Tue, Apr 23, 2024
Despite being a globally accepted security measure, passwords have associated issues that have led to countless breaches and compromised systems over many years of not-so-secure authentication technology. Yet passwords remain the dominant form of authentication because more secure options have not been accessible to all users. Passwords have evolved into the security risk they are today because, as the security requirements for passwords have increased, usability has decreased. Less technically capable users are more vulnerable because good password hygiene requires technical capacity and effort to maintain. Users are not to blame; this is a technology problem that can only be solved by technology. The evolution of password usage follows a repeating cycle that is failing both users and technology administrators.
While password practices have become more complex over time to defend against attackers, they demand too much of users and increase potential security risks.
Figure 1: The password usage failure cycle.
| User Challenges | Attacker Wins | Defender Effort |
|---|---|---|
| Users have to remember passwords, so they choose something easy to remember, like their favorite sports team or the word "password." | Easy-to-remember passwords are also easy to guess via dictionary wordlists. | Password complexity became necessary, requiring systems to ensure that passwords contain special characters, numbers and sufficient length. Password rotation is introduced to reduce the longevity of compromised passwords. |
| Complexity requirements make passwords even harder to remember, so users memorize a few strong passwords and reuse them. | Reused passwords are common, and database leaks are also common due to weak passwords. Credential stuffing with lists of previously breached credentials is effective for attackers. | Passwords must be checked against breach lists. Rate limiting, account lockout and risk profiling must be implemented. |
| Users must use password managers and ensure any reused passwords are updated. | Phishing and social engineering become more popular with attackers since they continue to be effective. | Multi-factor authentication is implemented. |
Passkeys use public key cryptography to authenticate users. The secret (private) key is stored on the user's mobile or laptop device and is never exposed to another party; the service being logged into holds only the corresponding public key. Access to the secret key involves verifying the user, typically by a biometric such as a fingerprint or faceprint. After verification, the device uses a cryptographic challenge-response protocol to authenticate the user.
Passkeys have a number of specific properties that are critical to achieving this standard of security:
Figure 2: The Passkey dialog allows the user to choose an account and complete Face ID verification
Passkey technology has three facets that are all related and are often confused with each other:
Where the terms are interchangeable, "Passkeys" is preferred over "FIDO2": adoption by the major platform vendors is key to Passkeys' success, and the term is more user-friendly.
Passkeys have been adopted by the major platform vendors, incentivizing application developers to build Passkeys into their applications. Vendors such as Adobe, Amazon, Best Buy, GitHub, Google, PayPal, Shopify and TikTok have already deployed Passkey authentication.
Kroll’s Offensive Security team provides penetration testing and other offensive security assessments to clients globally. To ensure that we are equipped to properly assess Passkeys, we have developed proprietary methodology and tooling.
As part of this, we created a Burp Suite extension called PasskeyScanner that helps our security consultants evaluate implementations of Passkeys. This plugin is freely available in the PortSwigger BApp Store as a contribution of some of our efforts to the community. We also presented a talk at a HackFest event where we released this plugin and gave a more detailed overview of the Passkeys attack surface.