How Brave Are You? Passkeys Entering Mainstream Slowly

Last week Google announced support for Passkeys. This week Amazon quietly announced support for them.

So what are passkeys anyway?

Passkeys are a replacement for passwords, built on the open FIDO2/WebAuthn standards. When you enroll, your device (phone, tablet, computer) creates a public and private cryptographic key pair. The public key, which is not a secret, is sent to the web site to keep; the private key stays on your device. Each web site gets its own key pair, and the credential is bound to that site's domain. This means that if Site A (for Amazon 🙂 , maybe) is compromised, Site G (for Google, maybe) is not affected, and a look-alike phishing domain cannot use your passkey either. Also, since the only thing the web site holds is a public key that works only for that site, it has no secrets database to leak: a stolen public key does not let anyone log in. In theory, all of this is handled behind the scenes.

One part of the security is that the private key is controlled by you. If you don't synchronize those keys between devices (which makes things far less useful), that private key never leaves your device. Even if you do synchronize them, the major sync services (Apple's iCloud Keychain, Google Password Manager) encrypt them end to end, and using a passkey still requires your PIN or biometric on each device, so they are probably still secure.

When you are ready to log in, the web site sends your browser a random, one-time challenge. Your device signs that challenge (together with the site's identity) using the private key, which only you have, and the browser sends the signature back to the web site. The web site verifies the signature with the public key you sent it when you enrolled. If the signature checks out and the signed challenge is the one the site just issued, then you are authenticated. Because the challenge is fresh every time, a captured response cannot be replayed later.

I enrolled with both Amazon and Google to see how things worked.

The good news is that I was able to enroll in both cases.

I was also able to log in to both web sites. All good.

But not exactly seamless.

I was using Windows; it may work better on other platforms, but those are the growing pains.

Since I use two factor authentication, I still needed to do that part of the sign in manually. You might be able to disable 2FA if you use passkeys, but your company is going to need to agree to that if you use it for work.

Also, I didn’t see an option to disable logging in the old-fashioned way with a password, so until they allow you to do that, it is no more secure than it always has been.

It also seems like there is no way, in Windows, to backup or restore your passkeys, so that is kind of a problem. I just spoke with Microsoft tech support and there is no way to manage passkeys on Windows at this time. Probably will be a way some time in the future. That by itself is a deal killer for any real use.

I also had to enter my PIN each time. For the computer I was using, it does not have a fingerprint reader and Passkeys didn’t recognize my camera, so I had to enter a password. For Windows, that MUST be your Windows HELLO PIN/Password. Other platforms are different.

The standard Windows HELLO authentication is tied to a computer. You need to set up Windows HELLO and enroll on each computer you use. Enterprise versions of HELLO, which are not free, work better between computers.

Also, for Amazon, they use Google’s implementation of passkeys, which is buried in a menu in Chrome three or four levels down. Not very friendly.

The good news is that it is way more secure.

Unless someone steals your secret key and your Windows HELLO authentication method, it really doesn’t matter what information they do have; they will not be able to log in.

Neither will you if you lose that information.

I think there are a lot of kinks to work out here, but potentially, with the use of biometrics for authentication, it will be both a hell of a lot more secure and also more convenient. Say goodbye to all of those wacky passwords.

BUT, every web site that you want to use passkeys on has to implement passkey authentication into its sign-in process. So far, I found two: Amazon and Google. While this is great because collectively they have several hundred million (or billion) users, the process is far from smooth, you have to trust Google (which is a stretch), you have to make it work across all of your devices (which works if you have drunk the Google or Apple Kool-Aid and use the same ID to log into every device; I fail on all of those metrics), and you had better understand the backup process unless you want to get locked out of all of your accounts. If you want to use your Apple ID on Windows you can’t, and while you can use your Google ID on both, most Apple users don’t use Google as their core authentication method.

I would say that it is not ready for “prime time”, but it probably is time to start learning.

I do think that once all of the kinks are worked out, it will be both simpler and way more secure.

As always, if you need assistance, please contact us.