In the face of increased data breaches and account takeover attacks, there is a growing need for authentication methods that guard against phishing, credential stuffing, and MFA-based attacks. Passkeys, a new technology that simplifies the implementation of FIDO-based credentials, answers this need by providing strong credentials that not only improve the security of authentication, but deliver a more frictionless user experience than legacy authentication methods.
However, although passkeys represent a significant improvement over the security of passwords, they do not benefit from the same security of traditional FIDO2 passwordless credentials, which are bound to a single user device. To reduce these risks, Transmit Security has developed added capabilities that help businesses reap the benefits of passkeys without compromising on security.
This blog post will review what passkeys are and how they benefit businesses, the processes and security challenges that passkeys present at different risk moments and how Transmit Security helps CISOs and security decision makers strengthen the security of passkeys throughout the user lifecycle.
Passkeys are an extended version of FIDO credentials that provide a fast, easy and secure sign-in for applications and websites across all user devices. Because they are based on strong cryptography rather than shared secrets, they are phishing resistant by design and can solve many challenges around user authentication by providing an MFA method that protects against a wide range of authentication-based attacks, including prompt fatigue and SIM swapping. For a more in-depth overview, check out our introductory blog on passkeys.
To enroll in passkeys, a user will most likely have to first be registered to the application or website they would like to create a passkey for. After a user signs in by authenticating with their legacy method, such as a password and username, they can enroll in passkeys on their current device or another device belonging to them. If the user is connected to a cloud account, such as iCloud or Google Password Manager, passkeys will be synced across all the user’s devices in their cloud provider’s ecosystem.
However, with the rise in attacks targeting passwords and other legacy authentication methods, user accounts run the risk of compromise by bad actors. Once a user account is compromised by a malicious user, the fraudster can leverage their access to the legitimate user’s account to register a passkey.
After registering a new passkey, the fraudster can continue to use it to access the user’s account, even after users who know their accounts have been hacked reset their password. Because passkeys are synced across other devices in the user’s cloud provider ecosystem, users have no way to control the registration and approval of new devices.
The challenge: How do I know that a passkey is enrolled by the account owner?
To prevent risks during passkeys enrollment, businesses must gain a high level of trust for the registering device and users who authenticate during enrollment using passwords or other weak authentication methods.
Transmit Security meets this challenge by evaluating trust in users throughout their entire application journey to provide a risk score and transparent, actionable recommendation on whether to Trust, Allow, Deny or Challenge the request for enrolling with passkeys.
Risk scores and recommendations are generated by our best-in-class risk engine, which leverages machine learning (ML) with anomaly detection to collect, aggregate, enrich and analyze data from over 100 telemetry streams. This data is used during all user sessions to build user activity profiles over time, so that our services can tell with a high level of assurance whether a request is being made by the account owner or a fraudster posing as them.
On the Transmit Security Platform, you can build your own business logic so that only users that receive a Trust or Allow recommendation can complete enrollment. Enrollment requests that receive a Deny or Challenge recommendation can be rejected or challenged with an extended identity verification or data validation process.
Users with passkeys benefit from a simplified login process that is inherently two factor, leveraging a combination of who they are (using Face ID or fingerprint) and what they have. This reduces the need to remember cumbersome passwords and can be performed with a single action, as opposed to two-factor authentication via one-time passwords (OTPs), which can also be compromised via social engineering.
When a user browses a website or app to sign in, they simply enter their username to select an existing passkey on the device or another device that has the passkey enrolled on it. For devices that are not enrolled in passkeys, the user will approve sign in on the enrolled device with the same biometric, PIN or security key used to unlock the device. More information about how this works on the Transmit Security Platform is available in our Authentication Services brief.
When approving requests on new devices, users aren’t required to authenticate with passkeys that were created on or synced to the original device, as long as that device is nearby and the user approves sign in on their enrolled device. Once the request is approved, the user can authenticate with passkeys on the new device during future login attempts.
The challenge: How will users know when and where they last authenticated from to control which devices are actually accessing their account?
In cases where the user isn’t able to authenticate with passkeys during login, they will fall back to any of the legacy methods that have been used before passkeys (email OTP, passwords etc.), leaving them open to all the security risks of legacy authentication methods. In addition, hackers can use social engineering to gain access to a user’s Apple, Google or Microsoft accounts and use that access to capture all the user’s passkeys, especially if the user has not turned on MFA for the device account.
To protect against account takeover that would open users up to these risks, Transmit Security leverages the ML model of its Detection and Response Services, which is inspired by the novelty detection approach that can effectively analyze usage patterns to detect signs of account takeover. This is aided by Transmit Security’s state-of-the-art device fingerprinting, which has a 97% true acceptance rate and a 99.97% true rejection rate.
With passkeys, users can authenticate from a new device that has been synced to their cloud account by choosing the passkey they have already created, reducing the friction of enrolling a new device. In addition, users can authenticate with a device that is not synced to their cloud account by leveraging a device that is already enrolled with passkeys.
In cases where the original device is lost and the passkey hasn’t been synced to their cloud account, the passkey will need to be registered again to work on their new device. However, in this scenario, it’s important to consider the device the user is authenticating from, as a device that can be unlocked with a simple PIN code could be easily hacked to gain access to all passkeys saved on the device.
The challenge: How can we stop fraudsters from maliciously registering a passkey on a new device on behalf of a legitimate user or recover access to a passkey using a compromised or stolen device?
Enrolling new devices can present a risk to the security of passkeys if steps are not taken to ensure that lost or stolen devices can not gain access to the user’s passkeys. In cases where users need to re-enroll in passkeys or prevent recovery from a device that is no longer in the user’s possession, businesses will need to build complex logic to authenticate users in these scenarios, using legacy methods such as passwords that expose users to the same risks and friction that come with them.
To address this challenge, Transmit Security leverages two key capabilities:
Websites and applications tend to use different authentication options during different user moments, based on the required level of security and privacy for the application and request. Hence, in some cases, businesses may enable login into an application using an authenticator that has a lower level of assurance.
In such cases, risks could be introduced if an account has already been taken over by an unauthorized user. To prevent these risks during financial transactions or account changes that enable fraudsters to access account owners’ funds or lock them out of their accounts, users can be prompted with a step-up authentication method, often using a passkey to elevate the level of assurance and trust throughout the user session.
The challenge: Providing secure step-ups that ensure bad actors cannot take high risk actions on compromised accounts
Transmit Security evaluates user trust throughout the entire user lifecycle through what is commonly known as continuous adaptive risk and trust assessment (CARTA). This ensures that the full context of previous user actions is aggregated and used to re-assess risk during step-up without losing information about user’s past behavior, both historically and throughout sessions.
With this context, businesses can continue to reduce friction for legitimate users by leveraging Transmit Security’s strong device fingerprinting, which can be used to login or extend sessions for trusted users.
Because passkeys provide a better user experience and significant security advantages over legacy methods of authentication, analysts are predicting that Stripe, Vanguard, Yahoo, and other large community sites that already offer FIDO2 WebAuthn-plus-CTAP authentication will soon extend their passwordless capabilities to offer passkeys support.
Although this will enable businesses with the ability to mitigate MFA attacks like OTP phishing and prompt bombing, passkeys are not without vulnerabilities, particularly during risk moments such as registration, fallback authentication, recovery, step-up and cross-device enrollment. As a result, enterprises adopting passkeys will need to pair them with additional security measures in order to provide the highest possible level of assurance throughout the user lifecycle.By pairing passkeys with our best-in-class risk engine and state-of-the-art device fingerprinting, Transmit Security helps businesses deliver on the security and user experience benefits that passkeys promise. To find out more about how passkeys can benefit your business, check out our Detection and Response and Authentication Services briefs or contact a sales representative to schedule a free personalized demo.