In March, we published a blog called “YubiKeys, passkeys and the future of modern authentication” which took a look at the evolution of authentication from when we first introduced the YubiKey back in 2008, to where the industry is heading with the adoption and adaptation of WebAuthn/FIDO authentication.

In the last month, there have been several news cycles about “passkeys” which has caused some excitement, as well as some confusion, about what we as an industry and driver of authentication standards are doing to move beyond passwords.

Since then, we have received questions from our customers and partners for additional clarity around passkeys, which we will highlight in today’s blog, as well as our upcoming Webinar focused solely on passkeys, your questions, and modern authentication.

With that, let’s jump in to help answer what we have seen as the most popular questions we have heard, from Yubico’s perspective.

Q: What is a passkey?

Passkeys are like passwords, but better. They’re better because they aren’t created insecurely by humans, and because they use public key cryptography to create much more secure experiences.

But passkeys aren’t a new thing. It’s just a new name starting to be used for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These types of credentials are also called discoverable credentials, or sometimes resident credentials.

We like the new term and will use it, because it helps people understand they’re a password replacement with a simple term. “Passkey” is much more understandable by most people than “discoverable WebAuthn/FIDO credential”.

The first public mention of the term passkey to a wide audience was last year by Apple at a WWDC2021 talk where they introduced a “Passkeys in iCloud Keychain” technology preview to developers.

Passkeys refer only to WebAuthn/FIDO credentials, and not to the many other keys and protocols, such as PIV, OTP, or OpenPGP Card, available in the YubiKey 5 Series.

 

Q: Why is the term passkey in the news a lot recently?

Platform vendors such as Apple, Google, and Microsoft, started shipping support for fully passwordless experiences using external authenticators like YubiKeys, and also using the security focused hardware built into their devices such as TPMs, as early as 2019.

Some of that work is still happening, but the platforms appear to be getting closer, and have started publicly signaling their intent to complete support, to add a couple of features, and their ongoing commitment to standards bodies such as W3C and FIDO.

We expect to see much more about passkeys in the news once the implementations ship and evolve over the next year or two.

 

Q: What additional changes are coming that are being talked about in association with passkeys?

At the highest level, there are two new things coming in order to increase service and consumer adoption of WebAuthn/FIDO:

  1. Android and iOS phones that have passkeys on them can be used, mostly via bluetooth and the internet, to log into other devices such as laptops. This is exciting, and has always been part of Yubico’s vision for the protocols we’ve worked to create and proliferate.

Yubico helped create the original bluetooth FIDO transport and even built a proof of concept bluetooth YubiKey. That helped us collectively learn how unreliable some bluetooth implementations and features can be in the wild. This new “phone as security key” functionality uses what we collectively learned from that protocol, and uses internet connectivity to mostly avoid bluetooth except for proving proximity. (If you’re feeling curious, the protocol is called caBLEv2, and is soon to be renamed to the “hybrid” transport)

 

  1. Platform FIDO credentials will now be automatically copied to other devices logged into the same platform password manager by default, the same way passwords are today.

This was done to help ease recovery from the loss of a device, but comes with security tradeoffs.

How these new things work are still in beta and subject to change, but you can expect to see a lot more about them as implementations near completion. You can read more here in our previous blog post on this topic.

We’ll make sure to continue to publish our take on them as they ship, and will also provide detailed developer guidance to navigate the protocol and code changes that will be needed to take full advantage of the flexibility afforded by these changes while implementing the security required by the applications that depend on them.

 

Q: How are passkeys different from YubiKeys?

They’re the same, and they’re different.

They’re the same because YubiKeys have had the ability to create these passwordless enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.

They’re different because Platform created passkeys will be copyable by default using the credentials for the underlying cloud account (plus maybe an additional password manager sync passphrase), whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.

 

Q: What terms will Yubico use to talk about passkeys?

We like the term passkey and plan to use it. Because many things are being talked about at the same time, we will try to use terminology consistently to make the differences or similarities clear depending on the situation. This is still a work in progress across the industry, and we will adapt as things change.

Here are a couple of examples that may help for now:

  1. Copyable passkeys are often called “multi-device”, “syncable”, “backup enabled”, or similar terms.

Some of these terms are easily confused with the WebAuthn/FIDO concept of an authentication device’s “attachment” which can have the values “platform” or “cross-platform”.

We prefer to use “copyable” because it clearly describes what can be done with the credential, but does not imply any goodness or badness and does not use overloaded or confusing terms.

  1. Non-copyable passkeys are sometimes called “single-device passkeys”.

We prefer to use “hardware bound” because it describes the location of the credential clearly without implying the credential can only be used with one device (as opposed to from one device).

 

Q: What are the security tradeoffs between copyable and hardware bound passkeys?

Hardware bound passkeys, such as the ones that are on YubiKeys, are the gold standard for modern, phishing-resistant authentication and security. They are very easy to reason about and build systems around: no device, no access. However, for consumers registering credentials to many sites, managing multiple authenticators can present challenges.

Copyable passkeys can make it easier to recover in the event of a lost device if the user can obtain a device that works with the cloud syncing service they used, and can recover their account. In the absence of a compromised device, the presence of that copied credential proves that there was access to a device which was logged into the user’s cloud account. This can be a useful additional signal, but does not provide the same level of security as a hardware bound passkey.

We’ll expand more on this in future content for different audiences as implementations ship.

Q: What is Yubico’s overall guidance about passkeys?

  • Copyable passkeys offer roughly the same security as “Sign-in with Google/Apple”, plus an additional key sync password.
  • Much like today, banks, enterprises, and those wanting or needing high security will not rely solely on the security of a consumer cloud account, even if copyable FIDO/WebAuthn credentials are used to provide that trust instead of federated login protocols like SAML, OpenID Connect, or OAuth such as Sign-in with Google/Apple.
  • The multitude of high security use cases faced by many organizations need more protocols than just FIDO, and they need the security guarantees and cryptographic attestations provided by hardware backed credentials.
  • Services should continue to request and store attestation information so that they can make risk decisions based on the type of credential that is used. Our guidance on attestation is provided in more detail on our developer site.
  • We hope that a consumer focused push about passkeys will entice more services to enable support for WebAuthn/FIDO.
  • More use of WebAuthn/FIDO hopefully means that eventually fewer people will use, and fewer services will have to deal with creating and securing dangerous username and password-based systems.

We are happy that the standards we co-created and have worked on improving for years are seeing even wider adoption, and are hopeful that these motions will continue to reduce harm and advance our mission to make the internet safer for all.

Source: Christopher Harrell