On WebAuthn and PassKeys
Heya,
WebAuthn, the standard behind passkeys, makes authentication easier on the web.
Other common methods of authentication have their weaknesses:
A username and password means that the user must remember the password. Humans, XKCD notwithstanding, are not great at creating secure passwords. When a password is reused across different applications or systems and one of them is compromised, all of them are at risk. Use a password manager.
A federated login provider delegates authentication to Google, Apple or another remote identity provider. (I also wrote about Federation vs Passkeys a few months ago.) For the application, this lowers authentication friction, but the developer may want more information about the user than the provider offers. This method also requires that your users trust the remote provider and already have an account there that they are willing to share with you.
Submitting a mobile number or email address for a magic link. In this case, access to the message authenticates the user. As with federated sign-on, app developers are decreasing friction but concentrating risk in a single point of failure: if someone loses access to their email inbox, they can't get into your application.
With WebAuthn, a private key is stored in a secure area of the user's computer or device, and the corresponding public key is stored on the remote server. The credential is bound to a domain name, and WebAuthn is only available over HTTPS. When the user wants to authenticate, the remote server sends down a challenge, which the device signs with the private key after the user authenticates to the device. The remote server validates that signature with the stored public key, which authenticates the user. You can learn more about the WebAuthn standard and how to implement it here.
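The ceremony described above, as an added example that is not part of the original post: a small Go model of the WebAuthn login (assertion) flow. The relying-party ID example.com and origin https://example.com are assumed values, and the Sign function and Server type are this example's own names, not a library API. The device signs authenticatorData together with the SHA-256 hash of clientDataJSON using a P-256 private key that never leaves it; the server checks that the challenge is one it issued and has not yet seen answered, that the origin matches, that the RP ID hash matches, and that the signature verifies with the public key it stored at registration.

```go
package main

// Added example, not code from the original post: a minimal model of the WebAuthn
// login (assertion) ceremony with assumed RPID and Origin. The device signs
// authenticatorData || SHA-256(clientDataJSON) with a P-256 private key that never
// leaves it; the relying party checks the result against the stored public key.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const RPID = "example.com"           // assumed relying-party ID
const Origin = "https://example.com" // assumed origin; WebAuthn is HTTPS-only
var b64 = base64.RawURLEncoding            // challenge encoding inside clientDataJSON
var rpIDHash = sha256.Sum256([]byte(RPID)) // first 32 bytes of every authenticatorData

// ClientData mirrors the clientDataJSON fields the server must check.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the page.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Sign is the device side: it answers a challenge as a browser at origin would.
func Sign(priv *ecdsa.PrivateKey, challenge []byte, origin string) (*Assertion, error) {
	// Marshalling a fixed struct of strings cannot fail, so the error is dropped.
	cdJSON, _ := json.Marshal(ClientData{"webauthn.get", b64.EncodeToString(challenge), origin})
	// authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian).
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cdJSON, sig}, nil
}

// signedHash is SHA-256 over authenticatorData || SHA-256(clientDataJSON).
func signedHash(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Server is the relying party: the public key stored at registration plus the
// challenges it has issued and not yet seen answered (Pending must be non-nil).
type Server struct {
	Pub     *ecdsa.PublicKey
	Pending map[string]bool
}

// NewChallenge issues 32 random bytes that may be answered exactly once.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.Pending[b64.EncodeToString(c)] = true
	return c, nil
}

// Verify runs the relying-party checks; any failure rejects the login.
func (s *Server) Verify(a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	fresh := s.Pending[cd.Challenge]
	delete(s.Pending, cd.Challenge) // one attempt per challenge, whatever the outcome
	switch {
	case !fresh:
		return errors.New("unknown or already used challenge")
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Origin != Origin: // the credential is bound to this origin
		return errors.New("origin mismatch")
	case len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(rpIDHash[:]):
		return errors.New("malformed authenticator data or rpIdHash mismatch")
	case !ecdsa.VerifyASN1(s.Pub, signedHash(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the device
	srv := &Server{Pub: &priv.PublicKey, Pending: map[string]bool{}}
	c, _ := srv.NewChallenge()
	a, _ := Sign(priv, c, Origin)
	fmt.Println("login:", srv.Verify(a), "| replay:", srv.Verify(a))
}
```

A real relying party would additionally parse the attestation object at registration, store credential IDs and the signature counter, and hold more than one credential per account; those parts are left out here so the signing and verification steps stay visible. The checks that matter for the security argument in the text are all present: the challenge is single-use, the origin and RP ID are bound into what is signed, and nothing but the public key ever reaches the server.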
However, WebAuthn has its weaknesses too, chiefly that pesky private key. Like any private key, the user must keep it secret, because anyone who holds it can masquerade as the user. So keeping it on the device is great. But if the user loses the device, they can no longer log in. Self-service account recovery is one of the key features of CIAM, so this situation is problematic.
Some options if you are considering using passkeys for your accounts:
Trust a remote server to back up your private keys. Google supports that on some operating systems; Apple does as well. I know the folks at Google and Apple are crazy good with great security chops, but wow, what a great target the passkey storage system for millions of users is.
You can use passkeys as a re-authentication method. That is, register initially using one of the methods above and then add a passkey as another form of authentication. Use it to make logging in frictionless; when you need to recover your account, use the other method. But now you are dealing with the weaknesses of two forms of authentication.
You can register two, three or N passkeys. This works well for high-value accounts that can support multiple passkeys, but it may be a hassle. Nothing compared to being locked out of your account, however.
In short, WebAuthn is a great new secure method of authentication. It is widely supported, secure by default, and built on public/private key cryptography. But it isn't perfect.
Dan