[LINK] The problem with Passkeys
Kim Holburn
kim at holburn.net
Mon May 29 14:14:58 AEST 2023
https://www.androidcentral.com/phones/the-problem-with-passkeys
The problem with Passkeys
By Jerry Hildenbrand
We're not ready to make the move.
Google and other companies have been working with the FIDO Alliance to change how online security works using a concept they are
calling the Passkey. It's a great idea with a few flaws that mean it's not really something Google should be pushing out to everyone.
Passkeys work using two critical elements: Special hardware already inside most of the best Android phones and cryptography software
that meets all the specifications to make it what's called a FIDO credential.
When you set up your phone, a unique key will be created and stored in your phone's secure enclave. This identifier will be used
with the FIDO standards to create a set of credentials that can be passed along to any device that's in communication with your
phone, or any software that's running on that device, like the web browser or an app.
After everything is set up, all you need to do is unlock your phone to provide these secure credentials.
[Image: Setting up a USB Security Key]
You're not supplying any information that can be used to identify you but every set of credentials is still unique. The only online
component is a backup key stored in the cloud to help you recover your accounts.
In simple terms, this means that your phone will store a key. When you want to access an online account that works with passkeys,
you unlock your phone and the key proves that you are really you.
I like this future where passwords and usernames don't really exist. Not as much as Apple and Google who know that you almost have
to have a compliant phone to use it and there are only two real choices there — iOS and Android — but I think it's a step in the
right direction.
Having said that, I don't recommend you jump in and turn it on as soon as you see a prompt or get an email from Google. It's just not
completely ready.
[Image: Passkey generation]
The onboarding process itself is a bit half-baked. Some of my colleagues here at Android Central have semi-successfully waded
through it, and after fiddling with a QR code displayed on a phone and being asked to scan it with the same phone, URLs that are
broken and don't actually do anything when you tap on them, and being told that the USB security key needed to be inserted even
though one was never set up, we all came to the same conclusion — this is not ready for prime time.
That doesn't mean it can't be or won't be ready in the future. We've seen this from Google before — rush a feature out the door that
still needs plenty of polish before you give it to billions of users — and we've seen Google quickly turn it around and make it work
as intended. It means right now, setting up your account with a Passkey might be a really poor experience.
That's not the real problem though, at least in my opinion. My issue is that it's tied to a physical device you must have on hand if
you want to use an online service.
That device doesn't have to be a phone. You can also use a physical security key, a wearable, or anything with the correct hardware
and software support to act as an authenticator. And that works well — I use a FIDO-compliant USB Key as a two-factor authentication
method to access my accounts. I also know that I have an easy backup solution for the times when I don't have my key like today when
I'm not at home in my own office. Google Authenticator or even SMS can be a lifesaver.
[Image: Google FIDO authentication]
Most people are going to use their phone as a passkey, though. You already have it, you spent a lot of money on it, and the company
you bought it from told you how secure everything about it is. Besides, Google makes it easy to use your phone because it wants you
to be even more reliant on your phone.
Ask yourself, though, might you ever lose your phone? That's where things aren't as easy.
Theoretically, all you need to do to re-enable your secure key is sign into your Google account with a new phone. Even the
"passwordless future" will still need a password, I guess. While I haven't been able to test this, I will say it probably works as
intended because it's the least complex part of the system — keep a backup of the important, but useless on its own, part in the
cloud to retrieve if you ever need it.
Hopefully, you aren't locked out of your Google account and can remember the actual password you were told you no longer need, and
you have a way to get an SMS from Google or sign in to an authenticator app. All without your phone in your hands. Lord help you if
your phone was stolen and someone hosed your account by trying to get into it too many times.
These are real issues that we hear about every day. It's already horrible to not be able to help someone get back into their account
where years of photos are stored. Having their logins for things from Netflix to their bank inaccessible while everything gets
sorted out is a nightmare.
Soon enough we'll all be using passkeys because we will have no choice. Before that happens I sure hope someone is thinking about
making the system more user-friendly.
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
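As an added illustration of the mechanism the article describes (a key generated in the phone's secure hardware, only the public half ever shared, and "unlock your phone" meaning the device signs a challenge from the site), here is a small Go model of passkey registration and login. It is not code from the article, Android Central, Google or the FIDO Alliance; the site names, the fixed challenge string and the simplified signed-data layout are constructed assumptions, and it shows that a credential made for one site does not verify at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the phone: one private key per site, generated on the device and never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a fresh credential for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the device's RNG failing is unrecoverable for a demo
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Assert is the "unlock your phone" step: sign the site's challenge with the key registered for that site.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData is a simplified stand-in for WebAuthn's rpIdHash || clientDataHash (an assumption, not the exact wire format).
func signedData(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rp[:], challenge...))
	return sum[:]
}

// Verify is the server side: it holds only the public key and checks the signature.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

// Demo registers one phone at two sites, signs site A's challenge, and reports whether A accepts it and whether B would.
func Demo() (okAtA, okAtB bool, err error) {
	phone := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pubA, pubB := phone.Register("a.example"), phone.Register("b.example")
	challenge := []byte("constructed challenge; a real site sends fresh random bytes")
	sig, err := phone.Assert("a.example", challenge)
	if err != nil {
		return false, false, err
	}
	return Verify(pubA, "a.example", challenge, sig), Verify(pubB, "b.example", challenge, sig), nil
}
```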