Mostly, It's All About Tech... Mostly.

Passkeys and ‘tech bro’ Privilege

I've been getting quite annoyed by Passkeys recently. Usually, I'd herald any attempt to save the older generation from getting scammed on the internet as a 'good thing', but Passkeys, despite what the tech press is trying to tell you, are not a good solution.

Before I explain why I have this view, let me explain what a Passkey is and how they work.

How do Passkeys work in simple terms?

In non-technical terms, a Passkey is like a 100-dollar bill that is automatically created by your computer when you choose to use (or are eventually forced to use) Passkeys to authenticate yourself with an online service.

Like all note-based money, this 'bill' has a unique code on it, which makes it one-of-a-kind.

What the Passkey system then does is tear this virtual bill in half, much like the image at the top of the post. Each half of this bill only fits the other half.

One-half of the bill is securely stored in the system that runs the online service. The other half of the bill is securely stored on your computer.

When you next visit that online service, your computer will present the service with your half of the bill. The online service will look at the unique code on your half of the bill, find the other half of the bill with the same unique code, and see if the halves fit together perfectly. If they do, your computer is told that the Passkey is valid, and you are automatically logged into the online service. No Usernames and No Passwords. It all just happens in the background without you having to do anything.

Not only is this more convenient for you, the end user, but it is also more secure. Only the real online service has the other half of the bill, so fake websites can't impersonate the online service and steal your half of the bill to use elsewhere. Your computer only has your half of the bill, which is useless without the other half that is stored in the service. This means that bad software, such as malware, can't snoop on your computer and steal your half of the bill, as it is also useless without the other half.
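The torn-bill flow above, written out as a small Go model (an added example, not code from the original post or from any Passkey implementation): the service keeps a public key as its half, the user's device keeps the matching private key bound to the site it was minted for, and a login is a signature over a one-time challenge. The `rpID`/challenge binding here is a simplification of what WebAuthn actually signs; the struct and function names are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// cred is the user's half of one "bill": a private key plus the site (rpID) it was minted for.
type cred struct {
	rpID string
	key  *ecdsa.PrivateKey
}
// Authenticator keeps the user's halves and Server the service's halves (public keys),
// both keyed by the bill's unique code, the credential ID.
type Authenticator struct{ Creds map[string]cred }
type Server struct {
	RPID string
	Pubs map[string]*ecdsa.PublicKey
}
func NewAuthenticator() *Authenticator { return &Authenticator{map[string]cred{}} }
func NewServer(rpID string) *Server    { return &Server{rpID, map[string]*ecdsa.PublicKey{}} }
// signedMessage ties a signature to both the site and the one-time challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Register mints a key pair, keeps the private half and hands the server the public half.
func (a *Authenticator) Register(s *Server) string {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	id := string(priv.PublicKey.X.Bytes()) // the bill's unique code (real authenticators use a random ID)
	a.Creds[id] = cred{s.RPID, priv}
	s.Pubs[id] = &priv.PublicKey
	return id
}
// Sign answers only with a credential minted for the rpID the browser reports; a look-alike domain gets nothing.
func (a *Authenticator) Sign(rpID string, challenge []byte) (string, []byte, bool) {
	for id, c := range a.Creds {
		if c.rpID == rpID {
			sig, err := ecdsa.SignASN1(rand.Reader, c.key, signedMessage(rpID, challenge))
			return id, sig, err == nil
		}
	}
	return "", nil, false
}
// Verify checks that the presented signature fits the stored public half for that credential ID.
func (s *Server) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := s.Pubs[credID]
	return ok && ecdsa.VerifyASN1(pub, signedMessage(s.RPID, challenge), sig)
}
```

Because the private half never leaves the device and each signature is tied to a fresh challenge, a copied signature is useless on the next login and a phishing domain never receives one at all.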

Note: Before any technically minded people get all indignant about how I've described this – yes, I know exactly how Passkeys work 'behind the scenes,' but none of that is relevant to this post.

So far, so good, right? It seems more secure than usernames and passwords, and it is. Plus, you don't have to remember anything or write anything down, which is always a plus.

However…

There are a few issues with the specification that I have a problem with.

Passkeys are non-shareable

The specification says that Passkeys can be of two types. The first type allows for the user part of the torn 'bill' to be synced to other devices; the second type prevents any syncing at all and locks the user part of the torn 'bill' to the device it was created on.

My problem with this is that when the specification says 'sync', it means that it can only be copied and managed by an approved 'authenticator'. An authenticator is your Google, Microsoft or Apple account, or it can be one of a few approved Password Managers.

Even though it is your half of the 'bill', and it belongs to you, you have no actual ownership over it. You are expected to store it in a cloud solution with a vendor that you trust implicitly so that it can be restored to a replacement computer or phone or shared between multiple devices that you use. Large password breaches are due mostly to the vendor's own systems being compromised, so this does not feel like a secure solution.

The online service itself controls the option to enable synchronisation between devices of a Passkey. There will be several service providers who, 'for your security', will disable this option and lock your half of the 'bill' to your current device. If you wanted to log on to that service on both your phone and your tablet, you wouldn't be able to because the service provider has blocked it.

Passkeys only work if your device is secured

Contrary to popular belief in the technology community, not everyone locks their devices. People should be free to use their devices however they choose, and not setting a login PIN, password, or biometric is a user choice.

Yes, there are security risks to this, and we can all agree on that, but it's still the end user's choice not to lock the device, and technology shouldn't override freedom of choice.

This leads on to the next issue…

'One Person = One Machine' is a Myth

This is where we get to the click-baity title of this post. There is a massive and almost blanket assumption in the 'tech bro' community that everyone has the latest and greatest device in their pocket that belongs to them alone, running the latest and greatest OS for that device.

This is plainly wrong.

Some people ONLY have access to a family iPad. Some people have no devices at all and must borrow other people's. Some people use a library computer that has no concept of persistent or unique user accounts.

People on work machines may work in a company that wipes user profile information on every logoff.

None of these people are in a position where Passkeys will work for them. There is an option to store a few Passkeys on a USB device (such as a YubiKey), but many computers in shared areas have their USB ports disabled.

Finally, under this issue comes the scenario that no one likes to talk about openly: people in long-term relationships share passwords.

Many couples who share a household have 'joint' logins for some services: food shopping sites, maybe an Amazon account, the utility companies' portals, the parents' portal for their kids' schools.

In many of these cases, it's a convenience that either person can just 'jump on to' the online service and do what needs to be done without having to wait for the other person to be available, as they are the ones who originally set up the account.

Passkeys do not, and never will, support this scenario as it's deemed 'insecure'.

Proponents of the Passkey system are quick to point out that Passkeys can be stored inside some Password Manager applications, and those applications can support multiple account access. This leads back to trusting your secure logins with a third-party provider. There is a history of organisations that provide Password Manager software being breached and user information stolen.

What if you are Locked Out?

So far, Google has shown that it does not care if you lose access to your Google account, even if it's not your fault. Imagine if your Google account was taken over, and you've lost access to it. If you stored all your Passkeys inside that account (via Chrome or a Chromebook login), you will have lost access to all of those as well. If any online services do not allow you to log in by an alternative means, you will be locked out of those too.

If online services also allow you to log in using a traditional Username and Password alongside the Passkey, you should question why the Passkey exists in the first place for that service, as it would effectively be reduced to performing the same function as a 'remember me' checkbox on the login page.

Conclusion

Passkeys are going to be pushed upon us. There's no doubt about that. The Vendors love the idea of them, as they enable what is called 'vendor lock-in' where the friction of leaving a service (in this case, the holder of the Passkeys) is so great that no user ever leaves.

Unlike a username and password, Passkeys are not yours. You never see them, you can't control them, you can't share them. You have no agency over them whatsoever.

What's the alternative to Passkeys? I personally do not know. I do know that everyone should try to achieve good security practices by having long, multi-word passwords with some numbers and symbols. And if you can, have different usernames for different services.

(And you most certainly shouldn't keep all your usernames and passwords on a little slip of paper inside your wallet or purse…)

I am not naïve enough to think that the mini-rant that is this post will have any bearing on the rollout of Passkeys, but even if one person reads this and has second thoughts about Passkeys, then at least I can say I tried.