Introduction:
Passkeys are a new technology that is changing the way we authenticate online. With the rise of phishing attacks and other forms of cybercrime, traditional usernames and passwords are no longer sufficient to keep online accounts secure. Passkeys offer a more secure alternative, using public-key cryptography to provide an additional layer of protection for online accounts. In this article, we will explore the architecture behind passkeys, how they work, and what the future holds for this technology.
Architecture of Passkeys:
At its core, a passkey is a cryptographic credential that is bound to a specific device and authenticator. This means that the credential cannot be transferred to another device or used on multiple devices. The process of creating and using a passkey involves several steps:
1. Account bootstrapping: The first step in creating a passkey is to verify the user with an existing authentication method. This can include MFA, hardware tokens, or other forms of authentication.
2. WebAuthn call: Once the user has been verified, the website makes a call to the navigator.credentials API (navigator.credentials.create). This call prompts the user to create a passkey on their device.
3. Passkey creation: The user is then prompted to create a passkey on their device. This involves the authenticator (such as a YubiKey or Microsoft Authenticator) generating a public key and a WebAuthn credential ID.
4. Response: Once the passkey is created, the website sends a response back to the user’s device, which includes the public key and the WebAuthn credential ID.
5. Reauthentication flow: For subsequent authentication attempts, the website uses the same WebAuthn API, calling navigator.credentials.get, to obtain an assertion from the passkey.
Technical Specs:
Passkeys are built on two specifications: WebAuthn and the Client to Authenticator Protocol (CTAP). WebAuthn is a W3C standard that defines a set of browser APIs for authentication. CTAP is a protocol developed by the FIDO Alliance that handles communication between the authenticator and the RP (Relying Party, such as a website).
CTAP simplifies communication with authenticators, giving RPs and apps a consistent interaction flow. One of the key benefits of CTAP is that it allows for device-based authentication, which is more secure than traditional username and password combinations.
Future of Passkeys:
The future of passkeys looks bright. As more websites and applications adopt this technology, we can expect to see a significant increase in online security. With passkeys, we can be confident that our online information is protected from cybercriminals and other malicious actors.
In conclusion, passkeys offer a more secure alternative to traditional usernames and passwords. With the help of WebAuthn and CTAP, we can expect to see widespread adoption of this technology in the future. As security professionals, it is our responsibility to stay informed about the latest developments in online security and to advocate for the use of passkeys and other cryptographic techniques to protect our online information.