Passkeys vs. Passwords: The State of Passkeys on Cloud Platforms
Securing access to an ever-expanding list of cloud platforms is top-of-mind for many IT teams. But conventional protection solutions, like password security, fall short when it comes to efficacy. That’s why many tech companies are turning to passkeys as a more secure and convenient replacement.
We have a lot of thoughts on passkeys – some of which we’ve shared in other posts in this passkey blog series – and today we’re going to explore how passkeys stack up against passwords from the perspective of cloud platforms.
Want to learn more about passkeys in the enterprise? Be sure to tune into our webinar, The State of Passkeys in the Enterprise, on September 7th at 9am PST | 12pm EST.
Passkeys on Cloud Platforms
Passkeys have growing support from significant vendors. While there are areas where passkeys could be better, it is clear that they are the leading contender to improve authentication by an order of magnitude and bring an end to passwords.
Passkeys are better than passwords
According to the FIDO Alliance, passkey support includes the ability to:
“Allow users to automatically access their FIDO sign-in credentials (referred to by some as a ‘passkey’) on many of their devices, even new ones, without having to reenroll on every account.”
“Enable users to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser they are running.”
Apple introduced support for passkeys at its 2021 Apple Worldwide Developers Conference (WWDC) as a tech preview, introduced broader support at WWDC 2022 and announced additional features at WWDC 2023. This includes:
Conditional UI support
Legacy authenticator support
Airdrop sharing support
Enhanced iCloud Keychain integration
Enterprise attestation with platform authenticators
To get more analysis of the passkey-related announcements at each conference, including code snippets, check out Cisco Duo’s passkey development leader and FIDO Alliance technical contributor Matt Miller’s blog posts:
Users with an Apple ID will automatically be assigned a passkey starting with iOS 17, iPadOS 17 and macOS Sonoma. This will allow them to sign in on Apple ID sign-in pages with Face ID or Touch ID instead of their password.
Apple Business Manager
Apple Business Manager is a web-based portal that helps you manage Apple devices and enable employee access to Apple services, apps and other software.
Apple OS releases in 2023 are targeted to include support for iCloud with Managed Apple IDs, supporting the same kind of sync capability as Apple IDs. This increases the viability of passkeys in enterprise environments.
To create and work with managed Apple IDs, Apple Business Manager needs to be federated with an organization’s identity provider. Apple is expanding which identity providers can be used with its implementation of OpenID.
Google jumped in feet first when it announced support for passkeys on personal accounts across its broad range of services, along with the ability to store them on supported devices. With a passkey, 2-Step Verification (2SV) is no longer required.
At the start of the summer of 2023, Google announced an open Beta giving the users of nearly 10 million organizations the ability to sign in to Google Workspace and Google Cloud accounts using passkeys instead of passwords.
Google Password Manager
On Android, the Google Password Manager backs up and syncs passkeys. They are always encrypted end-to-end, with the private key accessible only on the user’s own devices, which prevents access by Google itself.
Android and Chrome
Last year, Google announced support for passkeys on both Android and Chrome OS-based devices. They are built on the existing password autofill experience, allowing users to select a passkey, similar to how they accept a saved password.
Credential Manager API
Google reports that “passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program.” In other words, they could be used on a device in place of a Google Titan Security Key.
If a user temporarily uses someone else’s device, Google supports selecting the option to “use a passkey from another device.” It only uses the phone’s screen lock and proximity to approve a one-time sign-in.
Google supports device-bound passkey scenarios where relying parties may still require signals about the strong device binding that traditional FIDO credentials provide, all while offering the recoverability and usability of passkeys.
Microsoft’s Windows 11 Insider Preview includes support for passkeys: users can go to any app or website that supports passkeys and create or sign in with a passkey using the native Windows Hello experience. This includes:
Creating passkeys and signing in with passkeys saved on a Windows device
Signing in with passkeys saved on a mobile phone
Searching and deleting from a list of passkeys saved to a Windows device
Passwords may be transferred between devices by password managers, but they must be decrypted for use.
Passkey private keys are transferred across cloud providers through end-to-end encryption between secure enclaves. They will also be transferred between cloud providers by passkey exchanges.
Password managers often sync to the cloud, but this comes with a risk. We saw challenges at LastPass when a developer’s credentials, and ultimately their master password, were compromised.
Portability also makes it easy to recover passkeys onto a replacement for a lost or stolen device. And unlike passwords, passkeys require biometric verification to access the private key of the passkey pair.
Passkeys could be better
When passwords are cached on a local device, they leave behind a secret that malware can harvest. And when users re-use passwords across different websites, they risk password spraying attacks and put all of their accounts at risk.
While passkey portability and recovery are great benefits, the fact that they can be shared across multiple devices and multiple clouds remains an untested concern for security organizations, much as identity phishing has made them reconsider MFA.
Passkeys with Cisco Duo
Cisco Duo launched passkey support with the release of the Duo Passwordless solution in 2022. Since then, it has expanded functionality with the introduction of Risk-Based Authentication and by bringing privileged access to the Duo console.
Cisco Security Cloud is an open, integrated security platform for multi-cloud environments. With a best-in-class networking security presence, it is well-positioned to be a host for passkey synchronization and management.
On 7/13/23, Cisco announced its intention to acquire Oort and its pioneering Identity Threat Detection and Response (ITDR) technology. Oort’s telemetry with predictive identity analytics could protect passkey synchronization.
Cisco Talos, with its proven threat intelligence and team of researchers, analysts and incident responders, provides leading security research and response globally, with advanced insights to protect synced passkeys.
Ready to get started on your passkey journey?
At times, we promote technology for a specific purpose, and it has a limited life. However, passkeys are poised to replace passwords in the long term. They’ve been designed to provide both lasting authentication strength and a quality user experience.
The hard work has been done, led by the FIDO Alliance developing the standards behind passkeys. And progress has been made towards replacing passwords, but the journey is still far from over.
Remember, to learn more about the state of passkeys and where they’re used within Duo’s passwordless solution, join Matt Miller, our development technical leader, Cindy Qu, our product manager, and me, Matt Brooks with product marketing, on our upcoming webinar The State of Passkeys in the Enterprise. Tune in on 9/7 at 9am PST | 12pm EST.