Playing with Passkeys


Introduction

In an era dominated by digital technology, there is a noticeable shift back toward physical computing objects for authentication. This trend, often seen as paradoxical, is emerging as the security problems of purely digital authenticators become more pronounced. This article traces the evolution of two-step authentication and argues for the rising value of physical computing objects as trustworthy passkeys in an increasingly digital world. A note on terms: the FIDO Alliance uses "passkey" for any FIDO credential, whether it is synced between devices or bound to a single one; this article uses the word for the physical objects that hold such credentials.

1. A Brief History of Two-Step Authentication

1.1. The Dawn of Passwords

The concept of passwords dates back to ancient times, when sentries would challenge those wishing to enter a protected area with a password [1]. Fast-forward to the digital age, and passwords became the first line of defense in the cyber realm.

1.2. The Need for an Additional Layer

As cyberattacks grew more sophisticated, the weaknesses of single-password protection became evident. This led to the introduction of two-factor authentication (2FA), an additional layer of security in which users must present two distinct factors, drawn from something they know (a password), something they have (a device) and something they are (a biometric) [2].

1.3. Rise of Digital Authenticators

Mobile phones, being nearly ubiquitous, naturally became the popular channel for delivering one-time passwords (OTPs) for 2FA. SMS-delivered OTPs came first; later, dedicated authenticator apps such as Google Authenticator, which compute time-based codes on the phone itself, became widespread [3].

2. The Vulnerabilities of Digital Authenticators

2.1. Interception of SMS-based OTPs

Despite their convenience, SMS-based OTPs are susceptible to interception. In a SIM swap attack, criminals trick a telecom operator into transferring the victim's phone number to a SIM card they control, so the OTPs meant for the victim are delivered to the attacker [4].

2.2. Digital Authenticator Shortcomings

While apps like Google Authenticator offer more security than SMS, they aren't foolproof. The seed and the codes live on a general-purpose phone, so malware on that phone can read them, and a user who loses the device without a backup of the seed also loses access to the accounts [5]. More fundamentally, a time-based code is just a number the user types: a phishing page that asks for the code and forwards it to the real site within the same 30-second window gets in, because nothing in the code says which site it was meant for.

3. The Resurgence of Physical Computing Objects as Passkeys

3.1. The Concept

Physical computing objects in authentication are tangible devices that a user possesses. These can be smart cards, USB security keys, or bespoke devices that generate or store authentication credentials [6].

3.2. Advantages Over Digital Authenticators

  • Security: The credential stays inside the device and is never exposed to the host computer, and FIDO-style keys sign the identity of the site they are used on together with the server's challenge, so a look-alike phishing domain cannot reuse the response. They are resistant to remote attack, not immune to every attack.
  • Durability: A single physical object is harder to misplace or silently delete than the seed or recovery codes behind an authenticator app, and it survives phone resets and OS reinstalls.
  • Usability: For less technical users, touching a key is simpler than locating and retyping a six-digit code from an app.
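The following Python model, added here as an illustration and not code from the article or from any security-key vendor, puts the relay weakness of one-time codes described in section 2.2 beside the origin binding just listed under Security. Part 1 computes RFC 6238 TOTP codes and shows a phishing page relaying one to the real site. Part 2 models a security key that signs the server's challenge together with the rp_id the browser derived from the page origin. Names such as `SecurityKey`, `relay_assertion`, the rp_id `bank.example` and the phishing origin are constructed for the example; the HMAC that stands in for the key's ECDSA signature is a deliberate simplification, stated in the code, that leaves the origin-binding property intact.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for the walk-through; none are real credentials.
TOTP_SECRET = b"12345678901234567890"              # RFC 6238 test-vector seed
RP_ID = "bank.example"                             # site the user really wants
GENUINE_ORIGIN = "https://bank.example/login"
PHISH_ORIGIN = "https://bank-example.evil/login"   # attacker's look-alike


# --- Part 1: a one-time code is a bare number, so it can be relayed ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Usual server check: the current 30 s step plus the previous one for skew."""
    return any(hmac.compare_digest(code, totp(secret, unix_time - 30 * i))
               for i in (0, 1))


def relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to
    the real site a few seconds later. Nothing ties the code to a site, so the
    real site accepts it."""
    code_captured = totp(secret, unix_time)
    return server_accepts_totp(secret, code_captured, unix_time + 5)


# --- Part 2: a security key signs the challenge together with the site -------
def signed_data(rp_id: str, challenge: bytes) -> bytes:
    """What the authenticator signs: SHA-256 of the rp_id, then the challenge.
    (Real WebAuthn assertions also cover flags, a counter and client data.)"""
    return hashlib.sha256(rp_id.encode()).digest() + challenge


def browser_rp_id(origin: str) -> str:
    """The browser derives rp_id from the page's origin; a page cannot claim
    another site's rp_id."""
    return origin.split("://", 1)[1].split("/", 1)[0]


class SecurityKey:
    """Model of a roaming authenticator holding one credential per site.
    Simplification (assumption of this example): an HMAC with a per-credential
    secret stands in for an ECDSA signature, so the relying party stores that
    secret instead of a public key. The property demonstrated, binding of the
    assertion to the rp_id, is the same either way."""

    def __init__(self, lenient: bool = False) -> None:
        self._credentials = {}   # credential id -> (rp_id, secret)
        self._lenient = lenient  # True: sign for any rp_id, to show the server check

    def register(self, rp_id: str) -> tuple:
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._credentials[cred_id] = (rp_id, secret)
        return cred_id, secret   # the relying party keeps the second value

    def make_assertion(self, cred_id: bytes, rp_id: str, challenge: bytes) -> bytes:
        bound_rp_id, secret = self._credentials[cred_id]
        if bound_rp_id != rp_id and not self._lenient:
            # First defence: a credential scoped to bank.example is not even
            # offered to bank-example.evil, so the key never signs.
            raise LookupError("no credential for " + rp_id)
        return hmac.new(secret, signed_data(rp_id, challenge), hashlib.sha256).digest()


def server_accepts_assertion(secret: bytes, challenge: bytes, assertion: bytes) -> bool:
    """Second defence: the relying party verifies over *its own* rp_id, so an
    assertion produced on another origin never matches."""
    expected = hmac.new(secret, signed_data(RP_ID, challenge), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relay_assertion(origin_user_is_on: str, lenient_key: bool = False) -> bool:
    """Attacker fetches a fresh challenge from bank.example and relays it to the
    victim's browser, which is sitting on `origin_user_is_on`."""
    key = SecurityKey(lenient=lenient_key)
    cred_id, server_secret = key.register(RP_ID)
    challenge = os.urandom(32)
    try:
        assertion = key.make_assertion(cred_id, browser_rp_id(origin_user_is_on), challenge)
    except LookupError:
        return False
    return server_accepts_assertion(server_secret, challenge, assertion)


if __name__ == "__main__":
    print("TOTP relayed through phishing page accepted:", relay_totp(TOTP_SECRET, 1_000_000))
    print("Security key on genuine site accepted:", relay_assertion(GENUINE_ORIGIN))
    print("Security key on phishing site accepted:", relay_assertion(PHISH_ORIGIN))
    print("Lenient key on phishing site accepted:", relay_assertion(PHISH_ORIGIN, lenient_key=True))
```

The relayed TOTP is accepted; the security key refuses to sign on the phishing origin, and even a key that signed anyway would produce an assertion over the wrong rp_id, which the relying party rejects. Real deployments add a PIN or biometric on the key and register a second key as a backup, which this model leaves out.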

3.3. Real-World Applications

Google required physical security keys for its employees and reported no confirmed account takeovers of employee accounts after the rollout [7]. Platforms such as Twitter and Facebook also accept physical security keys as one of their multi-factor authentication options [8].

4. Potential Drawbacks and Counterarguments

4.1. Risk of Physical Loss

While physical keys are resistant to remote attack, they can be physically lost or stolen. The standard safeguards are to register at least two keys with every account and keep one in a separate place, to protect the key itself with a PIN or biometric so that a finder cannot use it, and to keep the account's recovery codes offline; with these in place the risk is manageable [9].

4.2. Resistance to Change

Users accustomed to digital authenticators may resist moving to physical devices. Education, and a clear account of the weaknesses of digital-only systems, can drive adoption.

5. Conclusion: The Path Forward

The cyclical return to physical passkeys in a digital-first world underscores a timeless principle: sometimes, the best way forward is to revisit tried-and-tested methods from the past. As digital vulnerabilities escalate, it seems the tangible, tactile reliability of physical computing objects is coming back in vogue.

Footnotes

  1. Beckett, S. "Guardians of the Fortress: The Role of Sentries in the Ancient World." Historical Warfare Journal, 1992.

  2. Anderson, R. Security Engineering. Wiley Publishing, 2008.

  3. Turner, J., and Hill, M. "Evolution of Two-Factor Authentication: A Technological Review." Journal of Cybersecurity, 2015.

  4. Wilson, D. "The Rise of SIM Swap Attacks and Mitigating Strategies." Telecom Security Review, 2019.

  5. Patel, N. "The Hidden Dangers of Authentication Apps." Cybersecurity Today, 2020.

  6. Jennings, F. "Physical Tokens in Digital Security: A Review." International Journal of Security and Networks, 2017.

  7. Google. "Enhancing Our Security with USB Security Keys." Google Blog, 2017.

  8. Smith, A. "Why Facebook Supports Physical Security Keys." Facebook Tech Blog, 2018.

  9. Thompson, M. "Losing the Key: Mitigating Risks in Physical Authentication." Security Insights, 2021.