Passwords dead; long live passwords

Passkeys are here – heralded as the end of passwords. Fully supported on iOS devices and in the latest Windows update.

So the theory is good – we replace passwords with public-private key pairs stored in a password manager (so no remembering anything). The computer supplies the credential (no typing), the private key never leaves the device (so it can’t be observed in transit), and the public key is worthless to anyone who obtains it (so it doesn’t matter if the site you’re using it on gets hacked). And since a password manager is doing the remembering there’s no cost to having a different key pair for every login – so even if you obtained the full key pair for one site it’s not useful on other sites or for tracking users across multiple sites, unlike passwords, which commonly get re-used. It avoids the more obvious phishing attacks, since your browser looks up the passkey based on the website you’re using it on – if you’ve typed the wrong domain name (or been misled, or clicked on a dodgy link) there is no passkey to offer up. The password manager won’t sign the relevant bits without you authenticating to your device, e.g. with a biometric that again isn’t shared with the website you’re authenticating to – so it’s claimed this is two-factor authentication as well.

So does it work? I started experimenting on the iOS device – it has the fullest support, and will store passkeys in Apple’s keychain, allowing secure sharing to other iDevices. First problem: not that many sites support passkeys. So I tried Amazon first – and it seems to just work. I can sign in with a passkey from my iDevice; its little Face ID “do you want to authenticate” prompt popped up and it did the rest. A bit more experimenting – you can have multiple passkeys to log into a site (e.g. for different devices). Second problem is Amazon’s UI is in its early stages – you can’t delete a specific passkey, only delete all keys! The third problem is there’s no way to turn off passwords – so despite the benefits of passkeys there’s still a guessable / hackable / leakable credential floating around. Setting it to the longest string of random characters I can dream up and forgetting it seems like a workaround I shouldn’t need.

Then a surprise win. Logging in on a PC, Windows pops up a QR code, talks to your device by Bluetooth (which then pops up its biometric ID prompt) and everything just works. So while I could have separate passkeys scattered across devices, keeping them in one family of devices seems easier. Doesn’t seem to work without the device having internet though.

The Google experience is similar – but again, seemingly no way to disable passwords.

Now I have many Windows boxes – only one has Bluetooth. All the others won’t let the iDevice talk, so time to try Windows’ passkey support. It basically does the same magic – in this case your passkeys are protected by whatever Windows normally protects credentials with (Windows Hello, biometrics or, if you must, a PIN). But it’s not as complete – there’s seemingly no way to export or back up passkeys, nor is there any way to synchronise them across multiple Windows boxes, unlike e.g. Edge’s password manager. So you end up having a passkey per device in the Windows world.

So, er, Microsoft? They claim to support it. But after many hours of swearing you end up running the Microsoft Authenticator app instead, and I can find nowhere across personal or business Microsoft 365 to offer it a passkey. App, security key, Windows Hello, linked-to-Windows, anything but passkey. Although Windows Settings > Passkey seems to have auto-generated a passkey for this purpose. Curious. And even if you set up Microsoft’s Authenticator app on Business 365 – it’s a sysadmin fiasco navigating the maze, and I was ultimately unable to disable password login.

PayPal is then a disaster; it offers to create a passkey, but gets stuck in an infinite loop authenticating you. eBay is more curious – it works on the iDevice; they’ve utterly defeated doing the QR code thing from a Windows box.

So after all that faff what have we learnt? When it works (which it very much does on iOS, and does with limitations on Windows) it’s magic. But I’ve been able to get rid of passwords in zero cases, so they linger as security holes. And people’s ability to break it (PayPal, eBay), make it nearly impossible to use (Microsoft), or just have crap UI (Amazon) means the world has a long way to go to enable widespread adoption.

While experimenting, bigger security holes become obvious. Back in the day, closing a web browser meant all the state vanished. Whereas in the modern world browsers are remarkably good at remaining logged in to sites, and even sync this information across multiple computers. So the chore of remembering to log out resurfaces – otherwise there’s no authentication at all.

Nothing much changes if you lose a passkey – like forgetting a password a similar reset procedure is needed. Again, control of your email address is your most valuable credential.

There’s also the usual annoyance – old devices don’t understand all of this, so if you want to be password free you need to turn your old devices into landfill; personally I’m not so happy about this.

So after some experimenting there’s a glimmer of hope that passwords can be consigned to the dustbin of history. It’s sad that this is built on stuff like public-private key pairs, which we knew how to use long before the internet existed, and that the tweaks to web protocols to handle passing the keys around could likewise have been implemented two decades earlier. I guess the game-changer is smartphones handling on-device the biometrics needed to keep keys secure. But I fear passwords will be with us for a while.
