I’ve lost count of how many RSA tokens, YubiKeys, and the like I’ve collected, lost, misplaced, replaced, and cursed over the years. While they’re exceptionally secure, they’re a pain for administrators to deploy and for users to keep track of. Either of those makes deploying them to customers challenging; once you add scale, hard tokens become impractical.
Alternatively, when we optimize for deployment, we have security questions. Security questions scale easily but rely on semi-public information (a mother’s maiden name, a first school) that an attacker can often look up or guess, making them a weak factor. SMS one-time codes are a stronger option that is still easy to deploy, but they depend on a phone number that is easy to discover, the codes can be phished and relayed in real time, and they expose our customers to SIM swapping (“SIM jacking”), where an attacker ports the number to a SIM they control.
So yet again, we’re left with the classic tradeoff in all things security: usability vs security.
This is where Passkeys become a powerful option.
What are Passkeys?
Passkeys are a public/private key pair where the private key stays on your device (or inside your authenticator or password manager) and never travels over the wire during the authentication flow; the server only ever holds the public key and a credential ID. Behind the scenes, Passkeys are FIDO2 credentials created and used through the WebAuthn API, which is widely supported in modern browsers, operating systems, and password managers.
In practice, when a user authenticates into your app, they’re given the option to enroll a Passkey as a multi-factor (or passwordless) alternative. If they accept, the browser asks the user’s authenticator to generate a key pair: the authenticator keeps the private key and returns the public key for your server to store. On each login the server sends a fresh random challenge, and the authenticator signs it together with the site’s origin, so the response is tied to both this login attempt and your domain. On mobile devices and laptops, the private key is typically unlocked with the device PIN or a biometric before it will sign anything.
Security vs Usability of Passkeys
From a security perspective, the public/private key approach gives us a credential that the end user can never accidentally share and that the application never stores in secret form, so a database breach on your side yields nothing reusable. More importantly, since the private key stays on the local device, compromising a user’s account requires access to the browser profile or the device itself rather than a leaked string. And because the browser binds each signature to the origin the user is actually visiting, a look-alike phishing domain cannot collect a response it can replay against your site. Either way, we have a strong authenticator with a much smaller risk profile.
On the usability side of the tradeoff, nearly every modern browser and mobile device already supports Passkeys without any additional extension or app. Further, the Passkey is generated and presented in just a couple of clicks or taps, so they’re suitable for limited-input touch devices like phones.
The major risk of Passkeys comes with synchronization. When you enroll a Passkey and synchronize it across your devices or profiles, you get a single, consistent, secure way to authenticate everywhere; how the Passkey moves between those places is where the risk lives. A Passkey can also live on a hardware security key used over USB or NFC; if that key is stolen or even just lost, its PIN is all that stands between the finder and your account, and you are locked out until you recover through another method. Alternatively, most password vaults - iCloud Keychain, Google Password Manager, 1Password, and the like - can back up and synchronize your Passkeys for you automatically, but then the vault account becomes part of your login’s trust boundary: whoever controls it controls every Passkey in it. However you choose to store and sync your Passkeys, make sure they are protected at every step of the way, and protect the syncing account at least as strongly as the accounts it unlocks.
Passkeys are Great but not Perfect
Passkeys still don’t solve all your problems. We’re still early in their adoption, so not every application supports them. Further, Passkeys don’t protect users with weak device passwords or PINs. If an attacker can get into your phone with the code 12345, there isn’t an approach - Passkeys, SMS, or an authenticator app - that will protect that user.
As you’re planning onboarding and authentication in your app, add Passkeys to your toolbox for a strong authentication option that doesn’t require you to re-architect your app, deploy physical hard tokens, or have your users download yet another authenticator app.
If you want to try out Passkeys in Pangea, check out our Passkeys docs to get started in minutes.