The Rise of Passkeys
Verifying user identity is an age-old problem. Ever since business stopped being conducted face to face, there has been a need to verify that the person we are dealing with is who they claim to be. If they are not, we may be handing valuable goods, services, or confidential information to someone with bad intentions.
The problem came to a head when the internet grew rapidly from a government project into a major medium for commercial transactions. Public key cryptography, the product of decades of mathematical work, was applied to secure e-commerce over the internet.
Public key cryptography allows a merchant or customer to send a 'secret' encrypted with the recipient's public key; only the holder of the matching private key can decrypt it. The private key can also be used to digitally sign a message, and the shared secret can then key an encrypted session, so that both parties communicate securely in both directions.
However, while this secured the channel, it did not verify the identity of the person at the other end of it: an encrypted connection says nothing about who is typing. So websites turned to passwords. Skip ahead several years, and it is widely known that passwords are problematic: they are reused, phished, and leaked in breaches. Applying the same public key techniques to the user's side of the connection, WebAuthn was born to verify identity securely.
The Web Authentication API (WebAuthn) is an open standard developed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C) and published as a W3C Recommendation in 2019. It provides secure authentication to websites using a public/private key pair instead of a password: the private key never leaves the user's authenticator, the site stores only the public key, and each login is a fresh challenge from the site that the authenticator signs with the private key.
Passkeys are these WebAuthn credentials in a form users can manage. Originally they were device-bound: the private key lived in the secure enclave of the device where it was generated and could not be copied off it. To support recovery when a device is lost or stolen, and to drive adoption, passkeys were then designed to be synced securely between a user's devices. Apple's iCloud Keychain does this today, distributing passkeys securely between supported Apple endpoints.
The use of passkeys on consumer sites has grown rapidly, yet questions remain about their use in the enterprise. The passkey itself is stored securely and proves the user's identity to the site, but a synced passkey can be used from any device that holds it. How do you know that endpoint is a trusted, managed device that will not put the organization at risk? Identity and access management vendors therefore need to establish device trust before a passkey can be used.
Cisco Duo can add that protection to passkeys with its Trusted Endpoints functionality. A user preregisters and has Duo Desktop (Windows and macOS) or Duo Mobile (iOS and Android) installed, which uniquely identifies their trusted devices. Then, at authentication time, the user's device must be known, or "trusted"; otherwise they are not allowed to use it to authenticate.
Passkeys are here to stay, and it is important for enterprises to plan to invest in them. They are strategic to identity security and a win for companies, admins, and users alike. See the Duo documentation to learn how Duo Passwordless, Trusted Endpoints, and passkeys can help protect user identities and secure access to your environments today!