Passkeys have no multi-factor authentication and are a security risk

tambo
Community Member

Everybody in the world is trying to sell passkeys as the next big thing in security. But passkeys have a huge security hole: it is single-factor authentication.

As I understand passkey authentication - it's a simple public/private key challenge/response. The server will allow any device to authenticate if it has the private key - regardless of whether it's holding the private key legitimately or illegitimately. There is no other factor.

I've raised this problem in a few places, and I get one of two responses:

(1) "The 'second factor' in passkey security is that the passkey never leaves your device."

Response: This isn't true for the vast majority of use cases and users.

The hype about passkeys invariably emphasizes that not only are they secure, but they are more convenient than passwords because they are "synced across all of your devices." How does device #1 sync a passkey with device #2? By transmitting it. And not even by an airgapped mechanism like a cable, but wirelessly. And not even locally wirelessly, but through the cloud.

Yes, "single-device passkeys" exist that are tied to a device. The vast majority of users are not going to use those because they are unwilling to manage unique passkeys on each device.

So the reality is that "synced" passkeys are flying over the Internet just like "synced" passwords. If they're stolen in flight by an eavesdropper, the eavesdropper can use them without any other credential to log in as you. That is single-factor authentication in a nutshell, and that risk is exactly why multi-factor authentication was invented in the first place.

(2) "The 'second factor' in passkey security is that the user authenticates with the device via biometrics or some other mechanism, so passkeys are 'inherently' multi-factor."

Response: This isn't valid because no such authentication is required of the passkey authentication mechanism.

When a server receives a request to authenticate, the server does nothing to verify the security or identity of the submitter. Maybe the submitter is the user's device and it's protected by biometrics. Or maybe the submitter is the device of an attacker who stole the passkey. The server doesn't ask, doesn't know, and doesn't care. As long as the device can answer a public/private key challenge using the passkey as one factor, the login succeeds.

"Security" that is 100% optional is not "security" at all.

So what does "the second factor is an expectation of device security" amount to? Blind trust. The server merely... trusts... that the submitting device or client is secure. "Blind trust" is not a valid factor in multi-factor authentication.

I don't know why passkeys are being pushed so hard given these security risks, but it is troubling.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided