Unlocking Security: A Guide to Passkeys and Authentication

What are passkeys

A passkey is a FIDO credential stored on your computer or phone that unlocks your online accounts and strengthens sign-in security. It is built on public key cryptography: proof that you own the credential is released to your online account only after you unlock your phone.

To access a website or app on your phone, unlocking the phone is enough; your account no longer needs a password.

Similarly, when attempting to sign in on your computer, having your phone nearby is all that's required. You'll receive a prompt to unlock your phone, granting you access on your computer without the need for a password.

Advantages of passkeys

  • Strong authentication: every passkey is a full-strength cryptographic key, so it cannot be guessed, reused across sites, or weakened the way human-chosen passwords are.
  • Protection from server breaches: servers hold only public keys, which makes them far less attractive targets for attackers.
  • Phishing resistance: a passkey is bound to the specific application or website it was created for, so it cannot be used to sign in to a fraudulent look-alike site.
  • Stored locally and optionally synchronized through iCloud Keychain or Google Password Manager, passkeys are end-to-end encrypted, so no one can read them, including Apple or Google. Passkeys establish a resilient and private connection between users and your application or website.

Passkey creation process

1) Client requests passkey rules and security question.

The client (such as a web browser or mobile app) requests the rules for creating a passkey and a security question from the server. The server returns a ruleset that specifies the minimum requirements for the passkey, such as its length, complexity, and character types.

2) Authenticator asks the user to verify their identity.

The authenticator (such as a fingerprint sensor or face unlock camera) prompts the user to verify their identity. This is done to ensure that only the authorized user is creating the passkey.

3) Authenticator finishes the key pair generation.

The authenticator generates a public-private key pair for the passkey. The public key is shared with the server, while the private key is kept secret on the client device.

4) Client sends public key with signature to the server.

The client sends the public key to the server, along with a signature generated using the private key. This signature proves that the client possesses the private key.

5) Server verifies and stores the public key.

The server verifies the signature and stores the public key. The public key is used to authenticate the client in the future.

6) Client is notified of the success of the process.

The client is notified that the passkey creation process was successful. The client can then use the passkey to authenticate to the server.

Passkey Authentication process

The passkey authentication process is as follows:

  1. Client requests an authentication: The client (such as a web browser or mobile app) requests an authentication from the server. The server responds with a challenge, which is a unique string of characters.
  2. Authenticator asks the user to verify their identity: The authenticator (such as a fingerprint sensor or face unlock camera) prompts the user to verify their identity. This is done to ensure that only the authorized user is authenticating with the server.
  3. Authenticator signs the challenge using the private key and sends it to the client: The authenticator generates a signature of the challenge using the user's private key. The signature is a unique value that proves that the user possesses the private key.
  4. Client sends the signed challenge to the server: The client sends the signed challenge to the server. The server verifies the signature using the user's public key.
  5. Server verifies the signature with respect to the public key: The server verifies the signature against the user's public key, which is stored on the server. If the signature is valid, then the server knows that the user possesses the private key and is therefore authorized to access the server's resources.
  6. Session generated (success): If the signature is valid, the server generates a session token and sends it to the client. The client can then use the session token to access the server's resources without having to authenticate again.


Constraints with passkeys

The passkey creation process is typically performed once, when the client first registers with the server.
On iOS, if the iCloud Keychain feature is not turned on, the user will be prompted to enable it.
On Android, the user needs to be signed in with a Google account.

Conclusion

Passkeys are the future of online authentication. They are more secure, easier to use, and more convenient than passwords.

Imagine a world where you don't have to remember a single password. Where you can sign in to any website or app with just a tap of your finger or a glance at your face. That's the world that passkeys are making possible.

Passkeys are based on public key cryptography, which is the same technology that underpins HTTPS and other secure communication protocols. This means that passkeys are resistant to phishing and other online attacks.

To use a passkey, you simply need to unlock your device with your fingerprint, face scan, or PIN. Your device will then generate a unique cryptographic proof that you are the authorized user. This proof is then sent to the website or app you are trying to sign in to.