Passwords vs Passkeys

There's a way that you can get better security and better usability and get rid of your passwords. I did a post on passkeys in fact recently on this blog, and there were a lot of questions and I'm going to address those questions here. The number one question in particular is about what happens if I lose my device? I'm going to cover that and four other good questions in this post.

So the first one, what if I lose my device? Well, it turns out the way passkeys work in this FIDO standard that I talked about in the recent post is that you keep a private key on your device and you unlock and access your account through a biometric like your face or your finger or something like that. So it stays there, that was the idea. If you lose the device, then you lose that private key, the secret that you need. 

However, there are ways. I'll ask you, if you lose your password today, how do you recover that? In fact, most websites have an ability to do account recovery of some sort or another. You can either go back into the site and answer a set of security questions, and yes, most of the time they're lousy. But they don't have to be, there could be good secret questions. 

The credit bureaus have been doing that for years, where they base it on information they know about you already knew, as opposed to you choosing answers to trivial things like your mother's maiden name.

So there are ways to do that. So what happens if you lose your device? It's the same thing in essence as what happens if I lose my password. It's not a dramatically different kind of case. We have account recovery capabilities.

Another related question, is what if I have multiple devices I want to log in from? 

So I'd like to be able to log into my account not only from my phone, but from my laptop, from my tablet and this sort of thing. Well, what do you do in that case? Well, there's also the ability to synchronize. So in the previous post, I talked about that you would keep the private key on the device and you can. However, if you want to, there are secure synchronization capabilities where you put this in a cloud and therefore all of your systems, let's say your phone, your tablet, your laptop, and they all synchronize up to a cloud, nd therefore that private key is shared across all of these in a secure way. 

How is it done in a secure way? Well, you can go into the details of how that happens, but these sessions are authenticated and they're encrypted as well. You can actually use this across multiple devices if you choose to enable that. That's not something that's required, but if you're concerned about this, you do in fact have an option. 

Also, sometimes related to this, people will ask, well, what if I want to do this on a public terminal at a friend's house, something like that? I'm just going to say, my personal opinion is don't. If you don't control the system that you're logging into, and you don't control its security, you should assume everything you type on it is public information. Why? Because there could be malware on that system that copies every single keystroke that you make, and then sends that off to a bad guy. 

Sometimes you can say, but I trust my friend, I'm using their system. It's not about trusting your friend. It's about trusting that the security on their system is good. So if you don't control the security, assume everything you type on that system is generally available to the world. So I am going to say that's a bad idea in general.

Another question that could arise is, is it not only SSH, PGP, TLS, SSL or any other scanning things? Well, I am going to say, it's not just it's a particular application of some underlying technologies that are in there. For instance, is an electric vehicle just an electric motor? No. We could use an electric motor to be a fan. We could use it to be a clothes washer. We could use it to be time. And these standards have been around for a long time. However, what they tend to do is different.

We've addressed the first three of concerns. Now let's take a look at a few more. Some people say, really, what's the problem with passwords? I like my passwords. I'm just going to stick with those.

Well, what's the problem with passwords? I'm going to tell you, it's people, because what will people do if you ask them to follow the rules for passwords? And the rules that we generally ask them to follow are that we want the password to be complex, so that it can't be easily guessed.

We want the password to be unique. That is, we want it to be different across every different system. Because if I figure out what your password is on one system, I don't want to be able to have that so that they can get into every one of other systems.

Lastly, we want them to be always fresh. That is changing constantly because someone might be able to crack a password if given enough time. So if you take all of these things and ask these humans to actually do that, what will they do? I'll tell you what they do. They come up with exactly one password to every single system. 

By doing this, they violated all the rules we mentioned earlier for good password to follow. By picking something that they can easily remember, which makes it therefore easy to guess. And they're not so wild about changing these all the time. In fact, they end up not following any of these rules. Most people, that's what happens. 

So understand at the end of this system, there's always a human, and what the human does and their behavior matters. So that's one of the big problems with passwords.

Now, some other people say, oh, but don't you know about password managers? These things are really great and they are. In fact, I've been using password managers for more than 20 years and I think they are great.

But let's talk about what are some of the issues that could happen with password managers. So if we have a password manager, we'll depict it holding a bunch of different passwords of the user, and the user then goes and retrieves a password from the password manager, and that's locked either by a biometric or through a very strong password. Then they send that off to all the different sites that they need to log into. That's generally how password manager works.

However, what if the destination website that user wants to login is not the real website? What if it's a phishing website? That means, the user has been tricked into sending his password to a place that it's not supposed to be. Then this password, once it's on the bad guy's system or website, then it can be reused.

Again, if they have not chosen good passwords, it could get them into a lot different systems. There are other ways that this could be a breach. So one of those breaches, as I said, is a phishing attack where the credentials are phished. 

Another is a password database breach, so what do I mean by that? Wait I will explain. Over destination websites that user inputs his password, these websites maintain a database of hashed passwords. In other words, it's a one-way encryption of your password. If someone gets into these websites and takes those passwords offline, they may be able to crack those and come out with what is the actual password is, if given enough time. And if they're able to attack it, then that password can be reused. I am going to suggest to you, as long as password exists, its vulnerable.

So in other words, I think a better system, and this is the way FIDO does, is when the secret is not sent. The secret stays on your device, with the exception of these kinds of use cases that I mentioned earlier where you might synchronise across your cloud for reuse in your other devices.

During the authentication flow, the secret stay on your device with FIDO passkey. In the case of password the secret is goes anonymous and stored somewhere else, this means there's another copy of it. Therefore, the attack surface just got larger. 

So I'm going to suggest to you it's much better if you have a system where the secret stays on the device. the passkey is not the private key. The pass key is something that is time-bound. A password is not. 

A password can be reused again and again and again. A passkey cannot. Again, we've reduced the attack surface with a FIDO passkey. And by the way, in the end of all of this, it's really not about FIDO versus password managers. In fact, most of the good password managers support FIDO already today, in addition to passwords. 

So you have your choice, and I would just say, when you get a choice, choose Passkeys. This literally happened to me yesterday. I was logging into a major pharmaceutical website in order to get a vaccination scheduled. And it said, would you like to switch to using pass keys? And I said, absolutely I would like to, because that way I keep the secret on my device and I can still get to these other systems and do it in a much more secure, much more usable way. And it gave me a choice of using my password manager or using the capabilities built in my operating system.

Over 250 organizations are members of the FIDO Alliance. Thanks for reading up to this point. If you found this post interesting and would like to learn more about cybersecurity, please remember to follow Blueguard. 

With Blueguard You Stay Secured 

Print this post