Passkey Verification

Passkey verification is starting to move away from bespoke network access solutions to a wider Internet access model.  It is supported by iOS 16 together with some versions of Android and browser software.  Apple plan to automatically assign users passkeys in the release of iOS 17 and macOS Sonoma.

Passkeys are a combined hardware and software solution to security.  The hardware is built into more recent iPhones and Android devices but is accessed through a USB FIDO Security Key on PCs where the operating system and browser are able to support it.  Not surprisingly, Google, as the origin of Android and Chrome, is pushing passkey support.  This is not a solution for re-purposed older devices and might be seen as an ingress of new technology that will swiftly make older devices redundant.

The crux of the solution is that a specific hardware device is signed and cryptographically secured as a trusted connection.  As it is the device that has access, any passkey solution also needs to make sure that it is the authorised user who is accessing it.  In the case of a phone that will be by the keycode or biometric method used to unlock the device.  For a computer some method of additional verification will be needed, such as a password.  This sort of protection is required to guard against theft or fraudulent use of the hardware device, but it does mean that the solution cannot be completely password-less.  Kindus’ warning on ‘shoulder surfing’ specifically applies here.  There is some compensation in that a single password or biometric sign-in will cover all sites that the passkey is used to access.  The passkey itself is transferable between compatible devices and accounts.  For example, a replacement phone with the same operating system and account would pick up the key details from the original.

For the present there are relatively few on-line sites that a passkey can be used on.  One notable inclusion is PayPal.  With Google on-board the numerous websites that allow sign-in through a Google account will be supported.  Passkey activation is not automatic.  A user will need to access a supported website (almost certainly through an existing password-based account) and register the passkey with its supported device. Future log-ins will then work through the passkey process.
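The register-then-sign-in flow described above can be modelled in a few lines. This is an added example, not code from Kindus or from any passkey vendor, and it is a simplified model rather than the real WebAuthn API: the Device and Site classes, the userUnlocked flag and the example.test addresses are all assumptions made for illustration.

```javascript
// Simplified passkey model (assumption: NOT the real WebAuthn API).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Data that gets signed: the site's address plus the site's one-time challenge.
const payload = (origin, challenge) => Buffer.concat([Buffer.from(origin), challenge]);

// The device keeps one private key per site and signs only after the user unlocks it.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey); // private key stays on the device
    return publicKey;                  // only the public key is sent to the site
  }
  signIn(origin, challenge, userUnlocked) {
    const key = this.keys.get(origin);
    if (!key || !userUnlocked) return null; // no passkey for this site, or device locked
    return sign('sha256', payload(origin, challenge), key);
  }
}

// The website stores the public key at registration and checks a signature at log-in.
class Site {
  constructor(origin) { this.origin = origin; this.accounts = new Map(); this.pending = new Map(); }
  enrol(user, publicKey) { this.accounts.set(user, publicKey); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verifyLogin(user, signature) {
    const publicKey = this.accounts.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted once only
    if (!publicKey || !challenge || !signature) return false;
    return verify('sha256', payload(this.origin, challenge), publicKey, signature);
  }
}

function demo() {
  const site = new Site('https://shop.example.test'); // constructed sample site
  const phone = new Device();
  site.enrol('alice', phone.register(site.origin));   // one-off registration
  const ok = site.verifyLogin('alice', phone.signIn(site.origin, site.newChallenge('alice'), true));
  const locked = site.verifyLogin('alice', phone.signIn(site.origin, site.newChallenge('alice'), false));
  const otherSite = phone.signIn('https://other.example.test', site.newChallenge('alice'), true);
  const old = phone.signIn(site.origin, site.newChallenge('alice'), true);
  site.verifyLogin('alice', old);                      // first use of this signature succeeds
  site.newChallenge('alice');
  const replayed = site.verifyLogin('alice', old);     // reusing it later must fail
  return { ok, locked, otherSite, replayed };
}
```

The site never holds anything that can be used to sign in as the user, and a signature produced for one log-in is rejected when reused against a later challenge.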

Losing control of a single point of signing on would lose access to the related account.  So any passkey system is going to need a means to recover it and set the same access to a replacement device.  This will be some variant of a support website with a traditional password or passphrase to recognise the valid owner.  There is no easy way to get around this, and any details required to reset passkeys need to be kept especially safe and not lost.  Users would be in a similar situation to cryptocurrency holders who have lost the access and backup credentials to their currency.  Although those funds would be perfectly safe, they are useless because they cannot be spent.  Theft of the backup credentials, for example through phishing or malware, could allow a criminal to reset an account using their own information.  These are factors that will affect almost any ‘secured’ remote access system.  There will always be an ultimate responsibility on the end user to take reasonable care of their account access details.
