What problem do passkeys solve?

Sometimes unlearning things is harder than learning

As you might have read somewhere Microsoft is busy implementing support for passkeys in their product. I was always under the impression that these passkeys were device bound, meaning that it must be available on the device where you authenticate. Yesterday I watched an announcement video about upcoming passkey support in the Microsoft Authenticator app, which raised a lot of questions from my side. You can see the video here:

So back to the basics, let’s answer some questions first:

What problem do passkeys solve?

Passkeys solve the current issue with phishing attacks caused by Adversary-in-the-Middle (AiTM) attacks, also known as man-in-the-middle (MitM) attacks. AiTM phising is done by using a proxy server, which phishes the password and session cookie right after the user performs MFA which allows the attacker to use the session cookie for as long as the cookie is valid. With more and more companies now implementing MFA, AiTM attacks are the next big thing when it comes to hacking accounts of users.

Passkeys are a pair of cryptography keys generated by your device. The private key is kept secret and secure on your device, while the public key can be shared with others. The public key can be used to encrypt (or lock) data, but only the private key can decrypt (or unlock) it. This helps keep your information safe and secure – so without the private key, the attacker cannot login on the users behalf, accessing the private key is protected by using a PIN (password) or biometric methods (like fingerprint or facial recognition)

Passkeys provide passwordless logon, where each passkey is a unique digital key which cannot be reused. Therefore they cannot be abused in AiTM attacks.

What type of passkeys do exist?

We can distinct between passkeys which are bound to a device and passkeys which can be synced across devices using for example a password manager. Device-bound passkeys are the most secure, because the private key is stored in the Trusted Platform environment of the device itself, this can be the TPM chip, but also a FIDO-2 security key.

So, if passkeys are device bound or synced, how is it possible to login on device one, and authorize that login using the Microsoft Authenticator by scanning a QR code?

Well the first thing you think, is that if the QR code is scanned, this can also be provided by an AiTM proxy. But in order to circumvent that scenario the device with which you can the QR code must be in proximity of the device which generated the QR code, therefore this can not be performed if that QR code is proxied somehow. Also since the private key is safely stored, the hacker has no way to get it in possession, in contradiction to the session cookie which can be phished.

If you want to know more about how Microsoft will implement passkeys in their products watch this video: https://aka.ms/passkeysignitesession

Conclusion

Security is a cat and mouse game and passkeys are only a solution along the way. It will be very interesting to find out what kind of trick attackers figure out in order to phish accounts from users.

1 thought on “What problem do passkeys solve?

  1. Pingback: What is this Microsoft SSE solution that everyone is talking about? - Modern Workplace Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.