Recently, the word "passkey" has been appearing in IT-related news. It is a hot topic in the security community, but I don't think the general public understands it yet. To be honest, I can't say I understand the whole picture myself either, but I would like to explain it as a summary of my current understanding.
■ What is a passkey?
Passkey is a general term for new web authentication technology that replaces passwords. The word "passkey" itself currently has multiple scopes, which makes it hard to grasp, but broadly speaking, what used to be called "WebAuthn" has come to be called "passkey". First of all, I think the quickest way in is to experience a passkey (= WebAuthn) in this broadest sense, so I will introduce a demo site and explain how it works.
"WebAuthn.io"
You can experience user registration and user authentication using WebAuthn on this site. Feel free to try it out.
■ Try passkeys "in the broadest sense" (WebAuthn)
First, let's register. Enter a username and click "Register" to display the registration popup. From this point on, the behavior varies depending on the browser, the OS, and the OS login (logon) state, so please treat what follows as one example only. I am using Windows 11 with the latest Edge, and I log on to Windows with my Microsoft account.
In my case, I have three options:
(1) External security key or built-in sensor: authentication via a FIDO2 security key or Windows Hello (on Windows).
(2) [Smartphone name] (an Android device logged in to the same Google account in Chrome, linked by the same mechanism as (3)): For this test I was mainly logged in with a work Google account, and the work profile is set up only on the smartphone I normally use. Probably for that reason, the name of that smartphone was displayed by default. If you select this, the operation of (3) is performed without reading a QR code.
(3) A different device: a method of using another smartphone as an external security key. Read the QR code on the screen with the smartphone's camera and authenticate with the smartphone's lock-screen authentication. The smartphone must also support this function; I confirmed it myself on iOS 15 and Android 13 or later. Even when the OS supports it, the authentication relay may not work depending on the camera application, so if it does not work, it is worth trying several camera applications.
(1) corresponds to so-called FIDO2 authentication, and (2) and (3) correspond to Hybrid authentication (formerly known as caBLE) within FIDO2 authentication. Hybrid authentication is explained in a digression below.
For now, let's register with a Windows Hello PIN, one of the FIDO2 authentication methods (you need to set the PIN in advance from Windows Settings → "Accounts" → "Sign-in options"). This is the PIN mechanism explained in the article "Differences Between Password and PIN", seen in actual operation.
Click "External security key or built-in sensor".
When the PIN input screen is displayed, enter the set PIN.
Registration has been completed!
Then let's try authentication. The username should still be filled in from registration, so just click "Authenticate".
Enter your PIN.
Authentication succeeded!
The reason these PINs are not sent to the server during registration or authentication is as explained in "Differences Between Password and PIN": what is transmitted is authentication information protected by the TPM (security chip), which makes it far more resistant to attacks over the network than password authentication.
(quoted from "Differences Between Password and PIN")
This time I tried registering and authenticating with a PIN as an example, but as you can see from the multiple options offered at registration, "passkey" supports various authentication methods:
Various authentication methods supported by the OS (PIN, fingerprint, face authentication).
External security key authentication (PIN/fingerprint authentication on the security key side).
Authentication by smartphone (PIN, fingerprint, face authentication on the smartphone side).
All of these methods meet the requirements of multi-factor authentication, and as in the PIN example, the authentication factors themselves (the PIN, fingerprint data, etc.) never flow over the network, so they constitute a sufficiently strong authentication mechanism.
The mechanisms explained so far are no different from the technologies that have already been implemented under the names "WebAuthn" and "FIDO2". At the start I said that the word "passkey" has multiple meanings, and the explanation up to this point covers only the passkey in the "broad sense". Next time, I will explain the "narrow sense" of the word "passkey", the core part that the OS vendors (Apple, Google, Microsoft) are implementing.
■ Digression ①: Phishing resistance
Phishing resistance is one of the mechanisms that WebAuthn/FIDO2 has implemented since before the term "passkey" existed. Many people have heard of "phishing scams"; put simply, phishing is a scam that leads you to a fake site with a similar URL and makes you enter your authentication information there, in order to steal your account, information, money, and so on.
WebAuthn is resistant to such phishing attempts. Because a password is typed by the user, it may be entered carelessly even on a site whose URL (domain) differs from the real one, and the authentication factor (here, the password) is then handed to a malicious third party. WebAuthn, in contrast, always checks the domain name mechanically and releases the authentication information (the result) only to the matching site. Neither your authentication factors nor your authentication information is ever passed to a third party.
At present the damage caused by phishing shows no sign of decreasing, but as passkeys spread, account hijacking through fake sites is expected to be considerably suppressed.
■ Digression ②: Hybrid authentication (former name: caBLE)
Hybrid authentication, as briefly explained above, is a mechanism that uses another device such as a smartphone as an external security key. In the case of Google Chrome, there are two forms: authentication with an Android device logged in with the same Google account, and device authentication using a QR code. As the "BLE" in the old name suggests, both methods ultimately connect the devices via BLE (Bluetooth Low Energy) to exchange authentication information. Android device authentication for the same account has been supported since Chrome version 94 (2021/09/21), and Hybrid authentication using a QR code since version 100 (2022/03/29). It can be used not only with Android devices but also with third-party products such as iPhones, once the latest updates are applied.
When it comes to authentication with smartphones, one-time password authentication by SMS is common. SMS authentication, however, has a weakness: because the one-time password is delivered even when the smartphone is in a remote location, the authentication can be broken if an attacker can read the SMS in some way. In Hybrid authentication, on the other hand, the device being authenticated and the smartphone doing the authenticating communicate at short range via BLE, so the "possession" factor is reliably satisfied, and the "knowledge" or "inherence" factor is confirmed by the OS authentication mechanism on the smartphone side. Together these give strong multi-factor authentication.
Continue to the next part.