In Part 1, I introduced passkey "in a broad sense", a mechanism originally called WebAuthn. This time, I will explain the passkey "in the narrow sense". It will be the story of the "?" part in the figure below.
(Click to enlarge)
■ Secret stash and its associated problems
In the passkey (WebAuthn) authentication introduced so far, the authentication factor (secret information) so not flow over the network, and only authentication information (result) is exchanged. That's not to say that there are no secrets, but there is data called a "private key" that is used when creating authentication information. The private key must be stored all the time for authentication. Let's draw a diagram of where the authentication method that has been explained so far is stored.
(Click to enlarge)
In the case of in-device or smartphone authentication, secret information is stored in the TPM of the device. Also, the security key itself is like a TPM, so the secret information is stored in the key as it is. There are some minor differences, but what they all have in common is that they are all factors of "possession" and that "the private key stored inside cannot be taken out (*1)".
If you have a keen intuition, you may have guessed from the story so far, but with this mechanism, re-registration of authentication is required when replacing or buying a new device. As a method of re-registration, for example, you can add the authentication information of the new device by logging in with the device for which the authentication information is currently registered. However, regardless of the external security key, it is troublesome to prove that the login on the old device and the registration on the new device is the same users for PCs and smartphones with a built-in TPM in the device(*2). Also, in general, when replacing a smartphone, there are many cases where the old device is taken over and the new device is obtained, and at the same time, there may be cases where there is no time to have the old device and the new device.
(*1) TPM (or security key) internally creates a "private key" and a "public key" used to verify whether the information is created with the private key when registering, and only the "public key" is returned as data. During authentication, the private key is used internally and only the authentication information is returned, so the private key is not extracted from the TPM.
(*2) If hybrid authentication can be used, it is possible to perform Hybrid authentication using the old device from the new device, log in once, and then register the new device. If Hybrid authentication cannot be used, you can think of a method such as logging in with the old device and issuing a temporary URL for registering the new device.
■ Share private key between devices (multi-device FIDO credential)
All of the methods I've talked about so far involve having the private key in some physical device. And, as a common problem, it turned out that there was a problem that re-registration was necessary when replacing the device.
The mission of the FIDO Alliance, to which our company belongs, is to contribute to "reducing the world's overdependence on passwords". But even if you create a strong authentication mechanism that replaces passwords, general users will not introduce it if its convenience is low. Therefore, we came up with a mechanism called "Multi-device FIDO Credential (MDC)" that shares the private key between devices. This is the "narrow sense" of the passkey that I have been talking about since part 1.
(Click to enlarge)
As shown in the diagram above, the private key of MDC is stored on a server on the Internet. When there is an authentication request, the server on the cloud will output the authentication information as same as what was done by the TPM or security key in other examples. The company that provides this cloud-based mechanism is called a "passkey provider".
By doing this, the existing authentication can be used on new devices without complicated operations when replacing or buying new devices. Currently, Apple, Google, and Microsoft, which provide major OSs, are actively implementing MDC. On the other hand, because it is a new technology, many issues can be seen, and various discussions are underway centering on the FIDO Alliance.
■ Try the "narrow sense" passkey (Multi-device FIDO credential)
Apple products are one step ahead when it comes to implementing MDC. I would like to try MDC using a mac and iPad. Both are currently updated to the latest OS and logged in with the same AppleID. Both use Safari browser.
Access webauthn.io using Safari on your mac, enter your username in the same way as when you used PIN and click "Register", you will be prompted for Touch ID. (The required authentication is different depending on the model and setting status.)
Follow the on-screen instructions to authenticate your fingerprint to complete the registration.
Next, open the webauthn.io page in the same way with Safari on your iPad.
Actually, it will remember the username you entered, so tap "Authenticate" without entering anything.
Follow the on-screen instructions to perform fingerprint authentication with Touch ID.
As you can see, the authentication information set on the mac side can be used on the iPad side beyond the boundaries of device.
■ Summary
So far, I have explained about "passkey", but how was it? I think I was able to convey to some extent the form of evolution from "password" to "passkey". Because it has not been long since the passkey was announced, there are still many issues to be addressed, such as the need to support OS, browsers, and WEB applications, the search for an easy-to-understand use interface, and the detailed examination of specifications. However, I feel that the goal of "A world without passwords" is just around the corner. I would like to accelerate this trend and aim for safer and easier-to-use authentication.
■ Digression: Regarding the definition of the word "passkey"
At this time, it is not clear what exactly the term "passkey" refers to. In this blog, I have selected and explained what I belive to be correct within the scope of the information I have. In this series of blog posts, we take the stance that "passkey" means "WebAuthn" or "FIDO authentication" in a broad sense, and "multi-device FIDO credential (MDC)" in a narrow sense. On the WEB, we often see cases where the Hybrid authentication part is called a "passkey".
Regarding the definition of this notation, the FIDO Alliance described it in a white paper published in March 2022 as follows:
Note that some companies are calling FIDO credentials “passkeys” in their product implementations, in particular when those FIDO credentials may be multidevice credentials.
Note that any use of the term “passkey” in this document refers to such third-party usage of the term and is not a formal term of FIDO Alliance or its specifications.
In other words, the FIDO Alliance does not define the terms Passkey or Passkeys. (If there is a story such as a clear definition in subsequent presentations, please let me know.)
As a engineer like myself, I don't like words with vague definitions. But on the other hand, I think that the word "passkey" is very easy to understand as a term used to convey to many non-computer engineers that "it's a new type of authentication that replaces passwords". We hope that the word "passkey" will spread FIDO authentication technology around the world, and we hope that we can help.
■ Reference link:
[Experimental site]
WebAuthn.io
[FIDO Alliance]
White Paper: Multi-Device FIDO Credentials (FIDO Alliance)
[Each company's opinion]
Security of Passkeys in the Google Password Manager (Google)
About the security of passkeys (Apple)