Passkeys 101

Future of Passkeys: Why It’s Time to Move On from Passwords

By suktech24, Sat 12 Oct 2024, Estimated reading time: 8-10 mins

In recent years, passkeys have gained significant attention. Tech giants like Google, Amazon, and Apple, as well as various government agencies, have begun adopting passkey technology. But why this shift? The answer lies in the growing need for stronger, more secure authentication methods that address the shortcomings of traditional passwords, which are vulnerable to phishing, data breaches, and other cyber threats.

This blog post will explore the following:

  1. CIA Triad and Passwords
  2. Why the Need for Passkeys?
  3. What is a Passkey?
  4. How Does a Passkey Work?
  5. Password vs. Passkey
  6. CVE Example of Password Attack
  7. MITRE ATT&CK

1. CIA Triad and Passwords

To understand the importance of password security and passkeys, it’s essential to connect them with the CIA Triad—Confidentiality, Integrity, and Availability—three fundamental areas of cybersecurity:

  • Confidentiality: It is about ensuring that sensitive information is accessible only to those who have the right to view it.
    • Passwords/passkeys help ensure confidentiality by restricting access to sensitive data only to authorized users. However, weak or reused passwords can be easily cracked or stolen, exposing confidential information to unauthorized individuals.
  • Integrity: Integrity refers to the accuracy and trustworthiness of data.
    • If an attacker gains access to either personal, business, or government accounts through a stolen password, they could tamper with data, undermining its integrity.
  • Availability: Information is readily available to authorized users when needed.
    • Passwords also contribute to availability by allowing authorized users access to systems or services. However, techniques like brute force attacks or account lockouts due to failed login attempts can reduce availability by denying legitimate users access to their accounts.

In recent years, passwords have faced serious challenges, ranging from phishing attacks to credential stuffing. Because of these challenges and attacks, there is a need for stronger and more robust authentication methods.


2. Why the Need for Passkeys?

Traditional passwords are inherently insecure for several reasons:

  1. Weakness of human-created passwords: Users tend to create weak passwords or reuse them across multiple platforms, making them vulnerable to attacks.
  2. Password reuse: Users are notorious for reusing passwords across multiple accounts, which means that if one account is compromised, all the other accounts using the same password fall like dominoes.
  3. Phishing and credential theft: Even if a password is strong, social engineering techniques such as phishing can trick users into visiting fake login pages and giving away their credentials.
  4. Brute force and dictionary attacks: Automated methods can try millions of password combinations in seconds, compromising accounts with weak passwords.
  5. Data breaches: In large data breaches, password databases are stolen, and attackers use sophisticated methods to recover the passwords from them.

2.1 Passkey Background History

As the digital landscape evolves, passkeys have emerged as a more secure and user-friendly alternative.

Passkeys were developed by the FIDO (Fast IDentity Online) Alliance, established in July 2012 as a collaboration between technology industry leaders such as Google, Microsoft, PayPal, and Lenovo.

The FIDO Alliance’s primary mission is to develop open standards that enable simpler, stronger, and more secure online authentication that eliminate the reliance on passwords and enhance online security.


3. What is a Passkey?

According to the FIDO Alliance, “Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords (knowledge-based credentials), passkeys are always strong and phishing-resistant.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.”

Built on public key cryptography, passkeys eliminate the need for users to remember or type passwords. Instead, they use a cryptographic key pair: a public key stored on the server and a private key stored on the user’s device.


4. How Does Passkey Work?

Passkeys work by leveraging public and private key cryptography. Before diving into how passkey authentication processes work, the following concepts are helpful to know.

Preliminary Concepts

  • Asymmetric cryptography: a well-known technique in public key infrastructure (PKI).
    • In PKI, a public key is used to encrypt data, and a corresponding private key decrypts it.
    • In the case of passkeys, the public key is shared with the authentication server when the passkey is registered.
    • The private key is stored securely on the user’s device. This private key is the “passkey”: it is used to sign the server’s challenge (see the authentication process below) and is never exposed to the web, unlike passwords.
  • WebAuthn: The web authentication API, shortened to WebAuthn, is an open standard that enables applications to authenticate users with possession-based and biometric authentication.
    • Passkeys are based on WebAuthn and FIDO2 standards. 
  • Biometric authentication: Biometric authentication is the process of validating a person’s identity using immutable factors such as fingerprints, facial scans, iris scans, or voice patterns. 

Registration and authentication processes

  1. Key Pair Creation: Creating a passkey generates a key pair: a public key (stored on the server) and a private key (stored on your device). The private key is accessible only to the user, ensuring secure authentication.
  2. Authentication Process: When you attempt to log in, the server sends a challenge (a random string of data) to your device. Your device uses its private key to sign the challenge and sends the signature back to the server.
  3. Verification: The server verifies the signature using the public key. If the signature matches, authentication is successful.

For a deeper dive into the two passkey processes (registration and authentication), go to the following link.

Unlike passwords, passkeys cannot be phished because the private key never leaves the user’s device. Passkeys also minimize the risks associated with credential leaks or data breaches, since an attacker cannot replicate the authentication process without the user’s private key.


5. Password vs. Passkey

  • Created by
    • Password: Users create strings of characters
    • Passkey: Systems generate cryptographic keys
  • Storage location
    • Password: Stored on servers or in databases
    • Passkey: Public key stored on the server, private key on the user’s device
  • Security
    • Password: Vulnerable to phishing, brute force attacks, and credential leaks
    • Passkey: Immune to phishing; the private key is never shared
  • Ease of use
    • Password: Users need to remember or store passwords
    • Passkey: No need to remember anything; login is seamless
  • Attack surface
    • Password: Often targeted in data breaches
    • Passkey: Public key stored on the server, private key secure on the user’s device
  • Human error
    • Password: Users may create weak passwords
    • Passkey: No user-created passwords, reducing the risk of weak credentials
  • Phishing and brute force attacks
    • Password: Susceptible to phishing and brute force attacks
    • Passkey: Strong protection against both

6. CVE Example of Password Attack

  • CVE-2021-40539:
    • It is a severe vulnerability in Zoho ManageEngine ADSelfService Plus.
    • It is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs, and it can lead to remote code execution.
    • Successful exploitation allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities such as compromising administrator credentials, moving laterally, and exfiltrating registry hives and Active Directory files.

7. MITRE ATT&CK

As we transition towards passkeys, threat detection engineers and hunt teams will need to adjust their focus on relevant MITRE tactics and techniques.

Password

With password-based systems, attackers commonly use the MITRE ATT&CK tactics and techniques below to leverage stolen credentials for unauthorized access.

  • TA0001, Initial Access
    • T1566, Phishing
    • T1189, Drive-by Compromise
  • TA0003, Persistence
    • T1136, Create Account – often with a weak or default password, to maintain access
  • TA0005, Defense Evasion
    • T1027, Obfuscated Files or Information
  • TA0006, Credential Access
  • TA0008, Lateral Movement
    • T1550.002, Pass the Hash
    • T1550.003, Pass the Ticket

Passkeys

With the adoption of passkeys, the threat landscape shifts. While passkeys reduce the risk of phishing and credential stuffing, threat detection strategies need to prioritize monitoring for anomalies. Examples of relevant MITRE ATT&CK tactics and techniques are listed below:

  • TA0001, Initial Access
  • TA0004, Privilege Escalation
  • T1552, Unsecured Credentials

Summary

Below is a summary of the blog post.

  • Passwords and the CIA Triad: Passwords aim to protect confidentiality, integrity, and availability but are vulnerable to threats like phishing, brute force attacks, and breaches.
  • Why Passkeys are Needed: Passwords are inherently insecure due to weak creation practices, reuse, phishing, brute force attacks, and data breaches, necessitating stronger alternatives.
  • What is a Passkey?: Passkeys, developed by the FIDO Alliance, replace passwords with cryptographic key pairs (public-private keys) for more secure and phishing-resistant logins.
  • How Passkeys Work: Built on public key cryptography, passkeys involve creating a key pair—public (on the server) and private (on the device). The private key is never exposed, making phishing impossible.
  • Password vs. Passkey:
    • Creation: User-created vs. system-generated
    • Storage: Server-side vs. split storage (public on server, private on device)
    • Security: Vulnerable to various attacks vs. highly resistant to common threats
    • User experience: Requires memorization vs. seamless authentication
  • CVE Example of Password Attack: CVE-2021-40539 highlights an authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, leading to remote code execution via API.
  • MITRE ATT&CK for Passwords vs. Passkeys:
    • For passkeys: Focus on monitoring for unsecured credentials (T1552) and anomalies in privilege escalation (TA0004).
    • For passwords: Techniques like phishing (T1566) and pass-the-hash (T1550.002) are common.
  • Passkeys offer significant advantages:
    • Phishing resistance
    • Protection against brute force attacks
    • Elimination of password reuse risks
    • Reduced human error in credential creation

Passkeys offer a safer, more convenient alternative to passwords, addressing many of the vulnerabilities associated with traditional authentication methods. Hence, you can embrace them to make your digital experience both easier and more secure.
