2023 will be a bad year for passwords.
By the end of 2023, Google, Apple and Microsoft will all have implemented passkeys, a password-less user authentication scheme. Most password manager apps will support passkeys by year-end.
This broad support will give websites and apps the option of using passkeys instead of passwords to govern access on Android, iOS, Windows 10 and Windows 11. Passkeys are already supported by the latest versions of Chrome, Safari, Firefox and Edge.
Many passwords are a security incident waiting to happen.
They are too easy to guess, share, steal, and reuse across multiple sites.
Even when individuals keep their passwords safe, that may not be enough. The organisations those passwords are entrusted to may drop the ball. Password leak alert service Have I Been Pwned has seen password hashes and/or passwords stolen from a huge range of reputable sites including LinkedIn, Dropbox, Tesco, Sony, Adobe, Kickstarter, Patreon, NVIDIA, MyFitnessPal, Avast, BitTorrent, Canva, Forbes, SHEIN, tumblr, Yahoo and Adecco.
Using a leaked password hash to guess the user’s password is becoming quicker and cheaper. Any eight-digit password hashed with bcrypt can be cracked within 48 minutes if the cracker has access to 8 Nvidia RTX 4090 graphics cards, costing around £1500 each.
Attempts to fix password problems by forcing greater password complexity and regular password changes make passwords harder to remember and fiddly to type. That may not be a problem for you – with your cross-platform password manager – but it’s a problem for many users.
Firms that take cyber security seriously have also had to add a second layer of authentication, so a password is no longer sufficient to gain access to important systems.
Passkeys are a long overdue initiative to eliminate such password problems.
Instead of asking the user to set a new password, websites can allow each user’s passkey manager to generate and store a passkey specific to that user and site. When the user wants to log on, no password will be needed. Instead, their device will ask them to confirm whether they want to log on to the named site. If so, they’ll be asked to prove their identity by supplying a fingerprint, a facial scan or by entering a PIN code.
The passkey scheme uses public-key cryptography: the site holds only the public key, and the user’s device proves possession of the matching private key, which is stored on the user’s local device and never sent to the site.
Users can access their passkeys on all their devices, with technology firms like Google/Apple/Microsoft arranging for passkeys to be copied between duly authorised devices.
In theory, no. In practice, yes, most of the time.
The user’s private key for the site/app is really ‘something they know.’ If the user proves possession of their device by entering a PIN code, that’s also ‘something they know’ – not a second factor.
However, most passkey login attempts involve two factors - a private key and a biometric scan of either the user’s fingerprint or face.
Where there is just one factor, there may be additional security behind the scenes that can provide additional reassurance.
High-end mobiles such as those from Apple and Samsung feature secure hardware modules that make it almost impossible for local malware to access private keys. The keys may be ‘something you know’ but the passkey manager will limit access such that possession of the private key is strong evidence of ‘something you have’ - one or more duly-enrolled device(s).
Passkeys can be shared among the user’s devices, so possession of the relevant private key isn’t proof that the user possesses a specific device. However, passkey managers from Apple/Google/Microsoft will likely perform device fingerprinting and additional verification checks before giving a new device access to a copy of existing passkeys. Attempts to transfer passkeys to a new device may generate email notifications to the user, warning them of the transfer. Users may need to supply their Apple/Google/Microsoft account password on the new device before being allowed to take a copy of the passkeys.
There are ongoing discussions over whether passkeys can be used in situations where two-factor authentication is mandatory. We suspect pragmatism will prevail. Current two-factor authentication implementations aren’t without security flaws already, such as susceptibility to phishing attacks involving reverse proxies, so it’s not as if it’s a downgrade from flawless security.
Ultimately, it’s very easy to implement passkeys so that they provide genuine two-factor authentication, by disallowing the use of PIN numbers and unlock patterns.
Google added support to Chrome on Windows, macOS and Android in late December 2022.
iOS 16 and macOS Ventura gained support for passkeys in autumn 2022.
Microsoft is expected to add passkeys support to Windows 10 and Windows 11 in 2023.
Major password managers are expected to support passkeys by the end of 2023 too.
We expect most websites and apps to ignore the existence of passkeys until after broad support is in place.
No. Initially, many websites are likely to offer passkeys as an alternative to password-based authentication.
As consumer awareness of passkeys grows, sites are likely to begin offering it as the default option for new user credentials.
The groups responsible are the FIDO (Fast ID Online) Alliance and the World Wide Web Consortium (W3C).
Passkeys is a consumer-friendly way of implementing the FIDO2 (open passwordless authentication) standard. FIDO2 combines W3C’s Web Authentication (WebAuthn) specification and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
Probably. All the main players are on board – including Apple, Google and Microsoft. There’s support from all major operating system creators, all major browsers and all major password management firms, most of which are FIDO Alliance members.
UK consumers are already used to similar cross-platform security checks. The EU’s latest Payment Services Directive (PSD2) introduced Strong Customer Authentication as a requirement. If you buy something on your laptop, you may need to approve the transaction on a different device – your mobile. Typically, your mobile banking app will ask you to prove your identity by supplying your fingerprint or face to be scanned. Once you’ve confirmed your identity to your phone’s satisfaction, you are asked to approve or decline the transaction.
A similar process is likely to become common for logging on to many major websites, especially those where you can buy, sell or trade.
It is in many companies’ interests to nudge new users towards passkeys and away from creating passwords, as passkeys fix three big security holes:
Password leaks are made less likely because the secret (the private key of the passkey) is never known to the web server being targeted by hackers.
Credential stuffing is less likely as each passkey is unique to a given site, so it can’t be used to gain access to other sites.
Phishing is less likely to succeed because there’s no password or one-time code to steal with a fake login page.
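The challenge-response exchange described in the passkey logon section above, and the three properties just listed (the server never holds the secret, one key per site, and assertions bound to the site’s domain), can be seen in one small simulation. The following Go program is an added example written for this page; it is not code from the FIDO Alliance, W3C or any passkey manager. It models a relying party (the website) and an authenticator (the user’s device) with P-256 ECDSA from Go’s standard library. The message that gets signed is a simplification of WebAuthn’s authenticatorData || SHA-256(clientDataJSON) (here SHA-256 of rpIdHash || challengeHash), and the type and function names, the user handle "alice" and the domains "example.com" and "examp1e.com" are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is all the relying party (the website) stores after registration:
// a credential ID and the public key. The private key never reaches the server.
type Credential struct {
	ID        []byte
	PublicKey *ecdsa.PublicKey
}

// RelyingParty models one website. rpID is the domain the passkey is bound to.
type RelyingParty struct {
	rpID  string
	creds map[string]*Credential // keyed by user handle
}

// Authenticator models the user's device / passkey manager: one key pair per rpID.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key (never leaves the device)
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, creds: make(map[string]*Credential)}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh P-256 key pair for this site (so each site gets a
// unique passkey) and hands back only the public half for the site to store.
func (a *Authenticator) Register(rpID string) (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Credential{ID: id, PublicKey: &priv.PublicKey}, nil
}

// StoreCredential records the user's public key on the relying party.
func (rp *RelyingParty) StoreCredential(user string, c *Credential) { rp.creds[user] = c }

// NewChallenge issues a fresh random challenge for each login attempt, so a
// captured signature cannot be replayed later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// signedMessage is the digest both sides sign/verify: SHA-256(rpIdHash || challengeHash).
// Simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	chHash := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(rpHash[:], chHash[:]...))
	return digest[:]
}

// Assert signs the challenge for the origin the browser reports. On a look-alike
// domain the browser reports that domain, so the device has no key for it (or
// signs under the wrong rpIdHash), which is what defeats a fake login page.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[originRPID]
	if !ok {
		return nil, errors.New("no passkey registered for " + originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(originRPID, challenge))
}

// Verify checks the assertion against the site's own rpID and the challenge it issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	c, ok := rp.creds[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(c.PublicKey, signedMessage(rp.rpID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	auth := NewAuthenticator()
	cred, _ := auth.Register("example.com")
	rp.StoreCredential("alice", cred)

	ch, _ := rp.NewChallenge()
	sig, _ := auth.Assert("example.com", ch)
	fmt.Println("genuine login verifies:", rp.Verify("alice", ch, sig))

	_, err := auth.Assert("examp1e.com", ch) // look-alike domain relaying the real challenge
	fmt.Println("look-alike domain:", err)
}
```

Running it prints that the genuine login verifies and that the look-alike domain cannot obtain an assertion at all. The design point is that the device, not the user, decides which key answers, and it decides from the domain the browser actually loaded, so the user cannot be talked into signing for the wrong site.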
The consumerisation of IT means that passkeys are likely to be adopted by consumer-centric services first – Google, Twitter, Instagram etc. Enterprise password managers and authenticators are likely to be upgraded to store passkeys in order to handle such credentials. Business-centric websites are likely to focus on offering single sign-on.
Although passkeys will improve security, they don’t protect against authorised users misusing their credentials, authorised users accidentally messing things up, or malware misusing devices after the user has logged on. Zero Trust Network Access (ZTNA) and regular data backups may come in handy in limiting the damage from such scenarios.