In March, we published a blog called “YubiKeys, passkeys and the future of modern authentication” which took a look at the evolution of authentication from when we first introduced the YubiKey back in 2008, to where the industry is heading with the adoption and adaptation of WebAuthn/FIDO authentication.
In recent months, there have been several news cycles about “passkeys.” This has caused some excitement, as well as some confusion, about what we as an industry and as a driver of authentication standards are doing to move beyond passwords.
Since then, we have received questions from our customers and partners for additional clarity around passkeys, which we highlight in this webinar and below in this post.
We are delighted that the FIDO Alliance and W3C WebAuthn standards we worked hard to create and enhance are being embraced deeply by device, operating system, and browser vendors and will be offered as a built-in authentication feature for everyone. The security tradeoffs they will be making in their implementations will allow consumer friendly, lower assurance use and recovery options that are far better than passwords alone, and are reasonable for non-critical services. Users who want to use high assurance, hardware-bound (non-copyable) credentials, like those in YubiKeys, can do so via the same WebAuthn functionality adopted by websites, and services can choose to require high assurance, verifiably hardware bound credentials for enterprise, sensitive, or high risk users, or for all users of a service. It all works with the same standards!
With that, let’s jump in to help answer the most popular questions we have heard, from Yubico’s perspective. This FAQ will continue to evolve and be updated.* Keep checking back for the latest answers around any passkey questions you may have.
What is a passkey?
Passkeys are like passwords, but better. They’re better because they aren’t created insecurely by humans, and because they use public key cryptography to create much more secure experiences.
But passkeys aren’t a new thing. It’s just a new name starting to be used for WebAuthn/FIDO2 credentials that enable fully passwordless experiences. These types of credentials are also called discoverable credentials, or sometimes resident credentials.
We like the new term and will use it, because it helps people understand they’re a password replacement with a simple term. “Passkey” is much more understandable by most people than “discoverable WebAuthn/FIDO credential.”
The first public mention of the term passkey to a wide audience was last year by Apple at a WWDC2021 talk where they introduced a “Passkeys in iCloud Keychain” technology preview to developers.
Passkeys refer only to WebAuthn/FIDO credentials, and not to the many other keys and protocols, such as PIV, OTP, or OpenPGP Card, available in the YubiKey 5 Series.
(image courtesy of @vibronet via Identiverse)
Is ‘passkey’ the new name for FIDO and WebAuthn credentials?
Passkey is a term that the industry is rallying around for FIDO credentials that can fully replace, rather than only augment, passwords. These are called resident or discoverable credentials in the specs. We think “passkey” is a better term than “discoverable WebAuthn/FIDO credential,” because it evokes its ability to replace passwords in an accessible way.
Passkeys in YubiKeys have been supported since discoverable credentials were added in the WebAuthn/FIDO standards around 2018. However, it’s important to note that passkeys in YubiKeys are not copyable, meaning the passkey is bound to the YubiKey.
See the question below, “How are passkeys different from YubiKeys?”, for additional information.
Why is the term passkey in the news a lot recently?
Some Platform/OS vendors started shipping support for fully passwordless experiences using external authenticators like YubiKeys, and also using the security focused hardware built into their devices such as TPMs, as early as 2019.
Work is still ongoing on different platforms and browser combinations to complete robust passwordless experiences with both internal and external authenticators. Platform vendors have started publicly signaling their intent to complete that work, and have reaffirmed their ongoing commitment to standards bodies such as the W3C and FIDO.
Expect to see a lot more about passkeys from platform vendors such as Apple, Google, and Microsoft, as well as from external authenticator vendors such as Yubico, in the news once the implementations ship and evolve over the next year or so.
What additional changes are coming that are being talked about in association with passkeys?
At the highest level, there are two new things coming in order to increase service and consumer adoption of WebAuthn/FIDO:
- Android and iOS phones that have passkeys on them can be used, mainly via Bluetooth and the internet, to log into other devices such as laptops.
This is exciting, and has always been part of Yubico’s vision for the protocols we’ve worked to create and proliferate.
Yubico helped create the original Bluetooth FIDO transport and even built a proof-of-concept Bluetooth YubiKey. That helped us collectively learn how unreliable some Bluetooth implementations and features can be in the wild. This new “phone as security key” functionality uses what was learned from that protocol, and uses internet connectivity to mostly avoid Bluetooth except for proving proximity. (If you’re feeling curious, the protocol is called caBLEv2, and is soon to be renamed to the “hybrid” transport because it supports multiple proximity options and multiple reliable transport options.)
- Platform FIDO credentials will soon by default be automatically copied to other devices logged into the same platform provider’s password manager service, in the same way that passwords are today.
This was done to help ease recovery from the loss of a device, but comes with security tradeoffs. Those tradeoffs may be OK for consumers in some environments, but are unlikely to meet the needs of enterprises with security or compliance needs.
How these new things work is still in beta and subject to change, but you can expect to see a lot more about them as implementations near completion. You can also read more in our previous blog post on this topic.
We’ll make sure to continue to publish and update our take on these features as they ship, and will also provide detailed developer guidance to help navigate the protocol and code changes that will be needed to take full advantage of the flexibility afforded by these changes, while ensuring appropriate security for the applications that depend on them.
How are passkeys different from YubiKeys?
They’re the same, and they’re different.
They’re the same because YubiKeys have had the ability to create these passwordless enabled FIDO2 credentials (passkeys) since the YubiKey 5 Series became available in mid-2018. Currently, YubiKeys can store a maximum of 25 passkeys. We are evaluating increasing this in the future because of the likely increase in fully passwordless experiences across the web that require them.
They’re different because Platform created passkeys will be copyable by default using the credentials for the underlying cloud account (plus maybe an additional password manager sync passphrase), whereas passkeys in YubiKeys are bound to the YubiKey’s physical hardware where they can’t be copied.
What terms will Yubico use to talk about passkeys?
We like the term passkey and plan to use it. Because many things are being talked about at the same time, we will try to use terminology consistently to make the differences or similarities clear depending on the situation. This is still a work in progress across the industry, and we will adapt as things change.
Here are a couple of examples that may help for now:
- Copyable passkeys are often called “multi-device,” “syncable,” “backup enabled,” “shareable,” or similar terms. Some of these terms are easily confused with the WebAuthn/FIDO concept of an authentication device’s “attachment” which can have the values “platform” or “cross-platform.” We prefer to use “copyable” because it clearly describes what can be done with the credential, but does not imply any goodness or badness and does not use overloaded or confusing terms. Non-copyable passkeys are sometimes called “single-device passkeys.”
- We prefer to use “hardware bound” because it describes where the credential lives clearly, without implying that the credential can only be used with one device: it can be used with any device or platform, but only from the one authenticator to which it is bound.
What are the security tradeoffs between copyable and hardware bound passkeys?
Hardware bound passkeys, such as the ones that are on YubiKeys, are the gold standard for modern, phishing-resistant authentication and security. They are very easy to reason about and build systems around: no device, no access. However, for consumers registering credentials to many sites, managing multiple authenticators so you have an up-to-date backup can present challenges.
Copyable passkeys can make it easier to recover in the event of a lost device if the user can obtain another device that works with the cloud syncing service they used, and can recover their account. Using that copyable credential proves that there was access to a device which was logged into the user’s cloud account. This can be a useful additional signal, but does not provide the same level of security as a hardware bound passkey.
We’ll expand more on this in future content for different audiences as implementations ship.
What is Yubico’s overall guidance about passkeys?
- We hope that a consumer focused push about passkeys will entice more services to enable support for WebAuthn/FIDO.
- Copyable passkeys offer roughly the same security as “Sign-in with Google/Apple,” plus an additional key sync password.
- Today, banks, enterprises, and those wanting or needing high security do not rely solely on the security of cloud accounts provided by Sign-in with Google/Apple via federated login protocols like SAML, OpenID Connect, or OAuth. Even if copyable passkeys are used to provide that association instead, the security provided will still be insufficient for high security needs.
- The multitude of high security use cases faced by many organizations need more protocols than just FIDO. These organizations need the security guarantees and cryptographic attestations provided by hardware backed credentials to know their systems are safe, and to be able to prove it.
- Attestation is also the only way to achieve high confidence that a given credential is hardware bound.
- Services should continue to request, store, and use attestation information to make risk decisions based on the type of credential that is used. Our detailed guidance on attestation is provided in more detail on our developer site.
- More use of WebAuthn/FIDO hopefully means that eventually fewer people will use, and fewer services will have to deal with creating and securing dangerous username and password-based systems.
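As an added illustration of the attestation guidance above (example code, not Yubico’s or the standards’ own), this relying-party snippet parses the authenticatorData returned at registration, reads the backup-eligible/backup-state flags that mark a copyable credential, and gates high-assurance enrollment on a verifiable attestation plus an AAGUID allowlist. The allowlist value is a constructed placeholder, and verifying the attestation statement’s signature chain is assumed to be done by a WebAuthn library before this policy runs.

```python
# Added example: relying-party policy for accepting only hardware-bound, attested passkeys.
import struct
import uuid

# authenticatorData flag bits (WebAuthn "Authenticator Data" layout)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be copied/synced
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) included

def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData into rpIdHash, flags, signCount, AAGUID and credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    info = {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": struct.unpack(">I", auth_data[33:37])[0],
            "backup_eligible": bool(flags & FLAG_BE), "backed_up": bool(flags & FLAG_BS)}
    if flags & FLAG_AT:
        info["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        info["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key follows; a real RP decodes it with a CBOR library.
    return info

# Constructed placeholder: AAGUIDs the service trusts as hardware bound. Real values come
# from the authenticator vendor or the FIDO Metadata Service, not from this example.
TRUSTED_AAGUIDS = {"00000000-0000-0000-0000-00000000abcd"}

def accept_for_high_assurance(fmt: str, auth_data: bytes, chain_verified: bool) -> tuple:
    """Return (accepted, reason). fmt is attestationObject["fmt"]; chain_verified is the
    result of the library's attestation-statement signature/trust-chain check."""
    info = parse_auth_data(auth_data)
    if fmt == "none" or not chain_verified:
        return False, "no verifiable attestation: cannot prove the credential is hardware bound"
    if info["backup_eligible"] or info["backed_up"]:
        return False, "credential is copyable (BE/BS flag set)"
    if info.get("aaguid") not in TRUSTED_AAGUIDS:
        return False, f"authenticator model {info.get('aaguid')} not on allowlist"
    return True, "hardware bound, attested credential"

def build_auth_data(flags: int, aaguid_hex: str, cred_id: bytes) -> bytes:
    """Constructed sample authenticatorData for testing (no COSE key appended)."""
    return (b"\x11" * 32 + bytes([flags | FLAG_AT]) + struct.pack(">I", 1)
            + bytes.fromhex(aaguid_hex) + struct.pack(">H", len(cred_id)) + cred_id)
```

Services that want this check to mean anything must request attestation at registration (`attestation: "direct"` in the create options) rather than the default, which strips it.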
We are happy that the standards we co-created and have worked on improving for years are seeing even wider adoption, and are hopeful that these motions will continue to reduce harm and advance our mission to make the internet safer for all.
We know that there are already more questions to answer, and invite you to view our webinar: “Passkeys and the future of modern authentication: Q&A with Yubico’s CTO.” During the webinar, we dive even deeper into the topic to help bring clarity, eliminate confusion and answer any specific questions that you may have.
Additionally, read the report conducted by Enterprise Strategy Group (ESG): Devising Your Enterprise Authentication Strategy with Passkeys
* This post was last updated on November 29, 2022.