Obtuse Networking

The thing to understand is that there are no passwords...

Michael Graves -

I'm late on commenting on this news. No surprise!  Google, Microsoft, and Apple announced their support for the "passkey" standard from the FIDO Alliance.  

Woot!  No more passwords... that's gotta be a good thing... right!  Maybe, maybe not.

Single Factor Authentication (SFA)

We all have too many usernames and passwords to remember and/or our desks are not big enough for all the sticky notes.  Some of us still use the same username and even the same or similar passwords across multiple sites.  (If that is you, please stop.  Not for my sake, but for yours)  Others of us, including myself, have graduated to using a password manager that keeps our usernames, passwords and other secrets... well, secret.  I'm not going to get into which password manager is the best.  The fact that you are using one is already a huge step up.  And with browser integration and phone integration, using a password manager to help input passwords has made the hassle of passwords almost tolerable.

However, usernames and passwords have been shown not to be enough.  With breaches (the ones that are actually reported) happening all the time, even a complex password isn't any good if it's public.  So what is next...

Multi Factor Authentication (MFA) / Second Factor Authentication (2FA)

Well, 2 passwords!  Or rather a password and something else physical.  This is often referred to as "something you know (password) and something you have (token)".  There are may types of tokens.  RSA tokens with scrolling numbers, YubiKey tokens which provide many functions, "smart cards", and more.  There are even Apps for your phone that can act as a token.  Swinging back to the password managers, the good ones have the 'token' function built right in.  Regardless of the token type they all provide the same basic thing.  They prove that you have possession of the token at the time of authentication.

Doesn't having a 2nd factor token, regardless of the form, make you more secure?  Yes.

There are pros and cons of the different types of 2FA devices, but the fact that one is used for authentication is a huge hurdle in securing yourself online.

"Passkeys" are just tokens 2.0! Right?

Not exactly.  To summarize the document that was publish (which never actually uses the term passkey), passkeys are a way for a site to ask a browser to communicate with a users token device to verify the authentication.

My concerns breakdown as follows...

First is browser.  The browser is not a safe place.  Google, Microsoft, Apple spend, what I assume are, enormous man hours and dollars trying to secure the browsers.  And to be fair, they do a good job.  None the less, browsers are not safe.  There are exploits and malicious add-ons being found all the time.

Second is communications between the browser and the users token device.  There are 2 examples given in the paper that concern me.  First is that the browser will be given access to the OS to communicate to outside devices.  This means that if there is a bug between the OS and the browser an attacker can now communicate to devices physically near me.  In addition, if those devices are not perfectly secure, they could now be compromised.  The second example is that the token device would be a cellphone. How would this communication to a cell phone occur?  We will just plug our cellphones into our computers with the USB cable? Right? (While that would actually negate my next concern I doubt that will even be an options).  Unlikely.  The suggested protocol for communicating with a nearby device is Bluetooth.  I actually like Bluetooth.  it makes is easy for nearby devices, such as my headphones, to communicate with my phone.  I can easily listen to podcasts and music while spinning in my chair, without any cords getting in my way.  However, one thing Bluetooth isn't is secure.  So the recommendation to use a totally insecure protocol to communicate security tokens seems... flawed?.  Anyone see a problem with that?  If I'm at home the risk is limited.  If I'm out and about, the risk is unlimited.  Anyone with a Bluetooth  sniffer can potentially capture what they need to impersonate me.  And because there are "no more passwords", the barrier to compromise has just been lowered.

The third concern is maybe more esoteric (and grossly over simplified here).  Tokens work by having an authentication server have some secret knowledge shared between the token and the site.  When the token authenticates to the site the shared secret is used to confirm the token.  My concern is where are these shared secrets going to be kept?  At every site?  Or are they going to be consolidated into a few or single site. (Google, Microsoft, Apple, ???)  What happens when one of those sites gets it's token database compromised?  What happens when one of those sites goes "offline".  Any site relying on them for the token authorization will be brought to it's knees. How will it impact you?  Email and games... bummer, but not a big deal.  How about not being able to get to your bank? Unemployment check?  Social services?  Now things start to get real.

Conclusions

It is too early to tell if any of my concerns will actually be realized or if I'm just polishing my tinfoil hat.  At this point I'm not optimistic and will not be getting rid of my password manager or tokens anytime soon.