The rise of Passkeys as the next generation authentication method
For users, logging in to services and logging into their account online is part of everyday life. For a long time, this required traditional passwords, which are considered insecure and cumbersome. Passkeys are an alternative that simplifies many things and offers numerous advantages in everyday use for both users and companies or organizations.
Introduction: What are passkeys?
Authentication is necessary in the digital world to protect users' online services and accounts. Unfortunately, however, conventional methods such as passwords are often very cumbersome and user-unfriendly. They are even insecure, because phishing attacks have repeatedly been successful in the past in connection with password-protected accounts. Cryptographic keys are intended to remedy this situation and provide a more secure and easier-to-use alternative.
The key pairs can be seen as a kind of next-generation authentication method. However, the introduction of this technology also presents challenges that first need to be overcome.
Technical basics
Instead of classic passwords, cryptographic key pairs are used with passkeys. One of these is public and the other private. The aim is to implement a secure, convenient and efficient login process.
Public key infrastructure
The public key infrastructure (PKI) plays a crucial role in the functioning of the cryptographic keys. The key pairs are based on the principle of asymmetric cryptography, which is derived directly from the PKI. In this process, one key is stored on a public server, while the other private key always remains on the user's device. The PKI is used to generate these keys and store them. When the key is used, a server sends a so-called challenge to the user device. Authentication is only successful if this device can sign the challenge using the private key.
FIDO2 protocol
The standards and protocols required for implementing the passkey method are defined in FIDO2. This makes it possible to use the key pairs in different applications and on different platforms. FIDO stands for “Fast Identity Online”. It is an open standard developed by the FIDO Alliance. In addition to registering the keys and performing the login process, FIDO2 ensures that the passkeys can be used universally and therefore with a wide range of services on the internet. The protocol thus serves to establish the necessary interoperability.
WebAuthn
FIDO2 consists of two main components, one of which is WebAuthn (Web Authentication API). The W3C (World Wide Web Consortium) is responsible for developing this standard. This API makes it possible to authenticate yourself from a FIDO-enabled device using a cryptographic key. The task of WebAuthn is to create an interface between the respective authentication device, such as a smartphone, and the web browser. Secure and passwordless authentication is therefore possible directly in the browser. The supported authentication devices include external hardware tokens, such as those on a USB stick, and biometric sensors.
CTAP
CTAP is the second component that makes up FIDO2. It is responsible for communication between the authenticator, such as a USB security key, and the client device, such as a smartphone. The connection can be established using various methods, such as Bluetooth or NFC for near field communication. USB is also an option. CTAP should therefore be compatible with a wide range of devices and cover a wide range of use cases. Thanks to CTAP, anyone can log in to an online service using an external authentication device, securely and easily, without a password.
Advantages
Passkeys, with their asymmetric cryptography, offer a whole range of advantages for authentication and could therefore have a significant impact in this area.
Security
One of the most important advantages of cryptographic keys is protection against phishing attacks. Private keys can significantly increase resistance because they never leave the user's device. This thwarts phishing attacks at the outset. In addition, it is no longer possible for cybercriminals to steal passwords because they are not necessary. Brute force attacks are therefore also ineffective. Overall, this dramatically increases security during authentication processes.
User-friendliness
One of the key advantages of this authentication method, which is based on asymmetric cryptography, is that it is more user-friendly. After all, if you don't have to create passwords, you don't have to remember or manage them either. Signing in is much easier and there is no need to remember or manage complicated passwords. Authentication is much faster, which is particularly the case with facial recognition or fingerprint scanning. In addition, the technology can be seamlessly integrated into various devices and platforms. This makes it easier to create a consistent user experience across different services. Password resets and the associated cumbersome process are also a thing of the past.
Data protection
A key advantage for data protection is that the storage of private keys and, for example, biometric data is only done locally on the user's own device. The risk of data breaches is reduced if the data never leaves the local environment. Password databases are also no longer required. In the past, these were a favorite target of attackers because they were a central storage location for potentially valuable information. Thanks to the new technology, such massive thefts in connection with the compromise of databases are no longer possible. Furthermore, the amount of data that users have to share with various services is reduced. Authentication is now possible without the disclosure of sensitive data.
Challenges in implementation and adoption
One of the technological hurdles is that not all devices and platforms yet support cryptographic keys. Therefore, it may be necessary for companies and other organizations to upgrade their systems, which requires corresponding investments. It is also important to create the necessary acceptance among users. Therefore, it is important to keep the entry barriers as low as possible when implementing the technology. The habits of users when dealing with passwords should not be underestimated. Even if they may be cumbersome, many users may not know any other methods and therefore hesitate to switch to a different authentication method.
It should also be noted that logging in using the passkey method is no longer possible if the user loses their device. Mechanisms should therefore be in place to ensure that the keys can be restored or transferred to a new device in such a case.
Future prospects and possible effects on the IT security industry
In principle, the introduction of passkey technology has great potential for the IT security landscape and could fundamentally change it. The advantages in terms of easier use and greater efficiency in the login process are obvious. However, the use of this authentication method also means that a realignment of the security strategy could take place. From now on, the main focus will be on protecting the end devices, because this is where the private keys are stored, without which a login will not work. Phishing should no longer play a major role in the future. Instead, it can be assumed that cybercriminals will look for new vulnerabilities for their attacks and, for example, focus on manipulating the end devices. The industry must prepare for this.