News + Resources

Industry news, Astaara press releases & maritime cyber risk resources

Monday, January 5, 2026
Passkeys – are they the future? Yes, but not yet

We need to look beyond the era of logins, passwords and two-factor authentication to combat the threat of phishing. The next best thing, in the view of the NCSC, is passkeys. Why are they good?

  • They are generated securely and cannot be guessed;
  • They cannot be phished;
  • They are unique for each website, so if one website is compromised, the rest of your credentials are unaffected; and
  • They are quicker for users. (Microsoft reckons passkey authentication takes eight seconds, compared with 69 seconds using the traditional login and MFA method.)

However, whilst passkey technology is improving year on year, the NCSC does not believe now is the right time to advocate fully for their adoption. 

What are the main difficulties?

Inconsistent support and experience

There are different kinds of passkey available from different providers, and therefore the user experience is not coherent. For example, a passkey can live on a physical token, be ‘device-bound’ (it stays on the device that created it), or be ‘synced’ (your credential manager looks after it and synchronises it across the other devices you own).

Groups such as the FIDO Alliance and W3C are working on standards. There is still a lack of consistency in how these are to be achieved. 

Device loss scenarios 

Losing a device can be catastrophic, with or without a credential manager.

Migration issues 

Passkeys are long lived. In some cases, users may have no need to update them. But there’s also the issue that a user may wish to migrate their passkeys from one device to another, which remains challenging.

Account recovery process 

This is the next battle space: attackers will look at account recovery and reset requests and companies need to ensure that these processes are robust and secure.

Platform differences 

There are multiple platforms and passkey logins can be inconsistent and therefore put people off. 

Suitability for different scenarios 

Passkeys assume the user has exclusive private access to an account or device for setting up and accessing the credential manager holding the passkeys, but this is not always the case (e.g. shared tablets and/or workstations at home). As yet there is no agreed industry-wide approach to this issue.

Further issues for applications that need passkeys:

Apps and websites that would like to offer passkeys as a means to sign in are suffering from a number of different problems, including:

Implementation complexity

Passkeys are difficult to use where a service authenticates across multiple domains, such as account.example.co.uk and account.example.com: you might need multiple passkeys to sign into what is, to the user, the same service. Passkeys are also inconsistently applied during the ‘authentication journey’, so it is not clear how much assurance they provide. Some websites therefore ask for the passkey plus an additional factor; others rely on passkeys alone.
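The two properties above, that a passkey cannot be phished and that it is bound to one website (which is also why a passkey for example.com cannot serve account.example.co.uk), both come from checks the relying party makes when it verifies a WebAuthn assertion. The following is an added illustration, not code from the NCSC or Astaara, of those origin and RP ID checks on constructed inputs; the signature check over the authenticator data and client data hash, which a real relying party must also perform with the stored public key, is left out.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_assertion(client_data_b64, authenticator_data, expected_challenge,
                    rp_id, allowed_origins):
    """Origin / RP ID part of WebAuthn assertion verification: (ok, reason)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    # The browser, not the user, fills in the origin, so a look-alike site
    # cannot present itself as the legitimate one: the phishing property.
    if client_data.get("origin") not in allowed_origins:
        return False, "origin not allowed: %s" % client_data.get("origin")
    # The authenticator scopes each credential to one RP ID; the first 32
    # bytes of authenticatorData are SHA-256(rpId): the per-website property.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another RP ID"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not asserted"
    return True, "ok"

def make_auth_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags (UP|UV) || counter."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
            + counter.to_bytes(4, "big"))

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON as the browser would encode it."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode())

CHALLENGE = b64url(b"constructed-challenge-0001")   # constructed sample value
ALLOWED = {"https://account.example.com", "https://example.com"}

if __name__ == "__main__":
    auth = make_auth_data("example.com")   # passkey registered to example.com
    for origin in ("https://account.example.com",
                   "https://example.com.evil.test"):        # constructed look-alike
        print(origin, check_assertion(make_client_data(origin, CHALLENGE),
                                      auth, CHALLENGE, "example.com", ALLOWED))
    # The same passkey cannot serve the sibling domain example.co.uk.
    print(check_assertion(make_client_data("https://account.example.co.uk", CHALLENGE),
                          auth, CHALLENGE, "example.co.uk",
                          ALLOWED | {"https://account.example.co.uk"}))
```

The second and third calls fail on the origin and rpIdHash checks respectively, which is exactly why a separate passkey is needed per RP ID.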

Multifactor status

There is no consensus yet as to whether passkeys count as multi-factor authentication on their own or whether they need additional verification such as biometrics and/or a PIN.

Syncing and sharing

There is debate as to whether passkeys can be shared across numerous users given multiple reliability and verification issues.

Conclusion

The NCSC is clear: it wants passkeys to become the default method of authentication in the future. But a number of activities remain, requiring more effort from all those involved, to ensure that the user has a satisfactory experience and does not resist adoption because it is just too difficult. Soon, but not yet.

  • William Egerton
    Chief Cyber Officer