Passkeys—Microsoft, Apple, and Google’s password killer—are finally here

Big Tech has insisted for years that the password is about to die. For a long time those assurances were empty: the alternatives introduced as many security and usability problems as they solved. Now a password alternative that actually works is finally here.

Passkeys are that alternative. The concept has been around for more than a decade, but only now have Microsoft, Apple, Google, and the other members of the FIDO Alliance rallied around a single passkey standard. Passkeys are resistant to credential phishing and the account-takeover attacks that follow from it, and they are easier to use than passwords.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress.com among the online services that offer the password alternative. Since the beginning of the year, Microsoft, Apple, and Google have all updated their operating systems to support passkeys. That support is still uneven: a passkey created on a phone can be used to sign in on Windows, for instance, but the reverse isn't yet available. All of that should be ironed out in the coming months.

What, exactly, are passkeys?

Passkeys work almost identically to the FIDO authenticators that let us use our phones, laptops, desktops, and Yubico or Feitian security keys for multi-factor authentication. Just like the credentials stored on those MFA devices, passkeys are invisible to the user and integrate with Face ID, Windows Hello, or whatever biometric reader the device maker offers. The private key is generated and held inside the authenticator, and there is no way to retrieve it short of physically dismantling the device or subjecting it to a jailbreak or rooting attack.

Even if an adversary were able to get at the authenticator, they would still have to supply the PIN or biometric (a fingerprint, facial scan, or iris scan) that unlocks it before it will sign anything. When a phone is used to sign in on another device, FIDO's Cross-Device Authentication flow also checks, over Bluetooth, that the phone holding the key is physically near the device that is trying to log in, so the credential can't be borrowed from afar.

FIDO-based security keys have mostly been used for multi-factor authentication, which requires one or more factors of verification in addition to the correct password. The additional factors FIDO offers typically take the form of something the user has, such as a phone or computer with a hardware token, and something the user is, such as a fingerprint or facial scan.

So far, attacks that defeat FIDO-compliant MFA have been in short supply. An advanced credential phishing campaign that recently breached Twilio and other companies, for instance, failed against Cloudflare for one reason: unlike the other targets, Cloudflare used FIDO-compliant hardware tokens, which were immune to the phishing technique the attackers used. The victims that were breached all relied on weaker forms of MFA, such as one-time codes that a phishing site can relay to the real login page as the user types them.

Whereas hardware tokens provide one or more additional factors, passkeys rely on no password at all; they roll the factors into a single package. The operating system manages the passkeys and, if the user chooses, syncs them through a cloud service from Apple, Google, Microsoft, or another provider.

Passkeys are also "discoverable": the authenticator stores each credential under the site's identifier and can find it on its own, so the site doesn't need a typed username to know which key to ask for. And because a synced passkey is present on every enrolled device, the user signs in with the same biometric or device PIN they already use to unlock the device, whether the key is used locally or reached from a phone through the cross-device flow. The net effect is that the traditional username and password are replaced by a single unlock gesture.

Andrew Shikiar, FIDO's executive director and chief marketing officer, said that users don't need to enroll each device for each service. "To enable the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is pre-enrolled for that service on all of their other devices. This will allow the service provider to retire passwords as a means of account recovery and re-enrolling, which is very significant."

Ars Review Editor Ron Amadeo summed things up well last week when he wrote: "Passkeys just trade WebAuthn cryptographic keys with the website directly. There's no need for a human to tell a password manager to generate, store, and recall a secret—that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."