3 things to know about FIDO passkey and the future of enterprise authentication 

Tue 23 Aug 2022
By Enrique Tang, Head of Technical Solution Sales
FEITIAN Technologies

FIDO Alliance introduced passkey back in March 2022, and then the three major platform players, Apple, Google, Microsoft, announced their plans to support passkey in May, followed by wider announcements at the RSA Conference in June.  All in all, it seems like we are really ‘securing’ a passwordless future!

As a long-standing member of the FIDO Alliance and an organization that partners with the major identity providers driving the ‘passwordless’ effort, FEITIAN Technologies is happy to share more about passkey. There are already numerous writings, interpretations, and even speculations around this topic, so we will try to be succinct and just show you the top 3 things to know about it!

Top 3 things to know about FIDO passkey

What is a passkey? Why? Who is it for?

OK we cheated a little here since that’s really 3 questions, but please bear with us as their answers tie together as one.

Passkey is a moniker for ‘FIDO Multi-device Credentials’; its intention is ‘accelerating the availability of simpler, stronger passwordless sign-ins’. It is built to be the next evolution of the well-known WebAuthn and CTAP2 stack that is inside every modern FIDO security key, such as FEITIAN’s.

Conceptually, passkeys are ‘keys’ secured by FIDO’s strong public key cryptography, carried in users’ cyber wallets in the form of the Android authenticator, Windows Hello, or iCloud Keychain (depending on the type of device being used). Since they are backed up and synced by these major platform providers, the account recovery process is simplified and minimized.

Now you would be right to ask ‘why would I trust these platforms to keep my spare keys?’, and that is indeed the trade-off of the current passkey implementation. Traditionally, FIDO and the existing hardware security keys (such as FEITIAN’s) store these keys in a security-hardened, phishing-resistant, tamper-proof hardware element, and they are not transferable (no copying, no backing up, no syncing); a user’s credential is therefore highly secure yet ‘device-bound’. This creates a challenge when the physical hardware is lost, since there is no easy way to ‘restore’ a key bound to that device. FIDO passkey addresses this by trading off a bit of security for portability and account recovery, in the interest of wider adoption.

Figure: security spectrum from weakest (left) to strongest (right); credit: FIDO Alliance.

The immediate target users are consumers, as well as small to midsize businesses built on a cloud-first strategy whose infrastructure stack already sits in the Microsoft, Google, and Apple ecosystems.

Is Passkey NOT for Enterprise at all?

With the current implementation, FIDO passkey is not suitable for large enterprise environments with complex SSO setups (e.g. SAML and IAM integrations) and services such as VPNs and firewalls. It is also not suitable for regulated industries (which may be required to follow the Authentication Assurance Levels, AAL, defined by NIST) or for ‘high-value consumers’.

One proposal to make passkeys applicable in these areas has been made to WebAuthn: the Device Public Key (DPK) extension. It is essentially a wrapper around passkey that gives the RP (relying party, i.e. the service provider that supports FIDO sign-in) the option to require a device-bound key for each passkey. From FIDO’s whitepaper of March 2022:

“… a proposed new extension, which will allow relying parties to recognize when a user presents an existing FIDO credential from a new device, and to create an additional device-bound cryptographic key on that new device. This device-bound key can later be used to (re-)authenticate the user on this device without extra verification steps, and without depending on the account security mechanisms of the underlying OS platform.”

It is still too early to say how DPK may or may not be developed into a state that can satisfy various requirements from enterprises, regulated industries, and high value consumers.

Is there a future for hardware security keys?

Totally. With the current implementation of FIDO passkey, hardware security keys (such as FEITIAN’s) remain the most secure option for anyone. For regulated industries, enterprises, and high-value consumers, we would also recommend utilizing FIDO’s attestation option to establish the highest level of security. FEITIAN is proud to announce that it has obtained CTAP2.1 certification, the latest FIDO update, which enables Enterprise Attestation (among many other key new features).
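The sections above describe three things a relying party needs to act on: whether a credential is a synced passkey or a device-bound key, the option to require a device-bound key, and attestation as the way to establish which authenticator model created the key. The following is an added example, not FEITIAN’s code and not part of the original article, showing how an RP can read these properties from the WebAuthn authenticatorData it already receives. It relies on the backup-eligible (BE) and backup-state (BS) flag bits that WebAuthn Level 3 defined in the flags byte; a synced platform passkey sets both, a device-bound security key sets neither. The policy function, the relying party name `example.com`, the AAGUID allow list and the sample authenticatorData blobs are all constructed for the demonstration. The DPK extension itself is not implemented here, and the AAGUID allow-list check is only meaningful once the attestation statement’s signature chain has been verified, which this example leaves out.

```python
"""Added example (not FEITIAN's code): relying-party parsing of WebAuthn
authenticatorData to tell synced passkeys from device-bound keys and apply
a hypothetical enterprise policy."""
import hashlib
import struct

# Bit positions of the authenticatorData "flags" byte as defined by WebAuthn.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data, rp_id):
    """Parse rpIdHash, flags, signCount and, if present, AAGUID + credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    expected_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    if auth_data[:32] != expected_hash:
        raise ValueError("rpIdHash does not match this RP")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        # The spec forbids BS=1 together with BE=0; treat it as malformed.
        raise ValueError("invalid flags: backup state set without backup eligibility")
    parsed = {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53].hex()
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = cred_id
    return parsed


def classify_credential(parsed):
    """'device-bound' (BE=0), 'synced-passkey' (BE=1, BS=1) or 'backup-eligible' (BE=1, BS=0)."""
    if not parsed["backup_eligible"]:
        return "device-bound"
    return "synced-passkey" if parsed["backup_state"] else "backup-eligible"


def enterprise_policy(parsed, allowed_aaguids=None):
    """Hypothetical RP policy: require UV, a device-bound key and (optionally) an
    allow-listed AAGUID. The AAGUID is only trustworthy after the attestation
    signature chain has been verified, which is outside this example."""
    if not parsed["user_verified"]:
        return False, "user verification required"
    if parsed["backup_eligible"]:
        return False, "synced or backup-eligible credential rejected; device-bound key required"
    if allowed_aaguids is not None and parsed.get("aaguid") not in allowed_aaguids:
        return False, "authenticator model not on the allow list"
    return True, "accepted"


def build_sample_auth_data(rp_id, flags, sign_count=0, aaguid=None, cred_id=b""):
    """Construct authenticatorData for the demo (in practice the authenticator emits it)."""
    data = hashlib.sha256(rp_id.encode("ascii")).digest()
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += (aaguid or bytes(16)) + struct.pack(">H", len(cred_id)) + cred_id
    return data


if __name__ == "__main__":
    RP = "example.com"  # constructed relying party ID
    # Constructed sample: a device-bound security key registration (UP+UV+AT, BE=0).
    hw = build_sample_auth_data(RP, FLAG_UP | FLAG_UV | FLAG_AT, 1, b"\x11" * 16, b"cred-1")
    # Constructed sample: a synced platform passkey assertion (UP+UV+BE+BS).
    synced = build_sample_auth_data(RP, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    for blob in (hw, synced):
        p = parse_authenticator_data(blob, RP)
        print(classify_credential(p), enterprise_policy(p, {"11" * 16}))
```

Run as a script it prints the classification and policy decision for both constructed samples: the security key registration is accepted, the synced passkey is rejected with the reason. The rpIdHash comparison and the BS-without-BE check are the two validations an RP should not skip even when it accepts synced passkeys, since both indicate a response that was not produced for this RP or is malformed.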

Conclusion

To sum up, we are happy that, as a long-time FIDO board member and participant, we are seeing the ‘light at the end of the tunnel’ for getting rid of passwords securely and with ease of use! FEITIAN’s many authentication portfolios, from PKI, OTP and smart cards to FIDO, are all part of the effort to provide secure ways to eventually go passwordless.

As you can see, no matter where you and your organization are in this journey through authentication technologies, FEITIAN Technologies has everything you will need. Contact us today to start the conversation!
