Fixes TODO

ERRORS to address:

  • ...
  • ...

Mention at least Persistent Linking from https://passkeys.dev/docs/reference/terms/. Is there anything else from there for the Glossary?

News on client platforms

News from https://passkeys.dev/device-support/ Last Updated: May 09, 2024
Synced - Ubuntu - Browser Extensions

  • Autofill UI - Android Edge from 122+; Safari and Windows - Firefox from 122 (Jan 2024), Edge from 122+; Ubuntu Browser Extensions
  • Added Native Apps support section
  • Added Client Hints section to Advanced, only partially in Chrome on Chrome OS and partially (4,5) in Chrome and experimental/partial support in Edge on macOS, Ubuntu and Windows

Remove this, not crucial??: Passkey support will be available on the Wear OS smartwatch platform [https://www.techtimes.com/articles/304767/20240517/google-o-new-passkey-updates-coming-android-15-wear-os.htm].

User adoption

Google Trends:
- https://trends.google.com/trends/explore?date=2023-04-01%202024-12-31&q=%2Fg%2F11stj9b049&hl=en
- https://trends.google.com/trends/explore?date=2023-04-01%202024-12-31&q=passkey&hl=en

Passkeys have been used to authenticate users more than 1 billion times across over 400 million Google Accounts as of May 2024 (https://blog.google/technology/safety-security/google-passkeys-update-april-2024/)

An independent survey commissioned by the FIDO Alliance found that:

  • Most people are aware of passkey technology (62%).
  • Over half reported enabling passkeys on at least one of their accounts (53%).
  • When they adopt at least one passkey, nearly 1 out of 4 enables a passkey whenever possible (23%).
  • Most believe passkeys are more secure (61%) and more convenient than passwords (58%).

The 2,000 respondents from the US and UK were invited by email.

Some are not as enthusiastic, especially for enterprise applications: https://www.scmagazine.com/resource/are-users-ready-to-go-passwordless-why-its-better-to-move-slowly
Only 36% of participants in the Bitwarden Developer Survey 2024 believe FIDO2 and passkeys could replace passwords. https://bitwarden.com/resources/the-survey-room/

Sites and apps adoption

In another study, the FIDO Alliance found that passkeys are supported by 20% of the world’s top 100 websites and 12% of the top 250, with 13 billion accounts able (potential, not a fait accompli) to leverage passkeys for sign-in.
https://fidoalliance.org/content-ebook-consumer-password-and-passkey-trends-wpd-2024/

Convincing new selection from https://passkeys-directory.dashlane.com/ (for intro update):

  • Adobe
  • Air New Zealand
  • Amazon
  • Apple
  • Arpari
  • Best Buy
  • Binance
  • BMW (UK and USA)
  • Carnival
  • Cloudflare
  • Coinbase
  • Discord
  • DocuSign
  • eBay
  • GitHub
  • Google
  • Kayak
  • LinkedIn
  • Magic
  • Microsoft
  • Nintendo
  • Nvidia
  • PayPal
  • PlayStation
  • Twitter
  • Uber

Passkeys can now be used to sign in to Microsoft apps and websites, including Microsoft 365 and Copilot, in desktop and mobile browsers. Support for signing in to mobile versions of Microsoft applications with passkeys will follow soon:

Besides on-device sign-in:
- https://www.microsoft.com/en-us/security/blog/2023/09/26/new-security-features-in-windows-11-protect-users-and-empower-it/
- https://support.microsoft.com/en-us/windows/passkeys-overview-301c8944-5ea2-452b-9886-97e4d2ef4422

It is also possible to use Microsoft Entra ID to log in with passkeys:

Still, using Windows Server Active Directory Domain Services (AD DS) to access on-premises resources using only local services is not supported: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2

Passkeys with your Google Account: https://myaccount.google.com/signinoptions/passkeys

Added support to WhatsApp: https://faq.whatsapp.com/1850567238795036/?helpref=uf_share

Implementation

Good hints on implementation and common misconceptions and problems: Corbado Blog - https://www.corbado.com/blog/passkey-implementation-pitfalls-misconceptions-unknowns

Browsers are continually improving their Web Authentication API support: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API#browser_compatibility. WebAuthn Level 3 is currently an editor's draft and the standard is expected around the end of 2024: https://w3c.github.io/webauthn/

Some user authentication solutions, such as Hanko and Auth0, focus strongly on passkeys and are significantly improving passkey support. https://www.hanko.io/passkey-api , https://www.hanko.io/changelog, https://auth0.com/features/passwordless

Currently, there is no extensive support for the standardised method (REF!!) by which a website signals that it supports passkeys, so that credential managers can prompt users to upgrade the authentication of their accounts on newly supporting sites. Google Password Manager has an initial implementation, but this needs broader support from websites and other credential managers.

Credential providers

Credential providers, such as 1Password and Dashlane, are now leveraging the passkey management APIs on iOS 17 (ASAuthorization API), Android 14 (Credential Manager API) and other operating systems (https://www.dashlane.com/blog/dashlane-passkey-support-ios, https://android-developers.googleblog.com/2023/10/simple-and-secure-sign-in-on-android-with-credential-manager-passkeys.html, https://developer.android.com/identity/sign-in/credential-provider). These APIs provide unified but platform-specific interfaces for passwords, passkeys and other credentials. They also streamline the use of passkeys in native applications (https://developer.android.com/identity/sign-in/credential-manager, https://android-developers.googleblog.com/2023/10/simple-and-secure-sign-in-on-android-with-credential-manager-passkeys.html).

Case studies

For an e-commerce company, passkey implementation improved security and end-user experience. Although the previously implemented passwords with SMS OTPs were successful in combating phishing attacks, they were costly, not user-friendly and not entirely effective. Passkeys addressed these issues by improving security, reducing costs and enhancing user experience. As a result, 900,000 accounts registered passkeys, increasing the sign-in success rate from 67.7% to 82.5% and decreasing the sign-in time from 17 seconds to 4.4 seconds. [https://fidoalliance.org/mercaris-passkey-authentication-speeds-up-sign-in-3-9-times/]

A government department sought to enhance security and end-user experience for their digital identity solution for over 10 million users. They chose to implement passkeys to replace passwords and SMS OTPs, which were costly and vulnerable to phishing. Their goals were to streamline the login process, decrease the strain on the help desk and fortify security. Based on prior experiences, they required a standards-based solution with interoperability and vendor neutrality. They created a tailored user experience based on findings from usability studies. Within six months, more than 100,000 devices enrolled in passkeys and there was a significant reduction in help desk calls for password resets. Future targets include migrating all users to passkeys, implementing authentication for the workforce and incorporating FIDO authentication into the state’s Zero Trust Identity strategy. [https://fidoalliance.org/state-of-michigans-milogin-adopts-passkeys/]

New uses

Passkeys are increasingly being used for end-to-end encryption via the PRF WebAuthn extension (https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension, https://w3c.github.io/webauthn/#prf-extension), which provides access to an encryption key derived from a passkey for a particular site; that key can then be used to reliably encrypt and decrypt data. One use of this is to provide the client with vault data (https://bitwarden.com/blog/log-into-bitwarden-with-a-passkey/).

For developers

Test Sites & Tools: https://passkeys.dev/docs/tools-libraries/test-sites/

Passkeys design guidelines:

Risks and new approaches

There are potential security issues with passkeys and solutions to address them [https://www.scmagazine.com/feature/identiverse-2024-deepfakes-passkeys-and-more]. Some passkey implementations are less secure, particularly when user verification is not required. As some passkey authenticators do not support user verification, the best option for relying parties is to set it as "preferred" rather than "required."

Device-bound passkeys are considered strong enough not to require MFA for internal users. However, passkeys synced across devices pose a security risk as they are stored in the cloud, making the trust model dependent on the security of the passkey provider. This necessitates certification of these platforms, the development of which is in progress. Without enforced user verification, there is a phishing risk, especially if private keys are not encrypted during credential manager changes.

The FIDO Alliance is developing a credential-manager migration and exchange standard [https://fidoalliance.org/specifications-credential-exchange-specifications/]. However, stolen or phished passkeys without user verification might not be identified unless it becomes possible to detect if credentials have been migrated.

The alliance is also offering independent testing and certification programmes that address key elements of passkeys, including functional certification of authenticators (at three levels with two increments) and biometric components [https://fidoalliance.org/certification/, https://fidoalliance.org/certification/fido-certified-products/]. Establishing an integral scheme for passkey authenticator and provider implementations would greatly benefit their adoption in more secure scenarios.

Enhancement on our Wiki

Provide links to the text at https://wiki.geant.org/display/GWP5/Passkey:

Metadata (v1)
- Published date: 27 November 2023
- https://zenodo.org/records/10210492
- https://resources.geant.org/wp-content/uploads/2023/11/GN5-1_White-Paper_Passkeys-Use-and-Deployment-for-RE-Services.pdf (https://resources.geant.org/project-output/gn5-1-white-papers/)
- Working versions: https://wiki.geant.org/pages/viewpageattachments.action?pageId=661521578
