| So there's a high degree of complexity and subtlety to Passkeys. I wrote a paper about this, some key things: ● Passkeys improve security significantly, and while they make some trade-offs concerning security versus usability, they do not introduce any new attacks; they also make many existing attacks much harder or impossible (e.g., brute forcing attacks or credential stuffing) ● Passkeys will bypass the hurdle of getting people to use password managers, and will likely result in the widespread use of biometrics to secure their Passkeys ● Passkeys can potentially make account sharing harder once attestation is supported, something a lot of service vendors are in favor of. Passkeys are also easier to deploy at scale and more reliable, thanks to supporting device synchronization. Passkeys should also reduce the need for account recoveries and lower support costs when compared to passwords ● Passkey client support in both software and secure hardware tokens is widespread and available now on most platforms, browsers and many third-party password managers ● Passkeys are being supported by major vendors (e.g., as of October 10, 2023, Google announced: Passwordless by default: Make the switch to passkeys, for Gmail users, and Google Workspace administrators can enable it) https://cloudsecurityalliance.org/artifacts/beyond-passwords... And if you want to quickly check what the passkeys-related capabilities of your preferred platforms are: https://passkeys.dev/device-support/ And to see what the state is of the services you use: https://passkeys.directory/ The TL;DR: there's a LOT of good stuff with passkeys, but there are some concerns a lot of people aren't thinking about, e.g. Passkeys as a Requirement vs. Option Implementing Passkeys, as a provider, does not mean that all authentication must be done via Passkeys. For example, the Cloud Security Alliance generally supports SSO via Apple, Google, Linkedin, and Microsoft, and we support a “classic” username and password-style login. The reason for this is simple: not everyone has or can get an account with one of the SSO providers listed. This is also why we do not require 2FA/MFA: you can choose to use 2FA/MFA with your SSO provider, but the Cloud Security Alliance does not require 2FA/MFA to ensure that people who do not have access to a device that supports 2FA/MFA are also able to access and use our systems. However, for many providers, at scale, it is viewed as a better option to get rid of passwords entirely and move people over to Passkeys wholesale. Many also feel that users cannot be asked or given the option to move to Passkeys as they will simply ignore it (and based on seeing multiple 2FA/MFA rollouts, this is true). Requiring Passkeys in favor of passwords will, of course, largely put an end to phishing and credential stuffing against accounts. Phishing and credential stuffing attacks would still be possible against account recovery processes, but as previously discussed, this is not a new or significantly
increased vulnerability. Requiring Passkeys also has the ugly possibility of effectively locking out people who do not have access to a device that can use Passkeys (there are still people who do not own a smartphone or computer but instead rely on public access computers, for example). Balancing the overall security health of a large group of users vs. adversely affecting a disadvantaged group is something that vendors deploying Passkeys will need to consider, especially for “free” services that many people rely upon (like email). edit: formatting. |