Last week, Google jumped on the passkey bandwagon, claiming that it was ‘the beginning of the end of the password’. While this statement holds some ground, passkeys also represent the beginning of the end for user control.
The passwords we use today are platform-agnostic, generally secure, and part of a wider ecosystem. Passkeys, on the other hand, are vendor-specific, and while they may be more secure than passwords, they skip an important part of cybersecurity — decentralisation. What’s more, the biggest proponents of passkeys are companies such as Microsoft, Google, and Apple, which benefit the most from diluting user control.
Passkeys Explained
Passkeys are a new form of authentication first proposed by the FIDO (Fast Identity Online) Alliance. The standard aims to replace passwords, arguing that the old way is easy to phish and harvest and a ‘hassle to use’. By adopting the passkey standard, websites and service providers can offer secure passwordless sign-ins to their services.
The system uses public-key cryptography to authenticate access to websites. The website’s server stores a ‘public key’, which is one part of the puzzle. The other part, a private key stored on the user’s device, serves to prove that the user is the one accessing the website.
Imagine a secret club whose bouncer has a well-known passphrase (the public key). Each person who comes to the door is assigned a secret completion to that passphrase, and access is granted only if the bouncer’s phrase and the customer’s completion match up. This is more secure than the club relying on a single passphrase that is passed around publicly.
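The public-key exchange described above, as an added example that is not code from the post or from the FIDO Alliance: a simplified model in Go of registering a passkey and then logging in with it, where the device signs a server-issued challenge and the server checks the signature with the stored public key. The relying-party ID "example.com", the struct layout and the way origin and challenge are hashed together are assumptions for illustration, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Authenticator struct{ priv *ecdsa.PrivateKey } // the user's device; the private key never leaves it
type Server struct{ rpID string; pub *ecdsa.PublicKey; challenge []byte } // the relying party; keeps only the public key and its last challenge

// Register creates a P-256 key pair on the device and hands only the public half to the server.
func Register(rpID string) (*Authenticator, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Server{rpID: rpID, pub: &priv.PublicKey}, nil
}

// NewChallenge issues a fresh 32-byte nonce so a captured signature cannot be replayed.
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err) // a login server cannot continue without randomness
	}
	return s.challenge
}

// signedData hashes the origin together with the challenge (an assumed layout), tying each signature to one site.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Assert signs the challenge for the origin the browser reports; the private key stays on the device.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify accepts a signature once, only over the challenge it issued, and only for its own rpID.
func (s *Server) Verify(challenge, sig []byte) bool {
	if s.challenge == nil || string(challenge) != string(s.challenge) {
		return false
	}
	s.challenge = nil
	return ecdsa.VerifyASN1(s.pub, signedData(s.rpID, challenge), sig)
}
```

Because the signature covers both the challenge and the origin, a replayed assertion and an assertion produced for a different site both fail verification, which is the property that makes passkeys phishing-resistant.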
Under FIDO’s standards, each person’s passkey is saved on their device and unlocked by either biometrics or a second factor (2FA). Reportedly, these passkeys will in future also be importable and exportable, cross-device, and compatible across passkey managers.
While this might seem on the surface to be a more secure and easier alternative to passwords, it is a tug of war between different facets of cybersecurity. Solutions that make passwords stronger, such as multi-factor authentication, or make them redundant, such as OAuth and password managers, already exist and are widely deployed. While those options keep the power in users’ hands, passkeys give more power to the companies in charge of them.
Centralisation of authority
Looking at the board-level members of the FIDO Alliance, we find tech giants such as Amazon, Apple, Google, Meta and Microsoft, as well as financial institutions like Visa, Bank of America, and AmEx. The list goes on, but the trend is clear — these are all companies that wish to enforce better security on the Internet.
However, in the pursuit of security, these parties seem wholly satisfied to gloss over centralisation. Putting all the eggs in one basket is far from secure, especially when the basket is financially motivated to lock in its customers.
Take Apple’s deployment of passkeys, for example. To activate passkeys on Apple devices, users are required to opt in to both the Keychain service and iCloud. Apart from iCloud’s bevy of security vulnerabilities, the service also removes transparency on how the passkey is handled. In fact, even a year after release, the passkeys are not exportable, preventing them from being moved to other devices where users would wish to use them.
Passkeys give companies another avenue to lock customers further into their services on the pretext of security and ease of use. This move dilutes user power while multiplying the problem of centralised identity providers, companies like Google or Facebook that offer ‘Sign in with Google’ or ‘Connect with Facebook’ as a sign-in option.
If passkeys become the sole sign-in option in the future, the idea of users having control over their own passwords fades away, replaced by centralised control by big tech. Passkeys also intrude upon the concept of self-sovereign identity, in which individuals are given control over their own information.
With measures like passkeys, users continue to hand more power to centralised identity providers, surrendering more of their data and agency to corporations. While decentralised identity solutions do exist, the momentum carried by FIDO and its members will prove very difficult to break, shepherding the Internet further away from its open-source roots.
The post Passkeys are More Secure, But There’s a Bigger Threat… appeared first on Analytics India Magazine.