
Beyond Passkeys: Why We Need More Than Just a Password Replacement

Bill Fish
October 23, 2024

Think of your password as a secret handshake with your online accounts. It is meant to get you past a gatekeeper with minimal effort, using a piece of data that only you know. The problem is that, however accustomed we are to them, passwords simply do not provide an adequate level of security. Consider just one recent, but massive, event: in July 2024 the "RockYou2024" compilation was discovered, a collection of nearly 10 billion stolen passwords leaked on the BreachForums underground forum and assembled from breaches spanning two decades. Because people reuse passwords across sites, a list like that is immediately useful for credential stuffing against accounts that were never breached themselves. And it is just one of the many, many breaches that have already done significant damage to individuals and institutions.

Passwords have long been accepted as the way to grant digital access, but the time has come to evolve past them. Some are advocating for passkeys, which are being widely adopted as a preferable alternative. Technically, a passkey is a FIDO2/WebAuthn public-key credential: the private key stays in the user's authenticator, the relying party stores only the corresponding public key, and each login is a signed response to a fresh challenge that is bound to the site's origin. A breached server therefore yields nothing an attacker can replay, and a look-alike phishing site cannot obtain a usable signature. Tech giants like Apple are rapidly spreading the use of passkey technology as a way to improve the customer experience. While there are clear advantages to using passkeys over passwords, there are still issues with relying on a passkey-only approach. We explore these below.

Google Goes All-in on Passkeys


Now, even Google is fully committed to a passwordless future, with passkeys as its chosen replacement across the massive ecosystem of Google services and products. To make the transition, Google is introducing updates to Chrome that simplify passkey management and syncing across devices.


Google has stated that it believes passkeys are more secure than traditional passwords and offer a simpler login experience. Instead of remembering complex passwords, users unlock the passkey with the device's screen lock, typically a biometric such as a fingerprint or face scan, or a PIN. Note that the biometric never leaves the device: it only unlocks the locally stored private key, and the site receives a signature, not biometric data.


Previously, Google's Password Manager only allowed users to save passkeys on Android. Using them on other devices meant grappling with QR codes – a clunky process that pushed many users towards alternative passkey solutions like 1Password and Apple.


But Google's latest updates eliminate this hurdle. According to the company, users can now save and use passkeys seamlessly across devices without relying on QR codes. This enhancement makes Google Password Manager a far more convenient and competitive option for those ready to embrace a passwordless world.


Clearly, simplifying the user experience was a primary factor in Google's decision, and it will undoubtedly score points with customers. But security concerns remain, and the reality is that passkeys alone will not make users safe.

The Limitations of Passkey Authentication


While passkeys offer a significant security upgrade over traditional passwords, they do not by themselves satisfy every authentication requirement. In particular, they do not always prove what a strong multi-factor authentication (MFA) policy expects them to prove: possession of one specific device.


Google's passkey syncing weakens exactly that factor. A device-bound passkey is "something you have": the private key exists in exactly one authenticator. Once the passkey is synced, the same private key is present on every device signed in to the sync account, so a signature no longer demonstrates possession of a specific device; it demonstrates access to the account that distributes the key. NIST's April 2024 supplement to SP 800-63B reflects this distinction: it permits syncable authenticators at AAL2 but not at AAL3, where a hardware-bound authenticator is required.


This limitation highlights a key principle of digital identity as outlined by the National Institute of Standards and Technology (NIST) in SP 800-63B: strong authentication relies on multiple authentication factors, different types of evidence that prove your identity. These factors fall into three categories:

  • Something you know: Passwords, PINs (security questions are still common in practice, though NIST no longer accepts them as an authenticator).
  • Something you have: Physical tokens, your phone, a security key.
  • Something you are: Biometric traits like fingerprints, facial features, or your voice.

To meet truly effective security requirements, especially in high-risk scenarios, it is crucial to combine at least two of these factor types, each verified independently. Two instances of the same type, such as a password plus a PIN, do not count as two factors.


The solution lies in leveraging phone-centric identity signals and device possession:

  • Device possession: The phone itself becomes the "something you have" factor. Requiring the passkey to be exercised from that specific device, rather than from any device the sync account reaches, restores a genuine possession check.
  • Phone-centric identity signals: The phone number and SIM (the carrier's record of which SIM and device sit behind a number, and how recently either changed) serve as further evidence of possession, while behavioral patterns such as typing rhythm are an inherence signal. The caveat practitioners will recognize is that a number alone is not possession: SIM-swap and port-out fraud move a number onto an attacker's SIM, which is why SIM-change recency belongs in this check. Used together with the passkey, these signals confirm "something you have".

By integrating these elements, users could actively enhance their passkey security with an additional factor. This approach provides a more secure authentication process without sacrificing the convenience of passkeys.

Passkeys Are a Step in the Right Direction, But Can’t Operate Alone


Passkeys are designed to be more secure and convenient than traditional passwords. Unlike passwords, which are stored (hashed, at best) on servers and exposed by data breaches, a passkey's private key resides on your device (like your phone or computer); the server holds only the public key, which is useless to an attacker on its own. This eliminates memorization and cumbersome two-factor authentication codes, as highlighted in Google's blog post, So Long Passwords, Thanks For All the Phish.

However, there is a catch. While passkeys themselves are strong authenticators, their dependence on accounts with providers like Apple and Google, or on traditional password managers, introduces a weakness. Those accounts are linked to the tech giant or provider, not inherently to a user's device, and whoever controls the account controls where the passkeys go.


This leads to a critical issue: distributing passkeys to new devices.


When you get a new phone or computer, you need to access your Apple or Google account to set up your passkeys. But how do you access those accounts? Ironically, you often need traditional methods like passwords and one-time passcodes (OTPs).


This creates a circular dependency:

  • You need your passkeys to log in securely.
  • But you need passwords and OTPs to access your passkeys on new devices.

It's like an authentication paradox – the very system designed to replace passwords ends up relying on them. This undercuts the goal of a truly passwordless future.


Essentially, while passkeys offer a more streamlined and secure login experience, their current implementation still hinges on older, less secure authentication methods for account recovery and device enrolment. The security of every passkey in a synced store is therefore bounded by the security of that recovery path. This highlights the need for a more robust and independent identity verification system to fully realize the potential of passkeys.

The Faulty Logic in Sync’d Passkeys


Think of it this way: if your passkey is synced across all your devices, the secret that used to live in one place now lives in many. A bad actor who compromises any one of those devices, or the sync account itself, can exercise the passkey, and the "something you have" factor that is essential for robust MFA is undermined.


The promise of passkeys was to deliver strong, multi-factor authentication in a single step. However, as Apple and Google have prioritized portability and cross-device syncing, a critical element of security has been diluted: proof of device possession.


Prove is helping deliver passwordless authentication, advocating for advanced identity solutions that leverage the inherent security of mobile devices. This approach, known as deterministic authentication, has gained significant traction in the financial services industry and beyond.


Instead of relying on vulnerable passwords, deterministic authentication utilizes a combination of factors tied to a user's mobile device to authenticate with a high degree of confidence. This includes elements like possession of the device, phone number reputation, and ownership verification.


By championing this more secure and user-friendly approach, Prove has helped drive the adoption of passwordless technology, enabling businesses to enhance cybersecurity while offering a frictionless experience for their customers.

Here's how:

  • Device-bound authentication: The passkey's private key is tied to a registered and trusted device, so even if the account that would otherwise distribute it is compromised, the key cannot be exercised from anywhere else.
  • Phone-centric identity signals: Prove goes beyond simple device possession by analyzing a wealth of phone-centric signals – including phone number, SIM card data, network information, and even user behavior patterns – to establish a strong link between the user and their device. This allows us to distinguish between legitimate device changes (like upgrading to a new phone) and potentially fraudulent activity.

This approach, which builds on cryptographic keys such as the one provisioned in your SIM card, offers a better way to authenticate than strong passwords or passkeys alone, and provides these benefits:

  • Universal Accessibility: Almost everyone owns a mobile phone, making this solution readily available across the globe.
  • Freedom from Passwords and OTPs: No more remembering complex passwords or waiting for one-time passcodes. Enjoy seamless authentication across all your devices.
  • Improved User Experience: Experience a smoother, more convenient login process with simplified authentication.
  • Effortless Device Authentication: Securely authenticate any device, anywhere, using methods like app notifications or biometrics.
  • Cost-Effective Security: Reduce authentication costs by eliminating expenses related to password resets and OTP generation.

Why is this approach more secure than passkeys?


While passkeys offer improvements over passwords, they are still tied to accounts protected by... passwords! This creates a vulnerability: the recovery path for the passkey store becomes the weakest link. In contrast, mobile-based authentication relies on physical possession of the device, which an attacker must obtain and unlock, making compromise significantly harder and, above all, impossible to scale the way credential stuffing does. This "possession check" adds a powerful layer of security.


By leveraging the inherent security of mobile devices, authentication not only strengthens security but also enhances user experience. It capitalizes on the one device people always have with them – their phone – to provide a simple, secure, and user-friendly authentication solution.


This contrasts sharply with traditional identity methods like social security numbers or passwords, which are static or slowly changing and vulnerable to theft. Stealing someone's phone-centric identity is far more difficult, requiring a fraudster to not only acquire the phone but also unlock the device and mimic the legitimate user's behavior over time.


By combining the convenience of passkeys with the security of phone-centric identity, Prove delivers a truly robust and trustworthy authentication solution. We restore confidence in passkeys, ensuring that they fulfill their initial promise of simple yet strong multi-factor authentication.
