FIDO2 Passkeys

Types of Passkeys:

• Device-Bound Passkeys: Stored exclusively on a single device (such as a hardware security key or specific smartphone). These cannot be synced across devices, offering maximum security for high-stakes scenarios.
• Multidevice Passkeys: Synchronized across a user's devices through platform providers like iCloud Keychain, Google Password Manager, or third-party password managers. These provide seamless cross-device usability while maintaining strong security.

Security Comparison:

• Device-Bound Passkeys:

  • Highest Security: Private keys never leave the device, eliminating sync-related attack vectors
  • No Cloud Risk: Not susceptible to cloud provider breaches or account takeovers
  • Hardware Protection: Often stored in dedicated secure elements (e.g., TPM, Secure Enclave)
  • Trade-offs: Single point of failure if device is lost/damaged; requires backup strategy

• Multidevice Passkeys:

  • Strong Security: Still cryptographically secure and phishing-resistant
  • Sync Risks: Introduces dependency on cloud provider security and account protection
  • Account Takeover Surface: Vulnerable if ecosystem account (Apple ID, Google Account) is compromised
  • End-to-End Encryption: Reputable providers use E2E encryption for synced credentials
  • Trade-offs: Slight increase in attack surface for significant usability improvements

Key Advantages:

• Security: Immune to phishing, credential stuffing, and password database breaches due to public-key cryptography
• Simplicity: Users authenticate using familiar biometrics (fingerprint, face recognition) or device PINs
• Convenience: One-time enrollment enables authentication across apps and websites without re-registration
• Recovery: Available even when switching to new devices (for multidevice passkeys)

How It Works: When signing into an app or website, users simply approve the sign-in using the same method they use to unlock their device. The passkey replaces both username and password, providing a consistent and secure experience.

Lifecycle Considerations:

• Registration/Enrollment:

  • Users create passkeys during account setup or when adding authentication methods
  • Organizations should provide clear guidance on which passkey type to choose
  • Consider offering both options for different security/usability requirements

• Active Usage:

  • Regular authentication strengthens user familiarity and trust
  • Monitor adoption rates and user feedback to identify friction points
  • Ensure fallback mechanisms (e.g., recovery codes) are available during transition

• Device Changes:

  • Multidevice: Automatically available on new devices within same ecosystem
  • Device-Bound: Requires re-registration on new devices
  • Plan for device upgrade scenarios in user communications

• Recovery Scenarios:

  • Lost device with device-bound passkey requires account recovery flow
  • Compromised ecosystem account may require passkey revocation and re-enrollment
  • Implement secure recovery mechanisms (recovery codes, backup passkeys, trusted contacts)

• Revocation:

  • Users should be able to view and remove registered passkeys from their account
  • Automated revocation when devices are reported lost/stolen
  • Audit trails for passkey lifecycle events in enterprise scenarios

• Migration and Sunset:

  • Plan for migrating from passwords to passkeys with coexistence period
  • Consider long-term strategy for users who cannot or will not adopt passkeys
  • Eventual deprecation of legacy authentication requires careful communication

Deployment Considerations: Organizations can implement passkey-based authentication for various use cases, from consumer applications to workforce scenarios. Service providers may offer passkeys as the primary authentication method or as an alternative to passwords for both sign-in and account recovery.