
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.


FIDO passkeys part 1 - passkeys for authentication

Edited 24.03.2024 16:30 | created | Petr Bouška - Samuraj |
This article covers FIDO user authentication with passkeys (access keys). Passkeys are a significantly more secure way to log in to a service than using a password. A private key (the user's own) and a public key (stored with the service) are used. Passkeys are FIDO credentials according to the FIDO2 standard. In this article we will look at how passkeys work, what their properties are and how they relate to the FIDO2 security key.

Note: For the use of passkeys, I'm focusing mostly on the possibilities of use within Microsoft Entra ID, which are currently being introduced. However, this article is general, focusing more on theory, and describes passkeys according to official documentation and standards. The next part will focus on practical use, for example within Google.

Introduction to replacing passwords with passkeys

Official information can be found on the FIDO Alliance website in the Passkeys 101 - What is FIDO section, primarily Passkeys (Passkey Authentication). Details are in the FIDO2 specification, which has two parts: CTAP and WebAuthn. The FIDO Alliance designed a wide range of user authentication options, but manufacturers (or platforms) may support only a certain part of them. An example is Microsoft's support for security keys, which has been available for some time.

A general description can also be found at Microsoft in the article What Is FIDO2?. More detailed information (also for developers) is available from Google in Passwordless login with passkeys, or at passkeys.dev from the W3C and FIDO Alliance.

Dangerous passwords

Probably everyone understands today that passwords are not secure enough. A password is a shared secret that both parties must know. There is a risk of it being stolen (from the user or the server) or revealed (password attacks). During authentication, it is transmitted over the network, where it can be intercepted. Attackers are increasingly using phishing to lure passwords (or user verification) out of users. We should use a different password for each service, and it should be strong (complex). This places great demands on users. Even the long-promoted regular password changes are not a solution.

As a defense, multi-factor authentication (MFA) began to be used. Common MFA methods work with a verification code (SMS or OATH) or with approval of the login, where we must own a specific device. But attackers manage to bypass even this security (in some cases). Using phishing, they obtain the verification code or login approval from the user on a fake page and then log in to the target service themselves.

Today's solution is to replace passwords with passkeys or generally phishing-resistant passwordless login. For users, this method is presented as logging in simply using facial recognition (Facial recognition / Face ID) or fingerprint comparison (Fingerprint / Touch ID). This is of course technically very inaccurate, but it may seem so to users.

I provided a lot of general information about authentication methods in the article Multi-Factor Authentication (MFA) in Microsoft Entra ID.

Passkeys vs FIDO2 (security key)

Recently, I focused on Sign-in with FIDO2 security key (mainly from a practical perspective; in this article we will discuss the principles of operation in more detail). FIDO2 is an open standard for user authentication from 2019. Earlier, it was most often talked about in connection with a security key, i.e., the FIDO2 security key. Probably in 2022, a new term, passkeys, appeared, but a lot of attention has been paid to it only in recent months (in my opinion). Even the FIDO Alliance pages have been changed: we no longer find a link to the article about FIDO2 (the page still exists) and the main term is passkeys.

Both FIDO2 and passkeys talk about FIDO Authentication, abbreviated as FIDO (Fast IDentity Online), which is a global authentication standard based on public key cryptography. In simple terms, I would say that passkeys is a term for a pair of cryptographic keys; a more accurate term would be FIDO2 sign-in credentials, because they also contain other information (attributes). So overall, we correctly talk about FIDO Authentication with passkeys.

On the FIDO Alliance website, only the term FIDO is used. More precisely, passkeys are based on the set of FIDO2 specifications, which has two components: the W3C (World Wide Web Consortium) standard Web Authentication - WebAuthn, and the complementary FIDO Alliance protocol Client to Authenticator Protocol 2 - CTAP2. WebAuthn is an API implemented in web browsers and platforms, so registered devices can perform FIDO2 verification. CTAP2 allows external authenticators (like a security key) to communicate with browsers and platforms for authentication. Currently, we have CTAP 2.1 and WebAuthn Level 2; CTAP 2.2 and WebAuthn Level 3 are in draft.

A FIDO2 security key is an external (roaming) authenticator, cryptographic hardware that performs FIDO authentication using passkeys. Microsoft has previously implemented the ability to log in using a FIDO2 security key. When talking about passkeys today, the use of other authenticators is considered as well. It can be a mobile phone, where the features of the operating system and hardware are used, or directly the computer from which we are logging in and its hardware (for example, Windows Hello with a TPM chip).

Later I read that Windows Hello is also FIDO2 certified (from Windows 10 1903). So it's an internal (platform) authenticator. Therefore, Windows Hello for Business also supports FIDO authentication using passkeys. If we want to create a passkey on a Windows device, Windows Hello is used (and required).

A passkey can be tied to one device (like a FIDO2 security key, but also a mobile phone or computer) or synchronized between multiple devices through a cloud service.

Entra ID and phishing-resistant MFA methods

Microsoft Entra ID supports several Passwordless MFA methods that are Phishing resistant. They all use an asymmetric pair of private and public keys and are tied to a specific device. In principle, they are similar.

These include Windows Hello for Business (computer TPM chip), Certificate-based authentication (smartcard or computer storage) and FIDO2 security key (HW key). Currently, Microsoft is adjusting the support for FIDO2 security key, which will expand to more general device-bound passkeys.

Among the passwordless MFA methods is also Phone sign-in using the Microsoft Authenticator app, but it's not among those resistant to phishing.

What are passkeys and how do they work

In the introductory chapter, we compared passkeys and the FIDO2 security key, which is ideal for those who are already familiar with security keys. That chapter also contains a brief description. Now let's describe passkeys in more detail.

Passkeys

Passkeys are a replacement for passwords with a more secure option of passwordless authentication using multi-factor authentication (MFA). We can say that it's a simpler and faster login option that is also phishing resistant.

Passkeys are always strong (whereas a password can be set to a weak one) and no shared secret (a password or key known to both parties) is used during login. An asymmetric pair of private and public cryptographic keys is used. It's a transition from credentials based on knowledge to those based on ownership.

A passkey is created uniquely for each online service (the term Relying Party [RP] is used) or application to which we want to log in. It is directly tied to the service domain (RP ID) and cannot be used with another.

The word passkey is a common term that should be used similarly to the word password. It should be written with a lowercase letter. Passkeys are FIDO credentials conforming to the FIDO2 standard (WebAuthn and CTAP2).

Passkeys are being developed within the FIDO Alliance, which brings together many large companies. They are based on FIDO standards. Support for passkeys was announced by the biggest players Google, Microsoft, and Apple in 2022. So it's built directly into the main mobile and desktop operating systems (Windows, macOS, iOS, Android) and web browsers.

Microsoft has supported them since Windows 10 1903 (in Windows 11 22H2 with KB5030310, support for management was added). Apple since macOS Ventura (13) and iOS 16. Google since Android 9. All common web browsers have supported FIDO login (the WebAuthn protocol) for a long time.

Principle of passkeys operation

There are two different operations:

  • registering a passkey with an online service
  • using a passkey for login

When a user registers with an online service (supporting FIDO2), they first select a supported FIDO verification method. Then they must activate (unlock) the FIDO authenticator, for example using a PIN or fingerprint. The client device (authenticator) generates a key pair that only works for the given website or application. The private key is securely stored on the end user's device, which can be a computer, phone, or security key. Access is protected by biometrics or a PIN. The public key, along with the generated Credential ID, is encrypted and shared with the service. The service stores it on its authentication server.

Diagram of FIDO2 authentication from fidoalliance.org

During login, the service generates a unique cryptographic challenge, which it sends to the client. The user must unlock access to the private key. The client device signs the challenge using the private key and sends it back to the service. The service verifies the signature and data using the registered public key, thereby authenticating (logging in) the user.

Diagram of FIDO2 authentication with passkeys

FIDO authenticators

An authenticator is a software component or piece of hardware owned by the user that is capable of performing FIDO authentication. Authenticators are used to verify ownership and confirm the user's identity. They are responsible for generating key pairs during registration and protecting the private key.

  • Roaming authenticator (external) - portable HW device separate from the client device, an example is a mobile phone or security key, connects to the client device via USB, BLE or NFC, allows users to carry their credentials with them and use them to authenticate on multiple devices, also called a cross-platform authenticator
  • Platform authenticator (internal) - is built into the client device, such as a computer or phone, includes biometric features and hardware chips (like TPM), for example Windows Hello, Android Fingerprint or Apple Touch ID

The authenticator stores the private key, and thus passkeys are tied to a specific device. It can be a computer, in which case we can log in only on that computer, or a security key or phone, which we can use to log in on various computers.

Cross-Device Authentication

Cross-device authentication allows the use of a passkey from one device to log in on another device. The CTAP protocol is used for communication between the authenticator and the client platform (the client uses WebAuthn with the service).

Web browsers today commonly support Sign-in with nearby Device. In this case, the passkey is on a nearby device (roaming authenticator), typically a mobile phone or security key. The mobile phone must be connected to the computer; most often Bluetooth Low Energy (BLE) is used to verify physical proximity. A security key is connected to the USB port.

Synced passkeys vs. Device-bound passkeys

Passkeys can be synchronized between user devices using a cloud service. Then they are referred to as Multi-device passkeys or Synced passkeys. Alternatively, they can be bound to a device from which they cannot be copied. We refer to these as Single-device passkeys or Device-bound passkeys.

I think the technical difference is that Device-bound passkeys have the private key stored in a way that it cannot be copied (obtained), ideally in some cryptographic HW (cryptoprocessor), such as a TPM, smart card or security key. Only cryptographic operations are called, which the HW performs using the private key.

The FIDO Alliance is trying to convince users to replace passwords with a more secure method. A great advantage of passwords is that we can use them anywhere (from any device). Therefore, the alliance proposed the possibility to synchronize passkeys between devices to overcome users' reluctance in this regard.

The alliance tries to argue that it is still sufficiently secure (synchronization providers must have strong account security protection, communication is encrypted, etc.). We store synchronized passkeys (typically) according to the platform with our Apple account (iCloud Keychain), Google (Google Password Manager) or Microsoft (Microsoft account). Nevertheless, Microsoft decided to support only Device-bound passkeys for Entra ID.

Personally, I think that using specialized cryptographic HW (such as a smart card or security key) to store the private key provides higher security than when it is stored in the operating system (on a mobile phone or computer). There, Trusted Platform Module (TPM), Trusted Execution Environment (TEE) or Secure Element (SE) should probably be used. With the possibility of synchronization, when the private key gets outside our device, security is further reduced. However, it's better than using a password. For certain situations, it's necessary to look for a compromise between security and simplicity and availability.

Discoverable credentials

Passkeys can replace not only the password but also the username during login. The user doesn't have to enter anything when logging in. It's enough to choose the corresponding login method (FIDO passkey / security key) and select an account from the list of passkeys. FIDO Credentials contain various attributes such as cryptographic algorithm, username, and service domain.

Two-step verification may be required, where the user must know their ID (enter a username) and keys are searched based on it. Credentials that can be found without knowing the ID are called Discoverable credentials (previously referred to as resident key). Login credentials must be created as Discoverable credentials already during registration.

What is the strength (category) of passkeys authentication

Multi-Factor Authentication

Authentication using passkeys meets the basic principle of multi-factor authentication (MFA). Keys are stored on a device (something the user has) and biometrics (something the user is) or a PIN (something the user knows) must be used to use them. It's important that an attacker cannot obtain the private key from the user's platform (for example using a stolen password; then they would need only one factor to log in).

Passwordless Authentication

Logging in using passkeys is referred to as passwordless login because we don't use a password to log in to the application or website. So no form of password is transmitted over the network. Instead, a private key is used and it signs data that is sent to the service. So even the key is not transmitted over the network.

Access to the key on the device is protected using the same biometrics, PIN, or password that the user uses to unlock it (log in). The user approves logging into the application or website using the given method. Biometric information or PIN/password is used only locally on the device and is not sent to the target server.

In many cases, we can use a PIN to access the key. To the user, it may seem like they are logging in with a PIN, which is essentially a password. The meaning of passwordless login is that this PIN (password) is not used for verification with the target service. If an attacker obtained the PIN, they couldn't use it to log in; they would also have to obtain the device.

Phishing resistant login

A private key is used for login, but the user doesn't work with it directly and in most cases doesn't even have access to it. So it's not possible for an attacker to lure it from the user, as can happen with a password (by displaying a fake dialog where the user enters it).

The second thing is that logging in using passkeys can only be done on the device where the keys are stored, or on another device in physical proximity (roaming authenticator). We also need to unlock access to the authenticator. By contrast, if we use login approval on a mobile phone (Phone sign-in) for MFA, we can approve an attacker's login somewhere on the internet (an approval they fraudulently lured from us).

Protection against MITM (Man-in-the-middle attack)

All documents about passkeys emphasize that they are resistant to phishing. In some places, it's also stated that they are resistant to man-in-the-middle attacks (MITM). This information is directly in the WebAuthn specification. It's harder to find details on how this is achieved.

A passkey is tied to the service domain and can only be used for it. If an attacker creates a spoofed page, the URL doesn't match and the passkey is not used. This check is built into the technology, so even the user cannot bypass it and try to log in anyway. The service domain (RP ID) is also sent during the verification communication.

In the authentication process, a challenge is used, which is created by the service in the first step of the credential request. It must be unique, cryptographically secure (unpredictable), with limited validity. It protects users against replay attacks. The Transport Layer Security (TLS) protocol is also used, i.e., certificates and domain verification.
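
The login flow from "Principle of passkeys operation" and the checks described above (challenge, RP ID, origin, signature), as an added example that is not part of the original article: a simplified service-side verification in Node.js. The function names and the example.com / example.net values are constructed for illustration, and the browser and authenticator are simulated together in one function.

```javascript
// Added example, not code from the article. Simplified: a real service should
// use a maintained WebAuthn library. example.com/.net and all names are constructed.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Registration: the authenticator creates a key pair for one service;
// the service stores only the public key (prime256v1 = P-256, used by ES256).
function register() {
  return nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Login, client side (browser and authenticator simulated together).
// The browser, not the page, writes the origin into clientDataJSON.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin,
  }));
  // authenticatorData = SHA-256(rpId) | flags (0x05: user present + verified) | counter
  const authenticatorData = Buffer.concat([
    sha256(rpId), Buffer.from([0x05]), Buffer.from([0, 0, 0, 1]),
  ]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign("sha256", signed, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Login, service side: returns "ok" or the name of the first failed check.
function verifyAssertion(a, expected, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge-mismatch";
  if (client.origin !== expected.origin) return "origin-mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpid-mismatch";
  const flags = a.authenticatorData[32];
  if ((flags & 0x01) === 0) return "user-not-present";
  if ((flags & 0x04) === 0) return "user-not-verified";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!nodeCrypto.verify("sha256", signed, publicKey, a.signature)) return "bad-signature";
  return "ok";
}

// Constructed scenarios: one genuine login and three that must be rejected.
function demo() {
  const { publicKey, privateKey } = register();
  const rp = { rpId: "example.com", origin: "https://example.com" };
  const first = nodeCrypto.randomBytes(32);  // challenge for this login
  const second = nodeCrypto.randomBytes(32); // challenge for a later login
  const good = signAssertion(privateKey, rp.rpId, rp.origin, first);
  // Same key, but the browser recorded a different origin (look-alike page).
  const relayed = signAssertion(privateKey, rp.rpId, "https://example.net", first);
  // Correct fields, but signed with a key the service never registered.
  const forged = signAssertion(register().privateKey, rp.rpId, rp.origin, first);
  return {
    genuine: verifyAssertion(good, { ...rp, challenge: first }, publicKey),
    replayed: verifyAssertion(good, { ...rp, challenge: second }, publicKey),
    lookalikeOrigin: verifyAssertion(relayed, { ...rp, challenge: first }, publicKey),
    wrongKey: verifyAssertion(forged, { ...rp, challenge: first }, publicKey),
  };
}

console.log(demo());
```

The service must also discard each challenge after one use or after its validity expires; the example models this by expecting a fresh challenge on the second login.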


Comments
  1. [1] J.j.

    Many thanks to the author of this article for the detailed description of the principles of what is, in my opinion, the most advanced secure authorization, and for describing how it is used in practice with the various devices used for authentication and authorization. I am glad that the development of these technologies has, in my opinion, finally come far enough that one can trust the claims of some institutions using this technology that communication with them is secured at the highest level. I would like to use an external hardware key with passkeys. Unfortunately, I don't know which of our banks already support this new technology. So far, unfortunately, mostly only mobile banking apps are used, which store private keys in encrypted form directly on the phone. Even that is great progress, but phones are the devices that, of all things, are most often stolen from a person or most easily lost somewhere, because people carry them around all the time. If someone knows the identity of the phone's original owner, gets hold of their fingerprints and successfully uses them to unlock the phone, which is not that hard, they get access to everything. A phone with Face ID is well secured, so a stranger cannot easily misuse it, but if it is stolen from its owner, it seriously complicates their life. All banks should therefore support and promote HW keys with this new technology as much as possible, and not claim in general that phones alone, without an external HW key, are the best thing for mobile banking. And yet the banks do not even properly explain how the modern technology works.

    Thursday, 19.09.2024 11:10