Passkeys

Jul 16, 2024

Introduction

  • Discussion of passkeys is mounting in tech and media.
  • Explains what passkeys are, why they are needed, and how they work in the Microsoft ecosystem.

History of Authentication

  1. Passwords: Used first, but inherently weak.
  2. One-Time Passcodes: Sent to users by text message, but can be intercepted or phished.
  3. FIDO v1: Added a strong second factor in the form of a hardware fob.
  4. Microsoft Authenticator App: The initial simple tap "Yes" was replaced by number matching, which requires the user to enter a number shown on the sign-in screen, giving more context and some resistance to phishing (though still susceptible to social engineering).

Strength of Authentication

  • Passwordless MFA: Includes the Microsoft Authenticator app.
  • Phishing-resistant MFA: Excludes the Authenticator app, because it relies on the human noticing that the prompt is fraudulent.

Phishing Vulnerabilities

  • Social Engineering Example: Described how a bad actor can trick a user into approving the bad actor's sign-in session.
  • Vulnerability: There is no proof that the authenticator device is physically near the machine being signed in to.

Secure MFA Methods

  • Windows Hello for Business: Key protected by the TPM in the machine being accessed.
  • Certificate-Based Authentication: Requires inserting a smart card.
  • Passkeys: Can involve USB devices, a user gesture (thumbprint, PIN), and a proximity check.

Evolution of FIDO

  • FIDO Alliance: Developed FIDO v1 for PKI-based second-factor authentication; evolved it into FIDO v2 for broader applicability.
  • FIDO v2 enabled platform-specific authenticators (e.g., Windows Hello, mobile devices).

Passkeys Defined

  • The term "passkey" is easier for the average user to understand than the other terms.
  • Passkeys operate on PKI, with a public and a private key pair.

FIDO2 and Authentication Flow

  • Components: Relying Party (site), client (browser), and authenticator (device).
  • Process: create and register a passkey; at sign-in the relying party sends a nonce challenge, the user performs a gesture, and the authenticator signs the challenge.
  • Ensures proof of proximity and of user intent.
  • Demonstrated to be resistant to phishing and social engineering.

Implementation

  • WebAuthn & CTAP: The protocols that make passkeys work.
  • Authentication runs over HTTPS, with Bluetooth possibly used for the proximity check.

Cross-Device Authentication

  • Illustrates how devices first communicate via CTAP and WebAuthn for the proximity check, then complete authentication over HTTPS.
  • Showed cross-device authentication and passkey syncing across ecosystems (e.g. Apple devices, Android devices).
  • Two types of passkeys: device-bound (the key cannot leave the authenticator) and synced (the key syncs through a cloud service).

Examples & Demonstrations

  • Using passkeys within a Microsoft Entra tenant and with Microsoft accounts.
  • Microsoft Entra currently supports device-bound passkeys on Android 14+ and iOS 17+.
  • AAGUIDs (authenticator attestation GUIDs) must be configured in the Entra tenant to enable passkeys.

User Experience

  • The user experience is the same whether signing in with Entra or with a Microsoft consumer account.
  • Microsoft accounts require synced passkeys, whereas Entra currently supports device-bound passkeys.

Conclusion

  • Encouraged adoption of passkeys for their stronger security and user-friendly experience.
  • The future direction is universal passkey adoption across all platforms.