SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Maximising passkey implementation: 5 points from Yubico specialist
Wed, 27th Mar 2024

Passkeys are fast becoming the new de facto standard of secure authentication for apps and websites alike. With their underlying technology based in cryptography, passkeys are far more secure than traditional passwords, which is why tech giants have widely adopted them and millions of users are beginning to make the shift. However, the concept is still relatively new and many software developers and security experts are seeking ways of integrating passkeys into existing products and services effectively. David Pham, a senior solutions architect at Yubico, shares five essential considerations to maximise the use of a consumer-facing passkey implementation:

1. Pham stresses the importance of giving users more authentication options, not fewer. He notes that, “Users will always understand their own specific risks best, and giving them an easy-to-understand menu of options will more likely lead to the best level of protection.” Diluting passkey options may discourage wider use due to usability issues, hindering the enhancement of account security. Therefore, unless there is a specific and valid reason, it is best to unlock the full range of passkey options and allow users to take control of their own authentication.

2. A significant distinctive feature to recognise in passkeys compared to traditional passwords is that many passkeys cannot be copied or retrieved. Understanding how users can recover from loss of an authenticator is an essential detail when designing systems. Pham suggests, “Ultimately, incorporating support for multiple passkeys is essential. A bare minimum of two passkeys is imperative - a primary passkey for regular use and an all important backup for recovery and safekeeping.” This promotes a more robust security system and minimises the risks of losing access to an account.

3. “Discoverable credential” refers to an RP (Reliable Party) being able to invoke a stored credential on an authenticator without the user needing to specify a username. Though this makes for seamless user authentication, Pham warns against their forced use as they may present privacy concerns or face storage limitations on the authenticator. It’s thus advised to allow a fallback option for users and authenticators who might have reasonable concerns against using discoverable credentials.

4. Detecting passkey support from the browser or platform is advised, but can indeed be problematic. Despite the difficulty in gathering the necessary data, having this information is beneficial as it can present relevant and informed passkey options to the user based on what their platform and browser support. However, it should still be acknowledged as a high effort task and is only a recommendation, not a requirement.

5. On mandating any optional extensions or features, Pham warns that despite the parameters during passkey registration and authentication, the end result does not always align with the desired settings. He advises, “There is certainly room for any implementation to include discretionary functionality based on one of the many optional extensions or features under FIDO2, but never mandate its use until it has been universally adopted and verified.” The evolving nature of passkeys and their features need to be taken into account to ensure user agency in authentication decisions.

Implementing passkeys effectively and across different platforms and browsers can be a complex task, but it certainly offers a more secure authentication method. By maintaining a proactive approach and balancing convenience against security, a more seamless online authentication will be paved as passkey standards continue to evolve.