Are Passkeys the Future of Passwordless Authentication?
When Google, Apple and Microsoft announced on May 5 that they would partner to usher in the passwordless era, there was good cause for celebration. After all, over 80% of data breaches are related to password issues, and the use of stolen credentials accounted for $24 billion in account takeover losses, a staggering 79% increase, according to Javelin Research. Solving the password problem has been a shared goal of the three tech giants and the FIDO Alliance, which has pursued it since 2012.
What the FIDO Alliance came up with is a set of interoperability protocols designed to simplify the adoption of passwordless authentication. The protocols marry device biometrics (such as FaceID and TouchID) with cryptographic keys that are registered with specific online services. Riding on a seamless user experience, FIDO has made it easy for enterprises to accept biometrics as a form of user authentication. Nonetheless, two major limitations have always hindered FIDO adoption. First, FIDO essentially authenticates the device owner; it does not validate the account owner, as discussed in greater detail below. Second, as mentioned in our last blog on the topic, FIDO credentials are generated for specific devices; each device or browser must be separately provisioned. This hampered adoption among consumers who use multiple devices. (It is estimated that workforce applications make up the overwhelming majority of FIDO implementations.)
Towards a Passwordless Authentication Future
The Google/Apple/Microsoft announcement was a major step in the right direction, enabling users to authenticate themselves across multiple devices. It introduced two major enhancements. The first lets users use the FIDO credential on their mobile device (FaceID, fingerprint) to sign in to an app or website on a nearby device (e.g., their laptop), using Bluetooth or near-field communication (NFC) connectivity between the devices. While the experience of enrolling and using a mobile device to authenticate to other devices may be clumsy or cumbersome (e.g., what happens if you want to authenticate but left your phone in another room?), it does reduce the need for dedicated FIDO tokens in many scenarios. Users generally have their mobile phones readily available at all times, and using them for cross-platform authentication makes total sense. This advancement alone should propel the adoption of FIDO authentication with consumers.
The second enhancement lets users automatically access their FIDO sign-in credentials (referred to by Apple, Google and Microsoft as “passkeys”) on multiple devices, even new ones, without having to create a new FIDO credential with every online service that requires biometric authentication. This addresses a major shortcoming of the FIDO framework, which used to require a user with a new mobile device or laptop to authenticate to each application with their username/password and then request new FIDO credentials for that application on the new device. That is no longer needed, because a user can now leverage the FIDO credentials from their original mobile device.
What this does not solve, however, is the security of the keys themselves at the cloud providers. When Microsoft first came out with its passwordless authentication solution, Jimmy Fallon released a skit describing what the experience feels like from the user's point of view. All jokes aside, the fear is that the cloud-held keys will ultimately become the weak link for attackers to exploit.
As outlined in the FAQ document that accompanied the announcement, in order to support FIDO sign-in on a new device, the cloud providers will keep a backup of the FIDO credentials (cryptographic authentication keys) in their cloud and make them available on the new device the person signs in with. This means that all of a user's FIDO credentials will now be protected by their Google, Apple iCloud or Microsoft account credentials and whatever security measures guard that account. In other words, if an attacker can gain access to a person's Google/Apple/Microsoft credentials, they can regenerate that person's authentication keys on their own device and access all of their accounts. Considering that millions of Gmail, iCloud and Microsoft account credentials are available on the dark web, and given the explosive growth of SIM swaps, this scenario is definitely not a hypothetical one.
Another unanswered question is how keys can be migrated across platforms (i.e., from Apple to Google or Microsoft and vice versa) if a person or organization decides to switch. For consumers this may not be as big a deal, but any situation where a third party has access to all the “keys to the kingdom” (pun intended) should be a cause for concern at the enterprise level, and figuring out a way to move keys between providers creates security headaches of its own.
So, in a twist of fate, even though keys can now be migrated and shared between devices, the new announcement by the tech giants and FIDO may actually perpetuate the dependency on passwords instead of eliminating it, and may leave us with a false sense of security that fraudsters will be more than happy to exploit.
Enabling Cross-Device FIDO Authentication Within the Circle of Identity
FIDO is made possible because it leverages the biometrics (face, fingerprint, iris) that mobile device vendors store in a secure hardware enclave as part of their commitment to users' security and privacy. From a biometric security standpoint, this means the template is secure and cannot be extracted or tampered with. But as we have been discussing, it also means that when Google, Apple or Microsoft log you in on a new device, they actually do not know who they are authenticating: multiple people may share a device, for example, or, as described above, an attacker who has gained a person's FIDO credential can use their own biometrics to be validated by the service, and no one would know it is not the authorized user.
This has always been one of the weaknesses of FIDO, and this new development does not change the equation. For a service to be assured of the identity of the person using it, it must be able to connect and validate that this is the same person who was originally registered and onboarded. We call this the Circle of Identity. When the Circle of Identity is closed, the selfie captured in the registration process is ingested into a core identity system and becomes the anchor of trust for the user's journey with the service. Whenever a person tries to authenticate from a new device for the first time, their biometric identity is verified, and only then are FIDO keys generated and assigned to that particular device. The same process holds true whenever new keys need to be generated for any reason, and it can prevent multiple keys from being generated for a person using an application on multiple devices. With a closed Circle of Identity, consumers and enterprises can rest assured that the existing gaps for attackers to exploit are eliminated.
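To make concrete what a relying party actually learns from a passkey sign-in, and where the identity re-verification step described above would be inserted, here is an added example of the server-side verification step in Go. It is written for this post and is not Anonybit's, the FIDO Alliance's or any vendor's code. It checks the assertion signature over authenticatorData and the client data hash, the rpIdHash and the signature counter, which is everything the protocol lets the service verify: possession of a registered key, not the identity of the person holding the device. It also reads the Backup Eligible (BE) and Backup State (BS) bits that the WebAuthn specification defines in the authenticator data flags byte, which tell the service whether the credential is a cloud-synced passkey of the kind discussed in the previous section rather than a device-bound key. The RequiresStepUp policy hook is hypothetical, a P-256 key pair stands in for the authenticator, and the relying party ID example.test, the client data JSON and the flag combinations are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticatorData "flags" byte.
const (
	FlagUP = 0x01 // User Present
	FlagUV = 0x04 // User Verified: the device checked a biometric or PIN
	FlagBE = 0x08 // Backup Eligible: the credential may be synced to a cloud account (a "passkey")
	FlagBS = 0x10 // Backup State: the credential is currently backed up
)

// AuthData is the fixed 37-byte prefix of authenticatorData as the relying party sees it.
type AuthData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
}

// ParseAuthData decodes rpIdHash, flags and the signature counter.
func ParseAuthData(raw []byte) (AuthData, error) {
	if len(raw) < 37 {
		return AuthData{}, errors.New("authenticator data too short")
	}
	var ad AuthData
	copy(ad.RPIDHash[:], raw[:32])
	ad.Flags = raw[32]
	ad.SignCount = binary.BigEndian.Uint32(raw[33:37])
	return ad, nil
}

// BuildAuthData constructs authenticatorData for the example (no attestation or extensions).
func BuildAuthData(rpID string, flags byte, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out[:32], h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:37], signCount)
	return out
}

// GenerateCredential stands in for registration: a fresh P-256 key pair, as FIDO authenticators create.
func GenerateCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedMessage is what both sides sign and verify: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return msg[:]
}

// SignAssertion is the authenticator side of a sign-in.
func SignAssertion(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
}

// VerifyAssertion is the relying party side. Everything it checks concerns the key and the
// device, not the person: a valid signature proves possession of the registered private key.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, authData, clientDataJSON, sig []byte, storedCount uint32) (AuthData, error) {
	ad, err := ParseAuthData(authData)
	if err != nil {
		return ad, err
	}
	if ad.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return ad, errors.New("rpIdHash does not match this relying party")
	}
	if ad.Flags&FlagUP == 0 {
		return ad, errors.New("user presence not asserted")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig) {
		return ad, errors.New("signature does not verify under the registered public key")
	}
	// A counter that fails to advance suggests a cloned credential. Synced passkeys commonly
	// report 0 on both sides, in which case the check carries no information.
	if (ad.SignCount > 0 || storedCount > 0) && ad.SignCount <= storedCount {
		return ad, errors.New("signature counter did not advance")
	}
	return ad, nil
}

// IsSyncedPasskey reports whether the credential can exist outside the device that created it.
func IsSyncedPasskey(ad AuthData) bool { return ad.Flags&FlagBE != 0 }

// RequiresStepUp is a hypothetical policy hook: a synced passkey arriving from a device the
// relying party has not seen before is exactly the case where only the cloud account, not the
// person, has been authenticated, so the service can demand biometric identity re-verification.
func RequiresStepUp(ad AuthData, knownDevice bool) bool {
	return IsSyncedPasskey(ad) && !knownDevice
}

func main() {
	priv, _ := GenerateCredential()
	clientData := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge","origin":"https://example.test"}`)
	authData := BuildAuthData("example.test", FlagUP|FlagUV|FlagBE|FlagBS, 0)
	sig, _ := SignAssertion(priv, authData, clientData)
	ad, err := VerifyAssertion(&priv.PublicKey, "example.test", authData, clientData, sig, 0)
	fmt.Println("verified:", err == nil, "synced passkey:", IsSyncedPasskey(ad), "step-up:", RequiresStepUp(ad, false))
}
```

The point of the example is the asymmetry between the two halves: VerifyAssertion can only ever establish that whoever holds the private key signed the challenge, while the BE/BS bits tell the service that this key may also be held by a cloud account, which is why the step-up decision is keyed on device familiarity rather than on anything the assertion itself proves about the person.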
The way to achieve the Circle of Identity without deviating from another fundamental principle of FIDO, privacy, is to leverage a decentralized cloud-based framework that can support biometrics along with other personal data and digital assets. Such a framework enables biometric matching from any device, even shared devices, ensuring that people are who they claim to be wherever and from whichever application they come in. These decentralized biometric frameworks can also bind FIDO keys to specific identities and link them to the original registration, so that an attacker is not able to circumvent authentication protocols through weak account recovery processes.
We at Anonybit applaud the FIDO Alliance, Microsoft, Google and Apple for the tremendous progress they have made in promoting passwordless authentication, and we believe that by connecting their passkeys to secure backend ecosystems and linking the different parts of the identity lifecycle, we can truly get to a secure world: a world of trust, in which security is not traded off for convenience and expediency.
To learn more about Anonybit and how we enable a secure, passwordless future, click here.