Strengthening the Fort
In today's digital landscape, securing user authentication is more critical than ever. Recently, I explored the benefits of using Yubikeys and Windows Hello to authenticate users instead of traditional passwords. These technologies offer robust security and can be effectively managed to enhance organizational safety. However, there is a term I intentionally avoided in that discussion: "passkeys." While Yubikeys and Windows Hello are indeed types of passkeys, not all passkeys are created equal, so I did not want to endorse passkey use in general. The passkey landscape is currently confusing and exposes our users to potential vulnerabilities. This article aims to shed light on the complexities of passkeys and provide guidance on educating users and restricting passkey use to ensure maximum security.
A passkey is a cryptographic credential that replaces a password. Passkeys are either device-bound or multi-device (synced). Device-bound passkeys, such as those on YubiKeys and in Windows Hello, exist on a single device. For instance, each Windows Hello computer has its own passkey tied to your Microsoft account, and a YubiKey's passkey is linked to that specific YubiKey only. To access your account with a device-bound passkey, an attacker needs both your physical device and a second factor (PIN, fingerprint, facial scan, etc.). This method is significantly more secure than passwords, offering a simple and effective defense against attackers.
Multi-device passkeys utilize a cloud service to synchronize passkeys across multiple devices rather than storing them on a single device. For example, an Apple iPhone, iPad, and iMac can have a passkey stored in iCloud, which is then synced to each device and used with biometrics to access iCloud. The integration of hardware and software, both controlled by Apple, creates a robust security ecosystem.
However, many password vault providers now offer the capability to store and use passkeys directly from their services. This convenience eliminates the need for users to set up a passkey for every device individually, but because these providers do not control the operating system and hardware, the solutions can be inconsistent and confusing to users. It is anticipated that criminals will take advantage of this confusion and develop sophisticated social engineering techniques and other methods to integrate their own devices into multi-device passkey solutions. Given the novelty and complexity of this technology, users are likely to become vulnerable to such social engineering tactics.
There are various creative implementations of passkey use, such as using a passkey on one device to authenticate a user on a second device via a QR code. Microsoft has recently introduced this feature for logging into M365, which some users may find useful. It remains uncertain how long it will take before a hacker employs social engineering techniques to deceive a user into scanning a code that grants access.
The takeaway from this is that we all need to start educating our users not to simply add passkeys to any system that asks them to. Instead, we need to identify the passkey solution we want our users to utilize, train our users to use just that solution, and, if possible, take steps to restrict unauthorized passkey solutions. I am still a fan of Yubikeys and Windows Hello, so I would encourage you to investigate these solutions and to avoid the multi-device solutions, at least for now!
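One concrete way a relying party (the website or identity provider verifying the login) can enforce the "device-bound only" policy recommended above is to inspect the flags byte in the WebAuthn authenticator data that every registration and sign-in returns. The WebAuthn specification defines a Backup Eligibility (BE) bit that is set when a credential can be synced to other devices, and a Backup State (BS) bit that is set when it currently is; a device-bound YubiKey or Windows Hello credential leaves BE clear. The following is an added example, not code from the original post or from any passkey vendor; the RP ID `bank.example`, the sample authenticator data, and the helper names are constructed for illustration, and real deployments would perform this check inside a full WebAuthn verification (signature, challenge, origin), which is omitted here.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (flags byte at offset 32).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified (PIN or biometric was checked)
FLAG_BE = 0x08  # Backup Eligible: credential may be synced (multi-device passkey)
FLAG_BS = 0x10  # Backup State: credential is currently backed up / synced
FLAG_AT = 0x40  # Attested credential data present (registration only)
FLAG_ED = 0x80  # Extension data present


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_passkey(parsed: dict) -> str:
    """BE set means the credential can leave the device: a multi-device (synced) passkey."""
    return "multi-device" if parsed["backup_eligible"] else "device-bound"


def evaluate_policy(auth_data: bytes, expected_rp_id: str, allow_synced: bool = False):
    """Return (accepted, reason_or_classification) for one authenticator response.

    Policy: the RP ID hash must match, the user must have been verified with a
    second factor, and synced passkeys are rejected unless explicitly allowed.
    """
    parsed = parse_auth_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False, "rpIdHash does not match the expected relying-party ID"
    if not parsed["user_present"]:
        return False, "user presence not asserted"
    if not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) required"
    if parsed["backup_eligible"] and not allow_synced:
        return False, "synced (multi-device) passkeys are not permitted"
    return True, classify_passkey(parsed)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator-data prefix for testing (constructed sample)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


# Constructed samples: a device-bound credential and a synced one for the same RP.
DEVICE_BOUND = build_auth_data("bank.example", FLAG_UP | FLAG_UV, 42)
SYNCED = build_auth_data("bank.example", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)

if __name__ == "__main__":
    for label, sample in (("device-bound sample", DEVICE_BOUND), ("synced sample", SYNCED)):
        print(label, "->", evaluate_policy(sample, "bank.example"))
```

The BE/BS check is deliberately conservative: it blocks any credential that could be synced, even if it is not currently backed up, which is the posture the article argues for. If you later decide to allow one specific vendor's synced passkeys, the registration-time attestation (AAGUID allowlist) is the usual mechanism, and it is separate from the flag check shown here.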