Terminology alert in 1Password passkeys blog post!
I've just read the 1Password blog post Passkeys vs. 2FA and TOTP: What are the differences?, and while the overall intent of the post is great, I'm alarmed at the non-standard and confusing use of terminology.
There's already an industry-standard definition of the term "Two-Factor Authentication" (2FA). I hardly need to reference it because thousands of sources clearly define it this way: 2FA is an authentication scheme in which the user demonstrates 2 out of 3 authentication factor types (inherence, knowledge, and possession).
By this definition, passkey authentication is a form of 2FA. That's because the user must first use either biometric authentication (inherence) or some kind of passcode (knowledge) to unlock their credential - and following this, their device proves possession of a secret key (possession).
So when you authenticate with a passkey, you always either demonstrate inherence + possession (if you use biometrics to unlock), or you demonstrate knowledge + possession (if you use passcode to unlock).
That means you always demonstrate two of the three types of authentication factor, and passkey authentication is by definition a form of 2FA.
MFA, in practice, means almost the same thing. The only difference is that MFA requires the user to demonstrate multiple authentication factors - i.e. two or more. That is the ONLY difference. But since very few popular authentication solutions enforce three factors at the same time, the terms "MFA" and "2FA" can be used interchangeably in practice. 2FA is a form of MFA (because 2 is multiple), and virtually all MFA is 2FA (because there are almost always 2 factors, and not 3).
If you want a term to refer to "legacy" 2FA/MFA in which the user provides username and password followed by something else, then please find another term for that - for example, you could use "legacy 2FA", "traditional 2FA", or maybe even "2-step authentication". [*]
But please, please, please, please, please, please, please, please, please, please.... don't invent your own esoteric, non-standard, and confusing definitions of industry standard terms like "2FA" and "MFA"! There is more than enough confusion on this topic already.
For what it's worth, I think the blog post could be "rescued" by doing a search-and-replace of the term "2FA" with one of the alternatives I suggested above, or similar.
Aside from that, the blog post also contradicts itself in its use of the term "MFA":
- It first says "The added security of MFA is core to the passkey design — it’s built right in". That's correct, passkey authentication is a form of MFA.
- Later it says "passkeys may not make MFA entirely obsolete just yet". What??? The whole point of passkey authentication is to provide strong, convenient, and seamless 2FA/MFA. Why would it make 2FA/MFA obsolete? It's the exact opposite of that. Passkey authentication makes strong 2FA/MFA seamless and (hopefully) brings it to mass adoption.
[*] For an example of better use of terminology, see the FIDO Alliance whitepaper How FIDO Addresses a Full Range of Use Cases. This refers to legacy forms of 2FA using terms like "two-factor authentication with a dedicated TOTP token", "phishable two-factor authentication", "consumer-space two-factor authentication mechanisms today", "traditional two-factor authentication". It never equates that with 2FA in general. And it never implies that FIDO is not also a form of 2FA. The whitepaper also refers to hardware-based FIDO keys as "FIDO-based two-factor alternatives", again using the term "two-factor" to describe the same standard (FIDO2) that passkeys are based on. Finally, they refer to multi-device FIDO credentials (i.e. passkeys) as achieving at least NIST AAL2, which per the NIST Digital Identity Guidelines, is a form of MFA.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hi @semblance,
I authored Passkeys vs 2FA and TOTP: What are the differences?, and appreciate your thorough analysis. While I agree in part, I don’t believe the post is in need of “rescue.” :)
> "There are two primary differences between passkeys and 2FA. The first contrast is the presence, or lack of, a password."
You’ll notice that very paragraph ends with “But your traditional password remains the first factor or step in most 2FA flows.” So that sentence should absolutely read “There are two primary differences between passkeys and traditional forms of 2FA...”
> Later it says "passkeys may not make MFA entirely obsolete just yet". What??? The whole point of passkey authentication is to provide strong, convenient, and seamless 2FA/MFA.
NIST, in its current draft of SP800-63-4, defines a passkey as single factor if it’s synced. Due to the synced nature of (some) passkeys, this means the possession factor is actually contested, mostly in high-assurance/regulatory environments. Outside those environments, a passkey can be classified as having multiple inherent factors, so I used "may" in the article.
TL;DR The post was written for everyone in the 1Password community — including folks who may not have the level of technical knowledge you clearly possess. The intention was only to generalize, not to use terms synonymously/interchangeably, or to mislead.
We’re updating the instances of “2FA” to “traditional forms of 2FA” as we speak. Thanks again for the callout and your feedback! ♥️
0 -
Thank you @meganb for taking the time to respond to my feedback! And thanks so much for updating the blog post. "Rescued" wasn't a great choice of word, so apologies for that.
Clearly if you do a casual search for "2FA" or "MFA", a lot of people describe it as an "extra thing you need to do after you enter a username/password". But it's important to understand the context for that: they're stuck with username/password, and in that scenario the only way to achieve MFA is by adding an "extra thing". As a consequence, a large section of the general public now has it stuck in their heads that "MFA" (or "2FA") literally is an extra thing you have to do after entering your password!
However I see 1Password as an industry leader, so I expect them to shine a light and provide clarity on such topics that are misunderstood. If a blog post is written for a broad audience, I think it's even more important to get these specifics right, because you don't want to be perpetuating the myths and misconceptions.
With that said, the blog post is much better now. However, I'm still finding that in several places, it gives the misleading impression that passkeys and 2FA are mutually exclusive. For example:
> Passwordless authentication is passwordless by definition – it’s designed to replace your passwords. Two-factor authentication is an entirely different concept. Rather than replacing something, 2FA adds a step (factor) to help strengthen the security of a password-protected account.
This isn't true. 2FA is not necessarily different, and it doesn't have to work by adding an extra step to password. Consider a FIDO2 hardware security key: it's passwordless, it's designed to replace password-based authentication, and it provides 2FA - on its own. Not in combination with username/password. A FIDO2 hardware security key is a passwordless MFA device.
I do take your point that the next sentence ends with "most 2FA flows". However, I don't think a blog post should make wrong statements and then correct them in later sentences. Every sentence should be precise and correct! But I'm a bit OCD in that way 😁. If you think it's not that important in this context, fair enough.
0 -
Regarding the NIST standard:
> NIST, in its current draft of SP800-63-4, defines a passkey as single factor if it’s synced.
Oh, now that's interesting. I can see that synced passkeys do dilute the notion of "possession" somewhat, since a user is only proving possession of any one of a group of synced devices, rather than a single device, so there's consequently a larger attack surface.
However if I'm reading the public draft of NIST SP800-63-4 on Authentication and Lifecycle Management correctly, if you treat something as 1FA, then it must be classified at the weakest authentication level, which they call Authentication Assurance Level 1 ("AAL1"). That implies they'll treat synced passkeys as having the same authentication strength as username/password. That doesn't sound right either! As we all know, passkeys offer many substantial benefits over username/password (even if they're synced).
Looking at the next level of authentication strength, AAL2, all the options are MFA (section 4.2.1). There is no option for 1FA. One option in particular, "Multi-Factor Cryptographic Software" (described in 5.1.8), sounds like it describes passkeys perfectly. It's software-based, it proves possession of a key, and it can be activated using either memorized secret or biometric characteristic. It even says the secret key SHOULD (not MUST) be stored in suitably secure storage (e.g. keychain storage, TPM, TEE). However, it doesn't say anything about whether they're synced or not. I guess they're assuming there's only one device, though - and that implies they're unsynced.
Once you move to the highest authentication strength, AAL3 (section 4.3.1), the previous option "Multi-Factor Cryptographic Software" is no longer available. All the options involve hardware-based keys.
> mostly in high-assurance/regulatory environments
Right, so I expect there are highly regulated enterprises who want to use "Multi-Factor Cryptographic Software" at AAL2, but they don't want to allow synced passkeys. And I'm guessing they want NIST to explicitly exclude synced passkeys from AAL2?
Unfortunately this implies that synced passkeys would not really fit anywhere in the standard at all. And that implies that as passkeys get wider adoption, the NIST standard would no longer be applicable to consumer authentication scenarios. Which seems like a shame!
But like I said, I might be misreading or misunderstanding it.
0 -
> This isn't true. 2FA is not necessarily different, and it doesn't have to work by adding an extra step to password. Consider a FIDO2 hardware security key: it's passwordless, it's designed to replace password-based authentication, and it provides 2FA - on its own. Not in combination with username/password. A FIDO2 hardware security key is a passwordless MFA device.
Bit confused here: is that with or without user verification?
(like PIN code or biometrics)
0 -
@XIII this is with user verification - typically either a PIN/passphrase or an integrated biometric sensor. I believe the correct name for this standard is actually FIDO UAF.
You're right there's actually another standard, which used to be called FIDO U2F (now rebranded as FIDO2 CTAP1), which describes a hardware device with a simple button. This provides only a single factor (on its own) or a second factor (in conjunction with username/password).
So yes, I should have clarified that it's UAF devices specifically, which provide true passwordless MFA. I do find FIDO's standard naming a bit confusing! It's all summarized at https://fidoalliance.org/specifications/.
For what it's worth, synced passkeys are based on the same family of standards ("Multi-device FIDO credentials").
0
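As an added illustration (not code from the thread, from 1Password, or from the FIDO specifications), here is how a relying party can read the WebAuthn authenticator-data flags to tell which of the cases discussed above an assertion actually represents: user verification (PIN/passphrase or biometric) present or absent, and whether the credential is backup-eligible / backed up, i.e. a synced passkey. The flag bit positions are the WebAuthn ones; the helper `make_auth_data`, the RP ID `example.com` and the sample flag values are constructed for the demo.

```python
import hashlib
import struct
from dataclasses import dataclass

# WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # User Present: a touch/button press happened
FLAG_UV = 0x04  # User Verified: PIN/passphrase or biometric unlocked the credential
FLAG_BE = 0x08  # Backup Eligible: multi-device (syncable) credential
FLAG_BS = 0x10  # Backup State: credential is currently backed up / synced


@dataclass
class AssertionInfo:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int

    def factors(self) -> set:
        # Possession is demonstrated by the signature over the challenge (assumed
        # already verified before this point); UV adds knowledge or inherence.
        f = {"possession"}
        if self.user_verified:
            f.add("knowledge-or-inherence")
        return f


def parse_authenticator_data(auth_data: bytes) -> AssertionInfo:
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is invalid per WebAuthn")
    (count,) = struct.unpack(">I", auth_data[33:37])
    return AssertionInfo(bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                         bool(flags & FLAG_BE), bool(flags & FLAG_BS), count)


def classify(auth_data: bytes) -> str:
    """Map an assertion to the cases argued over in the thread."""
    info = parse_authenticator_data(auth_data)
    if not info.user_present and not info.user_verified:
        return "reject: no user interaction"
    if not info.user_verified:
        return "single-factor: possession only (e.g. button-only U2F)"
    if info.backed_up:
        return "multi-factor: synced passkey"
    return "multi-factor: device-bound credential"


def make_auth_data(flags: int, sign_count: int, rp_id: str = "example.com") -> bytes:
    # Constructed sample for the demo; a real RP receives these bytes from the client.
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

A relying party that requested `userVerification: "required"` should treat the UV bit being clear as a failed check rather than silently accepting a possession-only assertion.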