Passkey Demos previews what to expect for passwordless authentication

Apple, Google and Microsoft are in the early stages of implementing their plan to provide passkeys based on the FIDO Alliance’s new passwordless authentication standard. But eliminating passwords won’t happen overnight.

In May, the three major device and platform vendors collectively announced that they would integrate passkeys into their respective platforms. Passkeys are based on the FIDO2 standard, which includes the World Wide Web Consortium (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance Client-to-Authenticator Protocol (CTAP).

Passkeys begin to roll out

As expected, Apple became the first vendor to ship passkeys with its iOS 16 release late last month, giving millions of iPhones and iPads the ability to use them. Mac users will also be able to use passkeys when Apple releases its latest operating system update, macOS Ventura, which is expected to arrive this month. Last week, Google released passkey betas for Android and Chrome.

Once a user has set up a passkey on an Apple device, it syncs to any other supported Apple client or service through iCloud Keychain. In other words, enrolling one device with a passkey automatically enrolls every other Apple device and service that supports it.

The Google passkey beta allows users to create and use passkeys on their Android devices and sync them securely through Google Password Manager. Google software engineer Arnar Birgisson explained in a blog post that passkeys in Google Password Manager are always end-to-end encrypted.

“When a passkey is backed up, its private key is uploaded only in its encrypted form using an encryption key accessible only on the user’s own devices,” Birgisson noted. “This protects the passkeys from Google itself, or for example a malicious attacker inside Google. Without access to the private key, such an attacker cannot use the passkey to log into the corresponding account.”

Demonstrating the future

Google and Microsoft showcased their passkey implementations to hundreds of identity and security experts at this week’s Authenticate 2022 conference in Seattle. Google identity and security product manager Christiaan Brand showed how to sign in to an account with passkeys, which will appear in an Android update by December. Brand said anyone can sign up for the developer beta on the Google Play Services channel.

“As soon as you sign up with a particular Google account, you will be able to get the latest updates on your device within minutes,” Brand said. Passkeys for Chrome OS are on the roadmap for release next year, he added.

Brand and other identity and security experts at the conference pointed out that authentication with passkeys is considerably more secure than passwords, because passkeys are not vulnerable to phishing attacks or other credential compromises. Passkeys are also easier to use, because they are cryptographic key pairs that work across supported devices and cloud services.
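The phishing resistance mentioned above comes from the WebAuthn ceremony itself: the browser writes the origin it is really talking to into the signed client data, the authenticator binds the relying party ID into the signed authenticator data, and the server verifies both together with a fresh challenge under the public key it stored at registration. The following Go program is an added illustration, not code from the article or from any of the vendors it covers; it uses a toy in-memory authenticator, constructed challenge strings in place of server-issued random nonces, and a deliberately simplified authenticator-data layout (rpIdHash, one flags byte, a zero counter) rather than a full WebAuthn parser.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData holds the clientDataJSON fields that matter for this check.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified navigator.credentials.get() result.
type Assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags (1) || signCount (4)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA signature (ES256)
}

// Authenticator is a toy stand-in for the platform authenticator holding a passkey.
// The key pair is generated at "registration" and the private half never leaves it.
type Authenticator struct {
	RPID string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{RPID: rpID, priv: priv}, nil
}

// signedMessage is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// Sign mimics browser plus authenticator: the browser records the origin it is
// actually connected to, and the authenticator binds its rpId hash into authData.
func (a *Authenticator) Sign(challenge, origin string) (*Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(a.RPID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // UP flag set, signCount = 0
	digest := sha256.Sum256(signedMessage(authData, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side: challenge, origin, rpIdHash, then signature.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, expectedChallenge string, as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: the credential is bound to the real site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	digest := sha256.Sum256(signedMessage(as.AuthData, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// Demo runs three ceremonies against one registered passkey: a genuine login, an
// assertion produced while connected to a look-alike origin, and a replayed assertion.
func Demo() (genuineOK, phishRejected, replayRejected bool, err error) {
	const rpID, origin = "example.com", "https://example.com"
	auth, err := NewAuthenticator(rpID)
	if err != nil {
		return false, false, false, err
	}
	pub := &auth.priv.PublicKey
	genuine, err := auth.Sign("challenge-1", origin) // constructed challenge values
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyAssertion(pub, rpID, origin, "challenge-1", genuine) == nil
	// The browser reports the look-alike origin, so even a valid signature is rejected.
	phish, err := auth.Sign("challenge-2", "https://examp1e.com")
	if err != nil {
		return false, false, false, err
	}
	phishRejected = VerifyAssertion(pub, rpID, origin, "challenge-2", phish) != nil
	// Presenting the genuine assertion again against a fresh challenge fails too.
	replayRejected = VerifyAssertion(pub, rpID, origin, "challenge-3", genuine) != nil
	return genuineOK, phishRejected, replayRejected, nil
}

func main() {
	ok, pr, rr, err := Demo()
	fmt.Println("genuine:", ok, "phishing rejected:", pr, "replay rejected:", rr, "err:", err)
}
```

In a real browser the look-alike origin would never get that far: the credential is scoped to its relying party ID and the browser refuses to exercise it for any other site. The server-side checks shown here are the second layer that a relying party still has to implement, and they are what makes the captured-credential attacks that work against passwords useless against a passkey.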

Although Microsoft does not plan to offer passkeys in Windows until next year, the company demonstrated its implementation and shared various observations. For example, Microsoft would like to run passkeys alongside the company’s Authenticator app, according to Scott Bingham, senior identity program manager.

“Passkeys are cross-device FIDO credentials that are a really compelling solution,” Bingham said. “It can be synced through a cloud platform and available to use on all your devices when you log into the same platform account.”

Windows Hello, which already provides biometric authentication to unlock a PC, will also support passkeys.

Integration of online services and applications

For passkeys to take off, websites and companies that use usernames and passwords for authentication need to add support for them. Thousands of organizations around the world have deployed or are deploying FIDO authentication, which puts them in a position to support passkeys, according to FIDO Alliance Executive Director Andrew Shikiar in his keynote address to the conference.

Among them is PayPal, which last year hired FIDO Alliance founding member Marcio Mello as a product manager for the PayPal identity platform. Mello said PayPal plans to offer US passkey support for a limited number of customers.

Using an iPhone with the new iOS 16, Mello demonstrated how to create a passkey with PayPal. He then explained that on a Mac with the updated OS and iCloud Keychain, the passkey is available automatically. On a device that does not yet support passkeys, a user who had already created one could still use it by generating a QR code.

“It provides this amazing combination that we’ve been waiting for, both convenience and security,” Mello said. “Something that’s absolutely necessary for us to achieve the mainstream rollout we’ve been looking for around the world.”

Although passwords remain the most common credentials for authentication, they are costly for organizations, according to the FIDO Alliance’s Online Authentication Barometer, released this week. The study found that 59% of respondents give up accessing online accounts when they can’t remember their password, and about 40% give up shopping for the same reason. The survey also revealed that 39% are familiar with passkeys.

Adoption will be slow

Throughout the conference, hosted by the FIDO Alliance, identity and security experts appeared to be largely optimistic that standardized passkeys promise to usher in a future of passwordless authentication for devices, online services and applications.

“Passkeys are meant to immediately eliminate passwords for hundreds of millions of consumers,” Shikiar said. How quickly passkeys actually replace passwords remains to be seen, but it will likely be years before they become mainstream, as several presenters pointed out.

Widespread adoption of passkeys is promising because users can reuse their credentials across different vendor ecosystems, said Gartner analyst Paul Rabinovich. Because a passkey saved on one device can complete authentication from another device, “we will finally see wide adoption of software roaming authenticators” embedded in mobile apps or in enterprise operating systems, he said.