Wilson Mar

Overview

This article presents a guided tour, with commentary, of the latest mechanisms you can use to protect yourself from having your passwords stolen or phished.

NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.

Why This? Static Passwords Suck

Eventually, you’ll click on a link that installs malware or log into a pretender (phishing) website thinking it was real.

Visit haveibeenpwned.com and type in your email. Chances are, because of so many leaks of user data from many websites over the years (Facebook, LinkedIn, Yahoo, etc.), your private information (email, residence address, birthdate, Social Security Number, etc.) has been leaked by some website. Leaked information is then sold to data brokers and aggregators who provide subscriptions to anyone.

CAUTION: Users who reuse the same password (or a simple pattern of passwords) on several sites give attackers an easy way into every one of those accounts: a password leaked from one site is simply replayed against the others (“credential stuffing”).

Password managers

So security-conscious people store passwords in a vault such as in the 1Password app, which can either only store secrets locally or store in their 1Password cloud.

But it’s still a hassle to provide a password to every website.

Hackers have been known to send fake requests (via Telegram) to steal One-Time-Password codes from Authy app users.

PROTIP: In 1Password, construct a distinct email address for each website sign-in. I say “construct” because if your name is “John Doe” and you have a gmail.com account, you can create in 1Password an entry such as

johndoe+3413@gmail.com

Gmail delivers mail sent to johndoe+anything@gmail.com to the johndoe mailbox. In 1Password, record which suffix (“3413” here) you allocated to each website, so a leak or spam arriving at that address tells you which site leaked it. Note that this is a tracking aid, not a security boundary: anyone who sees the address can strip the “+3413” to recover the real mailbox.

The safest password is no password

In 2022, the FIDO Alliance and the major platform vendors introduced “Passkeys” as a way for users to NOT have to remember passwords.

How a Passkey operates is defined by open standards: the W3C WebAuthn browser API and the FIDO Alliance’s FIDO2/CTAP protocols, implemented in cooperation with the main operating system vendors:

  • Apple
  • Microsoft
  • Google

Newest versions needed

REMEMBER: Use a supported browser on a supported operating system to sign up to use Passkey on a website that supports Passkeys.

You’ll need to upgrade your browsers and apps to versions that support Passkeys.

Only recent versions of operating systems currently support Passkeys:

  • macOS 13 Ventura onward supports Passkeys.
  • iOS 16 and iPadOS 16 onward support Passkeys.
  • Windows 11 supports Passkeys through Windows Hello. Windows 10 offers only the older device-bound Windows Hello FIDO2 flow in some browsers, not the newer Passkey management.

Apple built preview Passkey support into its Safari browser across all its operating systems in iOS 15, iPadOS 15, and Safari 15 with macOS 12 Monterey.


  1. Open Settings
  2. Scroll to select “Passwords”
  3. Password Options
  4. Checkmark on “iCloud Passwords & Keychain” so Passkeys created will be sync’d across your devices.

No more switching browsers!

Previously, you could enter your password to log in using various browsers on various operating systems.

That’s more difficult with Passkeys.

The private key generated for each website is stored in whichever credential store created it (the operating system’s keychain, a browser profile, or a password manager), so you need to sign in from a device and browser that can reach that same store. Stores that sync (such as iCloud Keychain or Google Password Manager) make the passkey available on all devices in that ecosystem; a store that does not sync keeps it on one device.

REMEMBER: A Passkey created in Google’s Chrome browser on a laptop will NOT ordinarily be recognized by Safari on your Apple iPhone or Mac, or by a Windows device, unless you use the cross-device (QR code) flow described below.

When using Apple’s iPhone, iPad, or macOS, it’s easiest if you use Apple’s Safari browser.
When you use Google’s Android, it’s easiest if you use Google’s Chrome browser.

Where does that put alternative browser vendors such as Firefox, Brave, etc.? Do FIDO2 Passkeys hinder them? I think so.

Reference sample implementation: Safari browser

  1. Let’s start with the Safari browser app on a macOS laptop accessing a Passkey-enabled website.

  2. A website was created as a reference implementation for other websites to emulate:

    passkeys.io

  3. To sign up, type your email on the passkeys.io website.

  4. Verify your email.

  5. It responds that your email is new. Notice you don’t have to invent a password to sign up.

    Passkey Registration

    With Passkeys, there are no password-complexity frustrations because the credential is a randomly generated cryptographic key, not a string anyone chooses or types, so there is nothing for an attacker to guess. Thus, it says:

    “Your device supports passkey authentication. If you use biometrics, we will never see or store your biometric data.”

    With Passkeys, when a user initially registers with a website, a key pair is created on the user’s device: a private key which is never supposed to leave the device (or the end-to-end encrypted sync store) where it was made, and a public key which can be openly shared. Thus, the approach is called “public-key cryptography”.

    Because the private and public keys are different, these are also called “asymmetric” keys. The mathematics ensure that a signature made with the private key can be verified with the public key, but the private key cannot be derived from the public one. This approach has been widely used to secure networking using HTTPS, Linux SSH, etc.

    The public key can’t be used to log in. The website uses it only to verify a signature, which proves that you possess the private key.

  6. Click “Set up a passkey” to complete sign-up. That means a key pair was created and stored in your device’s operating system. And your public key was sent to the website to hold.

  7. Click “Continue” for the “You are logged in” message.

  8. Click “Logout”.

    Sign in using Passkey

  9. Return to the website.

    The website sends a fresh random challenge; the browser asks the device to sign it with the private key and returns the signature, which the website checks against the public key it stored at sign-up. That’s why each browser needs to be upgraded to provide Passkey support.

  10. Click “Sign in with a passkey” instead of email, Google, Apple, Facebook, or other “federated” sign-in providers.

    Use Apple biometrics

    On an Apple iPhone or iPad, Face ID reads your face or Touch ID reads your fingerprint to unlock the passkey stored on the device. The biometric only unlocks the key locally; it is never sent to the website.

    Apple now supports Passkeys in iOS 16, iPadOS 16, and macOS Ventura for apps and websites. The credentials are synchronized between the devices of the same user via iCloud Keychain. And if you need to log into that app or website from another platform, the website shows a QR code that your phone scans; the phone then signs the challenge itself, so the passkey never leaves it.

    Since these keys are not visible to the user, it’s more difficult for attackers to gain access to them.

  11. On an Apple app/device, when you tap on the user name field, you can choose from a list of credentials shown. The fingerprint icon means you can use Touch ID or Face ID instead of typing a password.

  12. Click “Sign in with a passkey”. You should see this:

    [Screenshot: passkeys.io Touch ID prompt]

  13. Put your finger on the Touch ID sensor (the top-right key on a Mac keyboard), which should result in “You are logged in”.

  14. Click “Logout” when you’re done with what you want to do.

SUMMARY: The browser or app used, the user’s operating system, and the website visited all need to implement the “WebAuthn” standard to register, store, and verify a Passkey.

Key recovery differences

The first generation of FIDO stored key pairs on small physical USB-based “key fobs” (from Yubico, Google’s Titan, etc.).

There is a high likelihood of fobs being misplaced, so another method for account recovery (a second registered key, recovery codes, or a password) was necessary.

Key storage in the cloud?

With FIDO2 Passkeys, operating system vendors provide not only a (safe) place to store keys locally but also a way to back up keys in each of their back-end systems on the internet cloud:

  • Apple’s iCloud Keychain
  • Google Password Manager
  • Microsoft’s Windows Hello (which, as of this writing, keeps passkeys bound to the device rather than syncing them)

Being in the cloud, keys can be synced among multiple devices of the same user. Apple and Google both state that synced passkeys are end-to-end encrypted, so the sync service itself cannot read the private key.

QUESTION: With FIDO Passkeys, can one opt out of having their credentials sent to some cloud server?

QUESTION: How can you be sure the cloud vendor can be trusted to safeguard your credentials from hackers?

QUESTION: Are you comfortable trusting your data to a company (such as Google) which makes most of its money selling users’ information?

PROTIP: If you are concerned about having secrets of any kind in any cloud rather than locally, continue to copy 1Password files onto each of your devices via a USB key fob. A hardware security key (the first-generation FIDO fob above) is the other option that keeps the private key off every cloud, at the cost of having to carry the fob.

Google Chrome Autofill

  1. Install and open Google Chrome. Click the three dots at the upper-right corner, then click “Settings”. Click “Autofill and passwords” on the Settings left menu. Alternately, reach that screen with this:

    chrome://settings/autofill

    PROTIP: “Autofill” is a misnomer for Passkeys: the menu name is inherited from passwords. A passkey is offered in the same autofill dropdown on the username field, but nothing is typed into a password form field.

  2. Click “Password Manager”.
  3. Click “Manage Passkey”. Notice it says:

    “These Passkey are only saved on this device. They aren’t saved to your Google Account.”

    PROTIP: “this device” means the crypto storage mechanism for the operating system you’re using.

Implement passkeys with form autofill in a web app

REMEMBER: A passkey that Chrome reports as “only saved on this device” is usable only from that Chrome profile on that device. So if you have 1Password, add “#Passkey Chrome” to the Note for each account you set up that way, so you know where to sign in from.
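The browser side of “passkeys with form autofill” is WebAuthn conditional UI: a username field marked `autocomplete="username webauthn"` plus a `navigator.credentials.get()` call with `mediation: 'conditional'`, which makes the browser list the user’s passkeys for this site in the autofill dropdown. The following is an added example, not Google’s or Chrome’s code; the server endpoints `/webauthn/options` and `/webauthn/verify` and their JSON shapes are assumed, and the base64url helpers are included so the block runs outside a browser as well.

```javascript
// Added example (not Google's or Chrome's code): browser-side passkey sign-in
// through WebAuthn conditional UI. Server endpoints and JSON shapes are assumed.
// The HTML needs: <input name="username" autocomplete="username webauthn">
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode base64url (no padding) into bytes; WebAuthn challenges arrive this way.
function b64urlToBytes(s) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('bad base64url');
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return new Uint8Array(out);
}

// Encode bytes as base64url so ArrayBuffers from the credential can be POSTed as JSON.
function bytesToB64url(bytes) {
  let s = '', acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 6) { bits -= 6; s += B64URL[(acc >> bits) & 63]; acc &= (1 << bits) - 1; }
  }
  if (bits > 0) s += B64URL[(acc << (6 - bits)) & 63];
  return s;
}

// Build the navigator.credentials.get() argument from the server's one-time
// challenge and rpId. An empty allowCredentials list lets the browser offer any
// discoverable passkey it holds for this rpId; 'conditional' puts the offer in
// the username field's autofill dropdown instead of a modal prompt.
function buildGetOptions(serverOptions) {
  return {
    mediation: 'conditional',
    publicKey: {
      challenge: b64urlToBytes(serverOptions.challenge),
      rpId: serverOptions.rpId,
      allowCredentials: [],
      userVerification: 'required',
      timeout: 60000,
    },
  };
}

// Serialize the PublicKeyCredential returned by the browser for the server.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToB64url(new Uint8Array(cred.rawId)),
    type: cred.type,
    response: {
      clientDataJSON: bytesToB64url(new Uint8Array(r.clientDataJSON)),
      authenticatorData: bytesToB64url(new Uint8Array(r.authenticatorData)),
      signature: bytesToB64url(new Uint8Array(r.signature)),
      userHandle: r.userHandle ? bytesToB64url(new Uint8Array(r.userHandle)) : null,
    },
  };
}

// Browser-only entry point: call once on page load; it resolves when the user
// picks a passkey from the autofill dropdown and the server accepts it.
async function signInWithPasskeyAutofill() {
  if (typeof navigator === 'undefined' || !globalThis.PublicKeyCredential) {
    throw new Error('WebAuthn is not available here');
  }
  if (!(await PublicKeyCredential.isConditionalMediationAvailable())) {
    throw new Error('conditional UI not supported; fall back to a "Sign in with a passkey" button');
  }
  const serverOptions = await (await fetch('/webauthn/options', { method: 'POST' })).json();
  const cred = await navigator.credentials.get(buildGetOptions(serverOptions));
  const res = await fetch('/webauthn/verify', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeAssertion(cred)),
  });
  return res.ok;
}
```

The server must generate the challenge per request and verify the returned `clientDataJSON` origin and `authenticatorData` rpId hash before trusting the signature; the client never sees the private key, only the opaque signed assertion.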


Gmail Account Passkey Setup

  1. In a Chrome browser, sign in using a Gmail.com account.

    “If you have a Google Workspace account (one with a custom host name) through your school or employer, you will not be able to use passkeys to sign in at this time.”

  2. In the Security, “How you sign in to Google”: https://myaccount.google.com/u/1/security?hl=en
  3. Click “Passkeys” with the blue icon.
  4. Enter your password if prompted.
  5. Click “Create a passkey”.
  6. Click Continue to this pop-up:

    Passkeys are easy to set up and let you securely sign in to your Google Account using your fingerprint, face, screen lock, or hardware security key. You can create a passkey on this device, or use another device.

  7. If you are on a Mac, click “Continue with Touch ID” after reading

    Passkeys are saved in your iCloud Keychain and are available for sign in on all your devices.

  8. Touch your finger on the Touch ID sensor on your Mac.
  9. Click “Done” after reading:

    You can now use your fingerprint, face, screen lock, or hardware security key to verify it’s really you signing in.

    https://support.google.com/accounts/answer/13548313#account_has_passkeys


Few other apps support Passkey now

As of this writing in June 2023, only some tech-savvy websites have gotten on board with Passkey:

Keep using 1Password?

REMEMBER: You’ll still need to continue using 1Password on websites that are slow to adopt FIDO Passkeys.

Among board-level, sponsoring, and associate members of FIDO are familiar consumer-facing and IT companies which presumably know about Passkeys:

Tech & E-commerce:

  • Apple.com
  • Amazon.com
  • Intel
  • Intuit
  • Meta
  • Microsoft
  • Mozilla
  • Red Hat
  • Salesforce
  • Samsung
  • Sony
  • Twilio
  • Twitter
  • VMware

Financials:

  • American Express
  • Bank of America
  • Chase
  • Discover
  • ING
  • Mastercard
  • PNC Bank
  • Rakuten
  • US Bank
  • USAA
  • Vanguard
  • Visa
  • Wells Fargo

Retail:

  • CVS Health
  • Walgreens


Cross-platform authentication

  1. The FIDO Passkeys spec addresses the use case of you using a friend’s laptop, which does not have your credentials.

  2. On any web browser and operating system that supports Passkeys, type in the URL of the website.

  3. Type in your username
  4. Select “Add a new phone” for a QR code to scan using your mobile phone’s camera.

    [Screenshot: passkey sign-in prompt with yellow bar]

  5. Click on the yellow bar to make use of the URL provided by the QR code.
  6. Click “Continue” to confirm “Do you want to sign in?”.

    Behind the scenes, this cross-device flow (the FIDO “hybrid” transport, used by Apple, Google, and Microsoft alike) uses Bluetooth Low Energy as a proximity check, to ensure that the phone holding the passkey is physically near the computer. The QR code carries only a one-time connection secret, not the passkey; the phone signs the challenge itself and the result travels over an internet tunnel. Bluetooth therefore needs to be on during the sign-in on both devices, though it does not have to stay on afterwards.

    You can also share passkeys with others (one at a time).



Enterprise FIDO server

REMEMBER: Enterprise website operators need a FIDO server to work with Passkey.

Auth0


Google Passkey for Passwordless Login

https://developers.google.com/identity/passkeys

  1. Go to the application and sign in using the existing sign-in method.
  2. Click the “Create a passkey” button.
  3. Check the information stored with the new passkey.
  4. Use the device screen unlock to create the passkey.
