For almost a decade, I have been advocating against passwords, enthusiastically embracing the superior alternative: passkeys.
Passkeys were designed to offer the perfect combination of enhanced security and ease of use, encouraging widespread adoption. However, a recent article highlights four significant challenges faced by this technology…
Enhanced Security with Passkeys
Passwords pose various security risks, such as:
- Websites can access them, even if they are allegedly encrypted
- Many users tend to reuse passwords, making data breaches extremely concerning
- Passwords are susceptible to phishing attacks
Passkeys address these vulnerabilities. Instead of entering a username and password at login, we utilize a passkey. The website or app requests our device to authenticate us using Face ID or Touch ID. Our device then confirms our identity to the website.
The web server relies on our device for authentication, just as payment terminals trust our iPhone or Apple Watch during Apple Pay transactions, because it knows our identity has been verified locally through biometric methods.
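How the device can confirm our identity without the website ever holding a reusable secret, shown as an added Node.js example (not from the original article): a simplified WebAuthn-style login check. The origin, relying-party ID and function names are constructed for illustration, and real WebAuthn also involves CBOR-encoded registration data and sign-counter checks that are omitted here.

```javascript
const nodeCrypto = require("node:crypto");
const ORIGIN = "https://shop.example"; // constructed site origin
const RP_ID = "shop.example";          // constructed relying-party ID
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Device: create the key pair. Only the public key is ever sent to the website.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Device: after the local biometric check, sign the server's challenge.
// The browser records the origin the user is really on; the page cannot set it.
function deviceSign(privateKey, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: browserOrigin,
  }));
  // rpIdHash (32 bytes) | flags: user present + user verified | sign counter
  const authenticatorData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Website: holds only the public key and the challenge it just issued.
function serverVerify(publicKey, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "stale or replayed challenge";
  if (client.origin !== ORIGIN) return "wrong origin";
  if (!assertion.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "wrong rpId";
  if ((assertion.authenticatorData[32] & 0x04) === 0) return "user not verified";
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad signature";
}

// Genuine login, a signature made while on a lookalike origin, and a replay.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = deviceSign(privateKey, challenge, ORIGIN);
  const phished = deviceSign(privateKey, challenge, "https://shop-login.example");
  return {
    genuine: serverVerify(publicKey, challenge, genuine),
    phished: serverVerify(publicKey, challenge, phished),
    replayed: serverVerify(publicKey, nodeCrypto.randomBytes(32), genuine),
  };
}
console.log(demo());
```

A breach of the website's database exposes only public keys, which cannot be used to log in anywhere, and a signature is valid only for the one challenge and origin it was made for.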
In Theory, Passkeys Should Simplify Login
Creating an account should present us with the option to use a passkey, requiring nothing more than our consent. Our device authenticates us to create our account. For future logins, we simply use Face ID or Touch ID and gain access.
However, There Are Four Major Issues
If you exclusively use Apple devices and browse with Safari on all of them, passkeys come close to seamless. iCloud synchronization allows an account created on one Apple device to be accessed from all others.
Yet, as Ars Technica notes, various situations reveal a gap between expectations and reality, particularly regarding inconsistent user experiences.
The process of logging into PayPal with a passkey on Windows differs from logging in on iOS or using Edge on Android. Attempting to log into PayPal using Firefox? That browser isn’t supported for this feature across any OS.
Moreover, passkeys are restricted to particular browsers.
For example, after creating a passkey for my LinkedIn account in Firefox, I opted to sync it with my 1Password password manager. This setup theoretically allows me to utilize the passkey wherever I log into my 1Password account. However, it’s not that straightforward. In LinkedIn’s settings, the passkey appears tied to Firefox on Mac OS X 10, even though it functions across all browsers and operating systems I use.
Another concern is that tech companies like Google and Apple may nearly compel you to utilize their own passkey management systems, even if you prefer alternative solutions or have a passkey already configured.
I simply want to access LinkedIn using the passkey synced by 1Password across my devices. Yet somehow, the entity managing this (Google, in this instance) has taken control of the process, attempting to persuade me to adopt its platform.
Additionally, consider the demo on WebAuthn.io, showcasing how the standard functions across various scenarios. When a user wishes to register a physical security key for login on macOS, they receive a prompt encouraging them to use a passkey instead and sync it via iCloud.
Finally, despite the goal of passkeys being to eliminate the vulnerabilities linked to passwords, nearly every service still compels users to create a password for login as well.
Among the numerous sites that support passkeys, I don’t know of a single one that permits users to abandon their passwords entirely. Passwords remain mandatory… Threat actors will develop hacks and social engineering tactics that take advantage of this flaw, leaving us facing the same issues as before.
The complete article is definitely worth a read.