ZDNET’s key takeaways
- Passkeys are more secure than passwords for authenticating with online accounts.
- Working with passkeys requires an authenticator and other technologies.
- The roaming authenticator could be the most complicated — and secure — type of authenticator.
Let’s face it. When it comes to passwords, we are truly our own worst enemies. Too harsh? I don’t think so. We’re doing everything we can to make it easy for threat actors to inflict their worst — from the exfiltration and distribution of our sensitive information to the emptying of our bank accounts. Given how frequently end-users continue to inadvertently enable these hackers, we’ve practically joined the other side.
In fact, research now shows that, despite receiving some thorough and comprehensive cybersecurity training, a whopping 98% of us still end up getting tricked by phishers, smishers, quishers, and other threat actors who attempt to trick us into accidentally divulging our secret passwords.
Realizing that training and education are apparently futile, the tech industry decided on an alternative approach: eliminate passwords altogether. Instead of a login credential that requires us to input (aka “share”) our secret into an app or a website (collectively known as a “relying party”), how about an industry-wide passwordless standard that still involves a secret, but one that never needs to be shared with anyone? Not even legitimate relying parties, let alone the threat actors? In fact, wouldn’t it be great if even we, the end-users, had no idea what that secret was?
In a nutshell, that’s the premise of a passkey. The three big ideas behind passkeys are:
- They cannot be guessed (the way passwords can — and often are).
- The same passkey cannot be reused across different websites and apps (the way passwords can).
- You cannot be tricked into divulging your passkeys to malicious actors (the way passwords can).
Easy peasy, right? Well, not so fast. Whereas 99% of today’s user ID and password workflows are straightforward to understand, and you don’t need any additional purpose-built technology to complete the process, the same cannot be said for passkeys.
With passkeys, as with anything related to cybersecurity, you’ll have to trade some convenience for enhanced security. As I’ve previously explained in great detail, that trade-off is worth it. But included in that trade-off is some complexity that will take getting used to.
Behind the scenes with passkeys
Each time you create a new passkey or use one to log in to a relying party, you’ll be engaging with an assortment of technologies — your device’s hardware, the operating system it’s running, the operating system’s native web browser, the relying party, and the authenticator — designed to interoperate with one another to produce a final and hopefully friction-free user experience. Some of these technologies overlap in a way that blurs the boundaries between them.
The word “passkey” is actually a nickname for the FIDO Alliance’s FIDO2 credential specification, which itself is essentially a merger of two other open standards: the World Wide Web Consortium’s (W3C) WebAuthn standard for Web (HTTP)-based passwordless authentication with a relying party and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP). As for the “Authenticator” in “Client-to-Authenticator Protocol,” the WebAuthn specification distinguishes three types of authenticators: platform, virtual, and roaming.
The subject of this fourth and final part of ZDNET’s series on passkey authenticator technologies is the roaming authenticator.
Limitations of a roaming authenticator
As its name implies, a roaming authenticator is a physical device, such as a USB stick (commonly referred to as a security key), that can be carried in your pocket. Yubico’s YubiKeys and Google’s Titan are two common examples of roaming authenticators. However, roaming authenticators can come in the form of other devices, including smartphones and smart cards.
Yubico offers a wide variety of roaming authenticators, most of which differ based on their ability to connect to a device. For example, the YubiKey 5C NFC can be physically connected to a device via USB-C or wirelessly via Near Field Communication (NFC). But roaming authenticators are also small and easy to misplace or lose, which is why you need at least two — one for a backup.
Currently, when you use a specific roaming authenticator to support a passkey registration ceremony for a given relying party, the passkey is created and stored in encrypted form on the roaming authenticator in such a way that it cannot be decoupled from the physical device. For this reason, passkeys created with roaming authenticators are considered “device-bound.” In other words, unlike Apple’s iCloud Keychain, the password manager in Google Chrome, and most virtual password managers, a passkey that’s created and stored on a roaming authenticator is also a non-syncable passkey. It cannot be extricated from the underlying hardware, synchronized to a cloud, and from there synced to the user’s other devices.
This limitation of roaming authenticators also reflects the current state of affairs with Windows Hello, where users have the option to create a passkey bound to the underlying Windows system. In such a case, the resulting passkey is cryptographically bound to the system’s security hardware, also known as its Trusted Platform Module (TPM). Every modern system has a cryptographically unique TPM that serves as a hardware-based root of trust to which passkeys and other secrets can be inextricably tied.
With that in mind, a roaming authenticator can, in some ways, be thought of as a roaming root of trust; it’s essentially a portable TPM. Whereas a passkey that’s tied to a TPM hardwired into a computer or mobile device’s circuitry can never be divorced from the device, a passkey that’s saved to a roaming authenticator is still cryptographically tied to a hardware-based root of trust but can then be shared across multiple devices to which the roaming authenticator can be connected. For example, a passkey saved to a USB-based YubiKey can be used in support of a passkey-based authentication ceremony on any device into which that YubiKey can be inserted (e.g., a desktop computer, smartphone, tablet, or gaming console).
The syncable passkey
The chief benefit of this approach is that you receive the multi-device benefits of a software-based, syncable passkey without the passkey being saved anywhere except in the roaming authenticator itself. It’s not saved to any of your computing devices, nor does it pass through any online clouds in order to be synchronized to and used from your other devices. Instead of syncing a passkey through the cloud, you simply connect the roaming authenticator to whichever device needs it for an authentication ceremony with a relying party.
However, roaming authenticators differ significantly from their platform and virtual counterparts in that they are not packaged with any password management capabilities. You cannot save a user ID or password to a roaming authenticator in the same way that a passkey can be saved to one. This presents a bit of a conundrum because password managers still come in handy for their non-passkey-related capabilities, such as creating unique, complex passwords for each relying party and then autofilling them into login forms when necessary. If your credential management strategy involves both a password manager and a roaming authenticator, you’ll basically end up with two authenticators — one virtual (as an integral part of the password manager) and the other roaming, which in turn will require you to decide and then remember which authenticator to use for which relying party.
Fortunately, there is one clear use case where it makes perfect sense to have a roaming authenticator in addition to a platform or virtual authenticator. As described in this report about a recent partnership between Dashlane and Yubico, password managers involve a bit of a paradox: If you need to be logged in to your password manager in order to log in to everything else, then how do you log in to your password manager?
The best strategy is to do so with a roaming authenticator. After all, your password manager holds the keys to your entire kingdom. The idea of a hacker breaking into your password manager should strike a healthy amount of fear into anybody’s heart. But when the only way to authenticate with your password manager is with something you physically possess — like a roaming authenticator — then there’s no way for a malicious hacker to socially engineer you for the credentials to your password manager. Perhaps the most important point of that Dashlane news is how you can completely eliminate the user ID and password as a means of logging in to your Dashlane account.
But once you follow this path, the next complication arises.
Here’s the wrinkle: For those relying parties where your only matching passkeys are the passkeys on your roaming authenticator, you’ll need a second roaming authenticator on which to store your backup passkeys. A third roaming authenticator — a backup to the backup — wouldn’t hurt either. Unlike user IDs and passwords, you should be able to create multiple passkeys — each distinct from the others — for each relying party that supports passkeys. If you have three roaming authenticators, you’ll want to register three separate passkeys for each relying party (one unique passkey per roaming authenticator).
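The three properties listed near the top (not guessable, not reusable across relying parties, not phishable) and the one-passkey-per-authenticator rule above, modelled in Go as an added example that is not ZDNET’s code or any vendor’s implementation. It reduces the FIDO2/WebAuthn ceremonies to Ed25519 key pairs and a simplified signed message; Authenticator, Assert, VerifyLogin and the rpId-plus-challenge layout are assumptions of this sketch, and it assumes, as browsers enforce, that the rpId reaching the authenticator comes from the browser rather than from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a roaming security key: one private key per relying
// party (rpId), generated on the device and never exported from it.
type Authenticator map[string]ed25519.PrivateKey

// Register mints a fresh key pair for rpId and hands back only the public key.
func (a Authenticator) Register(rpId string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpId] = priv
	return pub
}

// Assert signs the challenge bound to the rpId the browser reports (the role of
// rpIdHash in WebAuthn authenticatorData). A look-alike origin gets nothing: no
// credential exists for it, and its signature would not verify at the real site.
func (a Authenticator) Assert(rpId string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpId]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(rpId, challenge)), true
}

// signedData is a simplified stand-in for the WebAuthn signed payload (assumption).
func signedData(rpId string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpId+"\x00"), challenge...))
	return h[:]
}

// VerifyLogin is the relying-party side: it accepts the assertion if any of the
// public keys enrolled for the user (one per security key) verifies it, so a
// backup key still works after the primary one is lost.
func VerifyLogin(rpId string, enrolled []ed25519.PublicKey, challenge, sig []byte) bool {
	for _, pub := range enrolled {
		if ed25519.Verify(pub, signedData(rpId, challenge), sig) {
			return true
		}
	}
	return false
}
```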
If you really think about it, the main idea behind passkeys is to get rid of passwords. Once a relying party eliminates the option to authenticate with a user ID and password, you have to be very careful not to lose your passkey (and a roaming authenticator is very easy to lose). Some relying parties, like GitHub, do not offer account recovery schemes for accounts secured by a passkey — and rightfully so. If you’re a relying party and one of your users has chosen to secure an account on your systems with a passkey, you have to assume they did it for a reason: that there’s no other way to log in.