offer, and their current limitations.

Passkeys are an evolution of existing FIDO and W3C standards that allow the creation of cryptographically protected credentials. In contrast to the previous iteration, Passkeys can be synced across multiple devices to allow passwordless login across devices and platforms.

There are options other than passkeys for identity systems to reduce the reliance on passwords, like introducing magic links, relying on (short-lived) one time passwords, certificates, and server-side biometrics. They all come with their own advantages and limitations. What sets passkeys apart from other methods is the integration into modern browsers and operating systems and the inherent phishing resistance they offer.

The Benefits of Passkeys

Supporting passkeys as an alternative to passwords for authentication increases the security of online accounts and can reduce friction to log in.

Security

Bad actors have long found ways to compromise accounts at scale if they are only protected by passwords. Some of the methods include phishing, credential guessing, or reusing dumps of leaked passwords from compromised platforms. This means that passwords alone don’t provide enough protection to make account compromise economically unattractive for a broad set of attackers.

Traditional password policies that require them to meet certain complexity standards or even periodical rotation have shown to be insufficient or even counterproductive measures to make account-takeover more expensive.

Authentication based on passkeys offers higher assurances that a login-attempt comes from the legitimate person due to their phishing-resistance and inability to be intercepted by malicious actors.

There are other passwordless authentication methods that also don’t rely on static knowledge factors. Login-methods that rely on magic links, one-time passwords, or certificates, can have similar advantages as described above.

Access & Usability

Passwords cause significant friction for people to access their data, accounts, and perform online transactions. Relying parties detect significant drop-offs at sign-up when people have to come up with a new password. Helping people reset passwords they have forgotten can generate significant cost and burden on the support-organization - for consumer and workforce applications alike.

People struggle to remember unique passwords for the services they use, which may lead them to discontinue to use a service they previously signed up for. The impact on businesses, that depend on people’s ability to login, results in increased churn and lower revenue.

One particular moment when people are most likely to abandon a service is when they abandon their old device and switch to a new one. When setting up a new device, most services require them to sign in again. Part of the people who forgot their credentials will not even attempt to recover them or fail to do so.

Different types of services are more or less impacted by the friction a login on a new device can cause. Tools provided by the employer will have a higher retention as they are needed for the person to perform their job. Services with a paid subscription or a social element will also have a lower churn, as the user is directly motivated by monetary or social factors to get back into their account.

Even if using a churn-rate of 5%, which for most is at the lower end, the business cost is not negligible.

This reduces engagement and lifetime-value of these customers for the platforms.

Other authentication methods such as magic links, phone-number verification, social logins, etc. also don’t depend on knowledge factors people have to remember. In regards to churn those methods offer similar advantages.

Biometrics & Local PINs

Authentication with passkeys happens with use of the available device capabilities, based on the operating system. In most cases this will be some sort of biometrics like a fingerprint or facial recognition. The biometrics data is only stored on the device and will not be synchronized with any cloud services. In these cases, the biometrics are purely used to authenticate a previously registered owner of a device.

Devices that don’t offer biometric capabilities can also offer a local PIN code to unlock the passkey credentials.

The Passkeys User Journey

Interaction with passkeys is generally split into two IAM lifecycle steps: registration (one-time credential creation) and authentication (credential use at login time).

Registration

Creating a new set of FIDO credentials is the first step to register new passkeys for an account. This step can be implemented at account registration to create a passwordless account or at a later stage to replace an existing authentication method.

When a service prompts users to register a new set of passkeys, they will have to perform a local authentication check like FaceID (Apple), Windows Hello (Windows), or equivalent methods depending on the used device.

Authentication

When being offered the option to login to a website or application for which a set of passkeys has been detected, the operating system will guide the user through the same local authentication process as was used during registration.

Passkeys Replace Passwords

Passkeys are meant to be a replacement for passwords at login-time. They offer stronger security properties.

Replacing passwords with passkeys solves a number of the security and access issues that come with password-based authentication.

• Passkeys can’t be guessed or intercepted by a bad actor.
• Passkeys don’t have to be remembered by the user.
• Passkeys can’t be stolen when a relying party is compromised.

Passkeys are tied to the underlying platform account (e.g., iCloud, Google, Microsoft) to make them available across devices within the same ecosystem. This means that they are accessible to everyone who has access to these accounts and can enroll them on a new device. Compared to password-authentication, this offers a significantly harder to pass protection. In some situations the use of 2-factor authentication methods like authenticator apps, SMS, or FIDO certified Security Keys will still be recommended.

Going Passwordless is a Journey

Passkeys & Zero Trust

Looking at how passkeys can fit into a Zero Trust (ZT) environment, we need to distinguish between the specification and how it’s been implemented. General guidance for authentication in ZT environments is that access to critical assets needs to be continuously validated using strong authentication. Phishing resistance is a quality FIDO and PKI methods offer and this makes them fit well into the ZT principles.

Apple was the first mover supporting passkeys with the release of the major updates for iOS, MacOS, and Safari in H2-2022. They have chosen not to offer device ids that indicate to the Relying Party if said passkey was created on the same or a different device. From a ZT perspective, having this information can allow you to make different decisions for passkey-based logins that are made using a synchronized set of credentials.

The biggest benefit for ZT environments is the lower friction of passkey authentication compared to traditional methods. It not only provides the Relying Party the ability to perform more frequent user-verification checks, but also comes with a strong signal that the authentication is performed on the same device as the request came from.

Limitations of Passkeys

While passkeys significantly increase the Security Baseline and reduce access cost, they are not a silver bullet that solves all account security issues. Bad actors will continue their attempts to compromise online accounts to run their scams, but will have to resort to more expensive ways of doing so.

The Biometrics (e.g., Face, Fingerprint) are not synchronized across multiple devices. The purpose of the local authentication method is only proof of device-ownership. The fact that the biometrics are purely for local user verification makes the use of passkeys for Know Your Customer (KYC) purposes unsuitable.

Limited Support

In order for passkeys to work the Operating System and Browser need to offer support.

Apple, Google, and Microsoft have launched support for passkeys over the past 8 months, but the details can still be a bit confusing to consumers and IT administrators.

Support for passkeys is limited to newer versions of the operating systems, which means that people who still need to be able to login on an older device/browser can’t rely on this new method and need to be offered an alternative.

Test web-applications like Passkey.io and webauthn.io are ideal to help people understand about the the behavior of WebAuthn and passkeys across different platforms.

Adoption Funnel

As with every new technology, we will see an extended transition phase from passwords to passkeys. While support is currently limited, the adoption will also be dictated by how fast relying parties will be able to implement support for WebAuthn/passkeys and motivate their userbase to adopt to the new way of authentication.

Relying parties have to see a value in making investments in their authentication infrastructure to make this step. While adoption across consumer platforms is low, they might be hesitant to do so. One of the immediate benefits a Relying Party can gain in supporting passkey early on is to reduce churn for people who tend to forget their passwords. Even if passwords can’t be phased out yet, having a passkey on file will make transitioning between devices of the same ecosystem easier and more successful.

Underlying Platform Accounts

With the wider adoption and use of passkeys, attackers are likely going to target the underlying platform accounts to gain access to these credentials. It’s important to keep in mind that these accounts already carry sensitive information, including synced passwords, and should be protected with the available protections offered by companies like Google, Apple, Microsoft, etc.

The dependency on the underlying accounts has raised concerns by security practitioners. Enterprises are concerned that passkeys make their security more dependent on the platform accounts, usually in control of the employee and that this can reduce the security baseline. While these risks are justified and need to be considered, they need to take into account how passkey-based authentication raises the bar against most types of online attacks.

Passkey & Existing Frameworks

Passkey is a paradigm shift in many ways that changes the way people authenticate to their online accounts. While the FIDO Alliance positions it as a replacement for passwords (something you know) it entails characteristics that come from more traditional 2-factor authentication methods (something you have and something you are).

The National Institute of Standards and Technology (NIST) has defined three levels of assurance for authenticators in SP 800-63B. Phishing-resistance of passkeys means that it offers a higher assurance than what AAL1 (Authenticator Assurance Level 1) requires.

In order to be compliant with these levels, organizations must look at passkeys as an element of the whole solution.

FAQ:

Q1: Will my biometrics be saved to the cloud with the use of passkeys?

No. Passkeys don’t include information about the user’s biometrics. Biometrics used on the devices are stored and used locally. Passkey itself doesn’t offer assurance that the person using it on device A and device B is the same individual.

Q2: Are passkeys a replacement for hardware- or software-based 2FA?

Not necessarily. Depending on the risk accounts are exposed to it is still sensible to deploy a 2-factor-authentication strategy. While passkey raises the security baseline, likely to be sufficient for many accounts, it is not a silver bullet against account take over.

Q3: What happens if my platform account (e.g., iCloud, Google) gets compromised?

If someone gets access to their victim’s platform accounts, which carries the passkeys, they are at risk of losing exclusive access to these credentials. Compared to a simple username/password login, this attack vector is much more expensive.

Q4: What happens if I lose access to my passkeys?

Relying Parties will still have to offer recovery mechanisms in case users lose the primary credentials.

Useful References

Here are some useful links to keep up to date on the passkeys ecosystem.

Resources from the FIDO Alliance

Test pages for WebAuthn & Passkey

Directory of which applications support passkeys

CSA Zero Trust Circle online community - discussion about passkeys as a component of Zero Trust initiated by Jim Reavis.

Develop and demonstrate an in-depth understanding of Zero Trust with CSA’s Certificate of Competence in Zero Trust (CCZT). Learn more here.