Passkey Verification
Passkey verification, built on the FIDO2/WebAuthn standards, is starting to move away from bespoke network access products towards general Internet sign-in. It is supported by iOS 16, recent versions of Android and the major browsers. Apple plans to assign every Apple ID a passkey automatically with the release of iOS 17 and macOS Sonoma.
Passkeys combine hardware and software. The private key is held in hardware-backed secure storage built into more recent iPhones and Android devices; on a PC it lives either in the platform's own secure hardware (for example Windows Hello backed by a TPM) or on a separate USB FIDO security key, provided the operating system and browser support it. Not surprisingly Google, as the origin of Android and Chrome, is pushing passkey support. This is not a solution for re-purposed older devices, and it might be seen as an ingress of new technology that will swiftly make older devices redundant.
The crux of the solution is that, when a passkey is registered, the device generates a public/private key pair for that one site: the site keeps the public key and the private key never leaves the device. Each later sign-in is the device signing a fresh random challenge from the site, which the site checks against the stored public key. The signature is also bound to the site’s origin, so a passkey registered with one site cannot be used to sign in to a look-alike phishing site. Because it is the device that holds the key, any passkey solution also needs to make sure that the authorised user is the one operating it. On a phone that will be the passcode or biometric used to unlock the device. On a computer some additional verification is needed, such as a PIN, password or fingerprint reader. This protection is required to prevent theft or fraud of the hardware device, but it does mean that the solution cannot be completely password-less: no password is ever sent to the website, but a local unlock is still required. Kindus’ warning on ‘shoulder surfing’ specifically applies here. There is some compensation that a single device unlock covers all sites that the passkey is used to access. A passkey synced through the platform account (iCloud Keychain or Google Password Manager) is transferable between compatible devices on the same account; for example a replacement phone with the same operating system and account would pick up the key details from the original. A passkey held on a separate USB security key is bound to that key and does not sync.
For the present there are relatively few online sites that accept a passkey. One notable inclusion is PayPal. With Google on board, the numerous websites that allow sign-in through a Google account are effectively covered, since the Google account itself can be protected by a passkey. Passkey activation is not automatic. A user will need to sign in to a supported website (almost certainly through an existing password-based account) and register a passkey from a supported device. Future log-ins will then work through the passkey process.
Losing the device that holds the passkey means losing access to every account it signs in to. So any passkey system is going to need a means to recover access and set up the same access on a replacement device. This will be some variant of a support website with a traditional password, passphrase or recovery code to recognise the valid owner. There is no easy way around this, and any details required to reset passkeys need to be kept especially safe and not lost. Users who lose them would be in a similar situation to cryptocurrency holders who have lost the access and backup credentials to their currency: the funds are perfectly safe but useless because they cannot be spent. The recovery path is also where an attacker will now aim, because the passkey itself resists phishing. Theft of the backup credentials, for example through phishing or malware, could allow a criminal to reset the account and register a passkey on their own device. These are factors that will affect almost any ‘secured’ remote access system. There will always be an ultimate responsibility on the end user to take reasonable care of their account access details.