Two-factor Authentication Using Passkeys Experiment

Passkeys are gradually becoming more popular, as evidenced by a news article stating that "Passkeys can be used!" to log in to the services of major companies.

However, there are still few people who have used them, right?


YubiOn FIDO Logon, our product for strengthening PC login security, can use passkeys, so I will introduce specific operating procedures to answer the question "How can we use passkeys?".


However, the passkey can be used when logging in to the FIDO Logon management web screen, not for PC login authentication.

So, I will introduce how to log in to the management Web screen of FIDO Logon with a passkey.


About passkey

A passkey is an authentication method that replaces a password, and what was originally called "WebAuthn" has come to be collectively called "passkey" in recent years. It's a little confusing for those who have known FIDO for a long time, but I think that rather than using the term "WebAuthn", the intention is to spread a more acceptable term for the general public.


Please refer to other blogs for detailed information about passkeys.



This time, I will try a passkey that puts secret information on the cloud using an iPad without using an external authentication device such as a YubiKey. As for which cloud to use, Apple is a well-known provider that is available now, so I would like to try it.


How to use the passkey

■ Example when using on an iPad


I tried the method using AppleID, but unfortunately, I don't have an iPhone, so I tried using an iPad instead.


Test environment

Login target: Log in to the FIDO Logon management Web screen

PC: Laptop

※ The method to try this time uses the Bluetooth function, so it must be a model that can use Bluetooth.

OS: Windows 11 22H2

Browser: Edge (Version: 111.0.1661.54)

iPad Pro: iPadOS 16.2


Using Apple ID

・Passkey registration


Just like when using Android, register to use the passkey.


Open Edge on your PC.


Log in to the FIDO Logon management Web screen and open "User Settings" from the name display on the upper right.

Click the plus button on the top right to start the add operation.

Click "OK" on the confirmation message.

[Screenshot: Start setup]

YubiOn FIDO Logon will by default show a security key setup popup, but this time we don't use a device, so click Cancel.

[Screenshot: Cancel security key]

The passkey creation method selection is displayed.

Select "A different device".

[Screenshot: Select a different device]

A QR code for registration will be displayed on the screen.

Scan this QR code with your iPad.

[Screenshot: QR code display]

Scan with your iPad's standard camera app.

When you scan, a message will be displayed at the top, so touch it to proceed.

※ Since the iPad's standard camera app has a QR code reading function, you don't need to use a separate app.

[Screenshot: iPad camera app]

You will be asked to sign in with AppleID, so authenticate with TouchID and proceed.

TouchID

Authentication of the TouchID on the iPad was successful.

At this point, the passkey private information is stored in Apple's cloud.


When you return to your browser on your PC, you will see a successful registration pop-up.

[Screenshot: Registration complete]

Enter a name for the registered information.

[Screenshot: Name the assignment]

Passkey registration is now complete.

Next, try to log in with the registered passkey.


・Authenticate with passkey


Log out from the management Web screen once and display the login screen.

On the login screen, enter your email address and click the confirm button.

[Screenshot: Login screen]

The security key request is displayed by default, so click Cancel.

[Screenshot: Security key prompt]

In the case of the iPad, it does not appear in the list, so select "A different device" here as well.

[Screenshot: Select a different device]

A QR code will be displayed, so read it again with your iPad.

[Screenshot: Scanning the QR code]

Launch the camera app on your iPad and scan the QR code.

After reading, tap "Sign in with passkey" displayed at the top.

[Screenshot: Scanning the QR code with the iPad]

Authenticate with Touch ID.

[Screenshot: Apple authentication operation]

After the authentication of the smartphone, the login is successful.

Authentication using the passkey was successful on the iPad as well.


・Supplement (Operation on iPad browser)


I will also check the operation on the browser of the iPad.


When registering on the iPad browser


I opened Safari on my iPad and tried to register from the YubiOn FIDO Logon Management Website.

As a result, I was unable to register.


When I try to register, there is a selection for registration with the iPad, so I choose it.

[Screenshot: Registering in Safari]

Next, a QR code is displayed, but since the QR code is displayed on the iPad, it is not possible to read the screen of the iPad itself and proceed further. It would be nice to be able to launch another app in this state, but it's canceled when pressing the home button, so there's nothing I can do about it...

There may be some way, but I couldn't register this time.

[Screenshot: QR code display]

When logging in on the iPad browser


If you have already registered, you will automatically be prompted to log in using your passkey when you log in.

You can log in by TouchID.

[Screenshot: Login operation]

 

■ Example when using on an Android smartphone


In the case of Android smartphones, because of how our implementation works and differences between Android versions, there is currently no way to check whether the private information is stored in the cloud. ※ This is expected to be supported in a future version upgrade.

However, the operation itself is almost the same as the iPad, so I will also introduce this pattern.


This time I tried in the following environment.

※ Please note that the display may change depending on the conditions when trying (browser account login status, etc.).


Test environment

Login target: Log in to the FIDO Logon management Web screen

PC: Laptop

※ The method to try this time uses the Bluetooth function, so it must be a model that can use Bluetooth.

OS: Windows 11 22H2

Browser: Edge (Version: 111.0.1661.54)

Do this while logged into your Google account.

Android smartphone: Android 13

Use a smartphone that is registered with the same Google account that you used on your PC.


・Passkey registration


First, let's register to use the passkey.


Open Edge on your PC.

※ At this time, you are logged into your Google account.


Log in to the FIDO Logon management Web screen and open "User Settings" from the name display on the upper right.

On this screen, you can set two-factor authentication for logging in to the management Web screen.

By the way, authentication devices such as YubiKey can also be set here.

[Screenshot: User settings]

Click the plus button on the top right to start the add operation.

Click "OK" on the confirmation message.

[Screenshot: Start setup]

YubiOn FIDO Logon will by default show a security key setup popup, but this time we don't use a device, so click Cancel.

[Screenshot: Cancel security key]

The passkey creation method selection is displayed.

Select "A different device".

※ This time I'm trying on Edge. Chrome and Edge have this option, but Firefox doesn't seem to.

※ If you have already registered a smartphone device, the device name will be displayed in the list. In this case, you can skip scanning the next QR code and proceed to the registration operation.

[Screenshot: Select a different device]

A QR code for registration will be displayed on the screen.

Scan this QR code with your smartphone.

[Screenshot: QR code display]

Read the QR code with an app that can read it.

If your standard camera has a QR code reading function, you can use it without any problem.

The behavior after reading changes depending on the application.

※ In the case of the QR code reading application (standard camera app) that I am using, after reading, select "Open in browser" to proceed to the next step.

[Screenshot: Scanning the QR code]

A confirmation message is displayed.

Tap "Allow" to proceed.

[Screenshot: Smartphone after scanning the QR code]

At this time, the smartphone authentication operation (fingerprint, pattern, etc.) is performed.

Proceed after authentication succeeds.

[Screenshot: Device connection]

The authentication on the smartphone was successful.

This time, since I used the latest Android version, the private information of the passkey is saved in Google's cloud. But in the case of the older versions, the private information will be saved on Android, although the registration operation is the same.

Also, it seems that the information of the smartphone device is also registered in the Google account of Chrome (or Edge), and the next time, the name of the registered smartphone will be displayed in the list.

Therefore, it was not displayed when operating Chrome (or Edge) in guest mode.


When you return to your browser on your PC, you will see a successful registration pop-up.

[Screenshot: Registration complete]

Enter a name for the registered information.

[Screenshot: Name the assignment]

Passkey registration is now complete.
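
The registration notes above say that newer Android versions save the passkey's private information in Google's cloud while older ones keep it on the device. As an added example (not YubiOn's code and not part of the original article), this is how a relying party can read that distinction from the backup-eligible (BE) and backup-state (BS) flags in WebAuthn authenticator data. The RP ID `rp.example.test` and the sample bytes are constructed for illustration.

```javascript
// Added example: decode the fixed 37-byte header of WebAuthn authenticator
// data and classify the credential by its backup flags (BE/BS).
const crypto = require("node:crypto");

// Bit masks of the flags byte at offset 32.
const FLAG = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = {};
  for (const [name, mask] of Object.entries(FLAG)) {
    flags[name] = (buf[32] & mask) !== 0;
  }
  return {
    rpIdHash: buf.subarray(0, 32),   // SHA-256 of the RP ID
    flags,
    signCount: buf.readUInt32BE(33), // big-endian signature counter
  };
}

function classifyCredential(authData, expectedRpId) {
  const { rpIdHash, flags } = parseAuthenticatorData(authData);
  const expected = crypto.createHash("sha256").update(expectedRpId).digest();
  if (!crypto.timingSafeEqual(rpIdHash, expected)) return "rejected: rpIdHash mismatch";
  if (!flags.UP) return "rejected: user presence not asserted";
  if (flags.BS && !flags.BE) return "rejected: BS set without BE"; // invalid combination
  if (flags.BE && flags.BS) return "synced";          // private key is backed up
  if (flags.BE) return "backup-eligible";             // may sync, not backed up yet
  return "device-bound";                              // key stays on this device
}

// Constructed sample input: RP ID hash + flags byte + zero signature counter.
function sampleAuthData(rpId, flagBits) {
  const hash = crypto.createHash("sha256").update(rpId).digest();
  return Buffer.concat([hash, Buffer.from([flagBits, 0, 0, 0, 0])]);
}

const RP_ID = "rp.example.test"; // hypothetical RP ID, not a real service
console.log(classifyCredential(sampleAuthData(RP_ID, 0x1d), RP_ID)); // UP|UV|BE|BS
console.log(classifyCredential(sampleAuthData(RP_ID, 0x05), RP_ID)); // UP|UV
```

The result depends on the authenticator reporting these flags, so a relying party that wants to record the storage location needs to read them when it verifies the response.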

Next, try to log in with the registered passkey.


・Authenticate with passkey


Log out from the management Web screen once and display the login screen.

On the login screen, enter your email address and click the confirm button.

[Screenshot: Login screen]

The security key request is displayed by default, so click Cancel.

[Screenshot: Security key prompt]

Since the registered smartphone name is displayed, select it.

※ This option is not available when you are not logged in to your Google account, such as in Chrome guest mode.

Even in that case, you can proceed with authentication by selecting "A different device" and reading the QR code in the same way as when registering.

[Screenshot: Device selection]

You will then see a message that a notification has been sent to your smartphone.

[Screenshot: Notification sent to the device]

When you check your smartphone, there is a notification.

[Screenshot: Notification on the smartphone]

If you open the notification and proceed to the next step, the smartphone will ask for authentication.

[Screenshot: Connecting to the smartphone]

After the authentication of the smartphone, the login is successful.

Authentication using the passkey is now successful.


・Supplement (Operation on Android smartphone browser)


I logged in to YubiOn FIDO Logon with a PC browser, but I will also touch on the case of logging in with the Android smartphone's own browser.


When registering on the smartphone browser


When registering using a smartphone browser, the passkey cannot be registered because the option to register a different device does not appear in the selection.

[Screenshot: Security key selection]

When logging in on the smartphone browser


If you open the browser and log in with a smartphone that has already been registered from a PC, it is possible to authenticate with a passkey.


This varies depending on the implementation on the service (RP) side, but in the case of YubiOn FIDO Logon, the security key is displayed with priority. However, in the case of Android smartphones, even if you cancel the security key selection, a different device selection will not be displayed, so you cannot register anything other than the security key.

However, if the passkey has been registered, the passkey is automatically selected, so you can authenticate with the passkey during authentication.

I think this is a difficult point to understand because the behavior changes depending on the implementation on the RP side and the device (browser) used. I tried it and got very confused.

 

Summary

By using an iPad or smartphone, I was able to log in to the YubiOn FIDO Logon management Web screen using a passkey.

This was an example of logging in to our service, but if the service you are using supports passkeys, please give it a try. Since the passkey does not use a password, there is less time and effort to type, and the security strength can be increased, so I think it is especially easy to use if you do not have a security device.

The adoption rate of passkeys is expected to increase in the future, and it is expected that they will be used in various services and sites without users being aware of it.


However, at the moment, there are parts of the OSes and browsers that have not been unified yet, and the display may change depending on the operation method, so we need to be careful until the specifications in this area are solidified.


As a member of the FIDO Alliance, we would like to continue to provide passkey information to everyone, so please continue to support us.


For details on YubiOn FIDO Logon, introduced in this article, please check the product introduction page.


Thanks for reading until the end.
