As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.

Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a banking app — there was an implied emphasis on convenience rather than security.

Until very recently, hardly any of the services I’ve used communicated its benefits in terms of greater security. Plenty of services compel customers to reauthenticate with their password periodically to allow for continued logins using biometrics. This completely misses the point.

A vague sense of passkeys’ convenience being more relevant than their security is one thing. An impression that they’re actually less secure is another.

This recent LinkedIn poll by Auth0 compelled me, in part, to write this piece.

The fact that the extra security benefits come only third in the poll is striking. My colleague Jeff Crume has recorded two excellent videos on the topic here and here.

I’m taking a slightly different tack. Before allaying concerns with the new thing, I intend to flip the question around.

Why do we unduly (or even blindly) trust the security status quo?

Many IT leaders and engineers remember the earlier days of cloud adoption when cagey executives placed more burden of proof on big cloud providers for security and resiliency than they did on their own server cabinets housed in leaky janitors’ closets.

Putting the spotlight on the implication that the incumbent thing is automatically good has always been a favorite exercise of mine.

The fields of cognitive psychology and behavioral economics conduct studies of some relevant interrelated and overlapping phenomena here. The godfathers of these fields, Daniel Kahneman and Amos Tversky, postulated the availability heuristic, whereby the most easily recallable things are erroneously judged to be the most true.

A closely derived spin-off of this heuristic is the familiarity heuristic. Subjects were shown fewer but more famous female names than the more numerous but non-celebrity male names. The familiarity of the female celebrity names caused them to believe that they were more frequent in the deck.

But the phenomenon that best fits our considerations here is Robert Zajonc’s mere-exposure effect. As fascinating as it is scary, his body of work describes robust evidence that liking/disliking is what really drives our decisions, with cognition playing a startlingly minor role the majority of the time. This effect, in turn, can be hacked simply by repeated exposure to a stimulus.

More insidiously, Zajonc demonstrated that low-level, less noticeable stimuli can get under our radars and cause us to like something via feelings of familiarity without our being conscious of it. More recent scholars of the lineage appear to support the assertion that usually, very little cognition is involved in forming attachments or aversions, with familiarity and repetition being the greatest contributors to them.

In light of this, it’s easy to see what fuels the dynamic whereby a lie told often enough becomes truth. This tendency can cause us to put misplaced trust in the commonplace as a false corollary to our suspicion of the novel.

Nassim Taleb rightly points out in his discussion of the Lindy effect that the tried, the tested and the longstanding are usually those very things for good reason, but that shouldn’t blind us to their weaknesses.

As a result of all these factors, people would likely be reluctant about passkeys even if services communicated their enhanced security benefits. To that end, let’s compare how passwords and passkeys work and examine which ones are more secure.

How passwords work

First, let’s take a quick look at password creation, storage and authentication.

When a user creates an account and defines a password, the password is fed through a hashing algorithm like sha256. This allows the hash’s value to be used to verify passwords without the service provider ever storing the password or knowing what it is.

To illustrate, let’s take the passwords “MySecurePassword123” and “MysecurePassword123” (the difference being the s for “secure” in the latter is lowercase).

See how radically different their hash values are:

• MySecurePassword123 -> 1a5b06de7c27f493f0b246de9ab71dc35fc2171c38dc4c2b54f37e065a85e6f5
• MysecurePassword123 -> d3f05a7223df23f4295a7e3be9a6f64c1f9bf5b90068b8e4a1b5e0e0440bb594

Let’s continue with the example “MySecurePassword123.” To ensure that two users with the same password don’t end up with the same hash values, a string of random characters is generated and appended to the start first. This is known as “salting.” This random string of salting is added to the beginning of the password that the user defines.

Let’s step through the process:

• Original Password: MySecurePassword123
• Generate Salt: \x8e\xd7T\xe7\xd6\x84\xbb\x18\x1a\xed4sBp\x06
• Combine with Password:
  • \x8e\xd7T\xe7\xd6\x84\xbb\x18\x1a\xed4sBp\x06MySecurePassword123
  • (or \x8e\xd7T\xe7\xd6\x84\xbb\x18\x1a\xed4sBp\x06 + MySecurePassword123)
• Hashed combination Salt+Password:
  • 35f3b09d68e4c0059d06d2b259c21dd67c5b33a520ff2b1980ad5dcafc764de1

This final hashed combination, along with the salt value generated at registration time, is what finally gets stored:

• Salt: \x8e\xd7T\xe7\xd6\x84\xbb\x18\x1a\xed4sBp\x06
• Hashed combination Salt+Password:
  • 35f3b09d68e4c0059d06d2b259c21dd67c5b33a520ff2b1980ad5dcafc764de1

For each authentication, the saved string of salt is retrieved, added to the beginning of the password entered by the user, fed through the same hashing algorithm and checked against the hash value stored in the directory.

This means a user entering “MySecurePassword123” as their password will have the stored salt value added to the beginning every time and always end up with the same hashed combination value.

The main drawback is that users still need to transmit their passwords over the internet every single time. Not only that, they can be hacked or cracked by brute force, credential stuffing or dictionary attacks.

Now, let’s compare this with passkeys.

How passkeys work

To put the most important information first, passkey authentication is based on a protocol called Fast Identity Online 2 (FIDO2). Its headline security benefit is that it negates the need to transmit credentials over the internet by sending pieces of cryptography instead. Also, because of its use of private and public keys, it leaves hardly anything to hack or crack, as we’ll see.

Let’s take a look at the typical process whereby a user enrolls their device for biometric authentication with Google by creating a passkey and then authenticating with it.

1. The user registers a fingerprint, face or PIN with a FIDO-enabled device’s OS for use during local authentication later. A hash of this biometric or PIN credential data is stored in a secure, partitioned hardware component on the device known as a Secure Element or Trusted Execution Environment.

2. As part of creating a passkey for Google login, the FIDO-enabled device generates a private and public key pair conceptually similar to the ones used in HTTPS communications. The public key is sent to the service with which the passkey is being registered. The private key is kept in the same secure hardware cordon with the biometric credential hash.

3. The next time Google receives a login request from this username, it sends a challenge to the FIDO-enabled device.

4. The FIDO-enabled device authenticates the user locally by scanning their face or fingerprint.

5. If the biometric matches, the FIDO-enabled device sends a digital signature generated with the private key created when registering with Google in Step 2. Google can authenticate this challenge-response if the signature verifies with the public key because only the holder of that private key could have generated that signature.

FIDO uses a combination of biometric analysis and cryptography paradigms long in operation in securing network communications to achieve increased security and increased convenience. All that’s ever getting transmitted over the internet are public keys, challenges and digital signatures — pieces of cryptography that confirm authentication between devices and servers.

For a technical discussion of how FIDO protects against phishing, read this blog post by our veteran IAM engineer Shane Weeden.

Reach out to your local IBM identity technical specialist to find out just how doable it is to embed passkeys into your customer-facing websites and apps, or roll out within your enterprise!