Passkeys have no multi-factor authentication and are a security risk
Everybody in the world is trying to sell passkeys as the next big thing in security. But passkeys have a huge security hole: it is single-factor authentication.
As I understand passkey authentication - it's a simple public/private key challenge/response. The server will allow any device to authenticate if it has the private key - regardless of whether it's holding the private key legitimately or illegitimately. There is no other factor.
I've raised this problem in a few places, and I get one of two responses:
(1) "The 'second factor' in passkey security is that the passkey never leaves your device."
Response: This isn't true for the vast majority of use cases and users.
The hype about passkeys invariably emphasizes that not only are they secure, but they are more convenient than passwords because they are "synced across all of your devices." How does device #1 sync a passkey with device #2? By transmitting it. And not even by an airgapped mechanism like a cable, but wirelessly. And not even locally wirelessly, but through the cloud.
Yes, "single-device passkeys" exist that are tied to a device. The vast majority of users are not going to use those because they are unwilling to manage unique passkeys on each device.
So the reality is that "synced" passkeys are flying over the Internet just like "synced" passwords. If they're stolen in flight by an eavesdropper, the eavesdropper can use it without any other credential to login as you. That is single-factor authentication in a nutshell, and that risk is exactly why multi-factor authentication was invented in the first place.
(2) "The 'second factor' in passkey security is that the user authenticates with the device via biometrics or some other mechanism, so passkeys are 'inherently' multi-factor."
Response: This isn't valid because no such authentication is required of the passkey authentication mechanism.
When a server receives a request to authenticate, the server does nothing to verify the security or identity of the submitter. Maybe the submitter is the user's device and it's protected by biometrics. Or maybe the submitter is the device of an attacker who stole the passkey. The server doesn't ask, doesn't know, and doesn't care. As long as the device can answer a public/private key challenge using the passkey as one factor, the login succeeds.
"Security" that is 100% optional is not "security" at all.
So what does "the second factor is an expectation of device security" amount to? Blind trust. The server merely... trusts... that the submitting device or client is secure. "Blind trust" is not a valid factor in multi-factor authentication.
I don't know why passkeys are being pushed so hard given these security risks, but it is troubling.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @tambo! 👋
I would be happy to share the security model that supports passkeys, specifically passkeys stored securely in 1Password.
Passkeys are a modern alternative to passwords – they enable people to log in to their online accounts without having to enter a password. Passkeys are based on a public-private key pair – one key is public and connected to the website or app you’re using, the other key is private and stored in 1Password.
So the reality is that "synced" passkeys are flying over the Internet just like "synced" passwords. If they're stolen in flight by an eavesdropper, the eavesdropper can use it without any other credential to login as you.
Your passkey's private key cannot be stolen from 1Password by someone who is snooping on your internet connection. Your passkey is protected using end-to-end encryption and, while at rest, an attacker would need both your account password and Secret Key to decrypt and access your passkey. When you use your 1Password account to make your passkey available on all of your devices, the attacked would need your account password and Secret Key and they would also need to break two other layers of encryption to get to your passkey: SSL and SRP. You can read more about the encryption protecting your 1Password account here:
- Three layers of encryption keeps you safe when SSL/TLS fails
- How Secure Remote Password protects your 1Password account
So what does "the second factor is an expectation of device security" amount to? Blind trust. The server merely... trusts... that the submitting device or client is secure. "Blind trust" is not a valid factor in multi-factor authentication.
Two-factor authentication was designed to add an additional layer of protection to passwords against phishing. Passkeys can't be phished like traditional passwords because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams. Two-factor authentication, in the form of time-based one-time passwords (TOTP), also does not prove to the server that the submitting device/client is secure.
The weaknesses of passwords, such as the ability for a fake website/app to convince you to enter your password by tricking you into believing that it is the real website/app that you're trying to sign into, have been fixed in the design of passkeys. 1Password will only use a saved passkey to sign into the website or app that the passkey was saved for.
That being said, where you store your passkey matters. Choosing to store your passkey in 1Password, where it is protected using end-to-end encryption and can't be accessed or used unless someone has both your account password and Secret key, is an important step in keeping your authentication information secure.
-Dave
0 -
Hi @Dave_1P!
Every discussion I've seen about passkeys assumes that the passkey store is trusted. Zero knowledge encryption is great, but the private keys are vulnerable in the client. Suppose for example that either a vulnerability in the client lets a malware read the keys, or that a rogue binary is sent on the next update, which will exfiltrate the keys. TOTP (generated somewhere else) was protecting about that. I don’t think passkeys do, but I’d love to be proven wrong, as I’d much rather just put everything in 1Password and forget about it :-)
Right now, I guess the most secure thing to do is to just put passkeys on yubikeys, but that’s certainly not the most convenient.Cedric
0
