Cover photo
web3dom

Passkey: The Best Password is No Password

web3dom #59 18.07.24

The previous week’s Drifting Classroom had 11 attendees, and I apologize for not being able to chat with each of you properly. It was quite a coincidence that we gathered just before Happy Belly announced its closure. While saying goodbye isn’t a bad thing, I believe supporting what we value in our daily lives is more ideal. Don’t wait until the last moment to act—love shouldn’t come too late.


To prevent phone scammers from impersonating you, you could agree with grandma to use “123” as a verification code when you call. You can keep this code secure, but you can’t prevent grandma from accidentally leaking it. Is there a way to verify your identity without revealing the password to Grandma? It’s like when Grandma asks, “What light through yonder window breaks?” and, without agreeing on a secret phrase, she confirms your identity with the reply. It sounds illogical, but mathematicians have found the perfect solution: asymmetric encryption with public and private keys.

Asymmetric Encryption

Let’s say Alice and Bob agree to encrypt their messages by shifting each letter back by one position, so “KTMBGZSMNNM” becomes “LUNCHATNOON” when decrypted by shifting forward by one position. This method, where both parties know the encryption and decryption mechanism, is called symmetric encryption.

The weakness of symmetric encryption is obvious: the more people who need to decrypt a message, the more people who know the encryption method. If you and 999 others are planning a secret mission, and all of you know the encryption method, it’s easy for the enemy to find out. Moreover, the enemy could infiltrate your group, posing as one of you and spreading false information.

In contrast, asymmetric encryption uses a pair of keys: a public key and a private key. The public key is shared openly, while the private key is kept secret. The magic of this method, invented around fifty years ago, is that anything encrypted with the private key can only be decrypted with the corresponding public key, and vice versa. This invention has become the foundation for many applications that protect privacy and verify identities, widely used in Bitcoin and other blockchain technologies.

Even if you’re not into cryptocurrencies or privacy-focused apps like Signal or ProtonMail, you’re benefiting from asymmetric encryption if you use WhatsApp, iMessage, FaceTime, Google Meet, or even just browse websites with HTTPS. You might not realize it, but without asymmetric encryption, you’d be effectively “naked” online.

Asymmetric encryption serves two main purposes:

1. Identity Verification: If Bob wants to verify Alice’s identity, he can ask her to “sign” a message—encrypt it with her private key. Bob can then decrypt it with Alice’s public key. If he gets the original message, it proves the sender is indeed Alice (or someone with access to her private key, highlighting the importance of keeping it secure).

2. Message Encryption: If Bob wants to send Alice a private message, he encrypts it with Alice’s public key. Alice can then decrypt it with her private key. Even if someone intercepts the message, without Alice’s private key, they’d see only gibberish.

I’ve often stressed that while cryptocurrencies are secure, they are not private. Most blockchains, including Bitcoin, Ethereum, Solana, Cosmos Hub, and LikeCoin, use public and private keys to verify users’ identities and ensure that only the private key holder can access the assets. However, they don’t encrypt transaction details. Privacy-focused blockchains like Zcash, Monero, and MobileCoin can encrypt transaction details, but they are always targeted by the government, therefore are often heavily regulated and are difficult to on-ramp and off-ramp.

The Ultimate Solution: Passkey

Using regular passwords at home doesn’t prevent grandma from accidentally leaking them, and it's the same on the internet. No matter how cautious you are, you can’t avoid website data breaches. To avoid being implicated by less cautious teammates, you need to switch to asymmetric encryption for identity verification—this is the core of passkey.

Passkey was developed by the World Wide Web Consortium (W3C) and the Fast Identity Online (FIDO) Alliance. In May 2022, Apple, Google, and Microsoft jointly announced their support for passkeys, bringing them into the spotlight. After all, a standard isn't really a standard unless the tech giants support it.

Though I often criticize Apple for being closed, it was the first and most comprehensive in supporting passkeys among the three giants, and it deserves praise for that. Just a month after announcing support, Apple unveiled the details of passkeys at its annual developer conference, WWDC, showing developers how to integrate them. Passkeys officially entered the public eye. In 2023, Google began supporting and encouraging users to switch to passkeys, and last month, Microsoft announced that regular user accounts could use passkeys for login. With backing from these three platforms, passkeys have gradually gained support from numerous websites. Google, for instance, already has over 400 million users with passkeys enabled, and if you haven't tried it yet, I recommend giving it a go.

Image credit: FIDO Alliance

Compared to users creating their own account names and passwords, using applications that support passkeys only requires defining an account name. The system then generates a pair of public and private keys on the device, with the private key stored on the user's device (iPhone, Android, Windows PC, etc.) and the public key kept by the service provider. Since users don’t have to create and remember passwords, this method is more convenient than traditional registration. When logging in, passkeys use the principles of public and private keys to verify identity. On most supported devices, users can authenticate with their biometrics to sign with their private key. The whole process doesn’t involve passwords, making it not only more convenient but also more secure than traditional passwords.

Convenience and security usually don't go hand in hand; the more convenient, the less secure, and vice versa. However, passkeys manage to achieve both, which might seem counterintuitive. Think of it this way: if your account uses a ten-layer password system, it’s incredibly cumbersome to log in every time. However, since it only utilizes one secure factor, it's a hassle with minimal added security, especially if all those passwords are written in the same notebook—a low “cost performance” ratio. Conversely, a passkey’s private key is stored on the user's device (what you have), and signing requires biometric verification (who you are), combining two factors that elevate security to another level. Scanning a fingerprint or face takes less than two seconds and doesn’t feel burdensome.

Besides being convenient and eliminating the risk of data breaches leaking passwords, passkey also prevents phishing since before signing, the system verifies the website’s metadata. In terms of both convenience and security, passkeys outperform traditional passwords across the board.

A Password-Free World?

So, is the password-free world upon us? Well, thinking that passkeys will quickly replace passwords might be a bit naive. If survival of the fittest was the only rule, would anyone still watch TVB? User habits can outweigh many deficiencies, and old habits die hard.

For the average user, security is mostly a feeling. As long as security measures seem solid, users feel safe. Conversely, if the measures look flimsy, users will lack a sense of security, even if it's just a perception. This is the dilemma passkeys currently face, and it's why I've spent four articles explaining how passkeys manage to be both convenient and secure.

Despite being superior to passwords, passkeys are not yet flawless. The most obvious issue is what to do if you lose your passkey. Everyone knows you can reset a lost password, but passkeys handle this differently. One method is to bind multiple passkeys to an account, stored on different devices—say, one on your computer and one on your phone. If you lose one, you can still log in with the other and disable the lost passkey to prevent unauthorized access. Another method is cloud synchronization, commonly used with Apple’s iCloud Keychain. As long as your passkeys are encrypted and synced to the cloud and other devices under the same Apple ID, losing one device isn't a catastrophe. While this solves the problem, it raises concerns about centralization. However, many people seem comfortable fully relying on Apple.

Beyond the issue of loss, passkeys, though clearly defined, are still relatively new and not fully standardized. Different applications may explain passkeys in varied ways, and translations can differ, causing user confusion. Recognizing the strategic importance of passkeys, each tech giant strives to become the default, if not the sole, choice for storing passkeys, sometimes leading to a frustrating user experience.

I've encountered this firsthand. With my MacBook, a Yubikey for 2FA, using Chrome with Proton Pass installed, the operating system, peripherals, browser, and plugins—all have their own ways of storing passkeys. Some sync to the cloud, some are local only. Different websites’ passkeys are stored in different places, and sometimes multiple passkeys are stored in multiple locations. Although the system automatically detects them during login, managing all this can be dizzying. If a user throws up their hands in frustration and goes back to passwords, I can understand.

Even after more than two years since the three tech giants announced support for passkeys, not many people around me seem aware of them, and even fewer understand how they work. If this is the case in my circle, imagine the general public. We can't blame users for not using what they don’t understand. If something is popular just because it seems convenient without users understanding its safety, that's a problem. For passkeys to gradually replace passwords, service providers need to educate users on how passkeys offer both convenience and security.

Nobody disputes the importance of scientific research, but without public understanding, new technologies may go unused or be demonized. This is true for passkeys and even more so for blockchain technology. Making technology serve the needs of civil society is the core of my commitment to web3 education.

Endnote

We've covered a lot in our cybersecurity series, from 2FA and password managers to public and private keys, finally arriving at this week’s star: the passkey. For now, let's take a breather and digest all this information. There’s some more to come, but I’ll give you a break before diving into bonus topics. Also, stay tuned for a special announcement next week.


P.S. There's a charming 90s British film called Four Weddings and a Funeral. While the love story didn't resonate much with me, the routine of attending four weddings and a funeral felt oddly familiar. Reflecting on the past year, I realized I’ve attended one wedding and four funerals. The most recent loss was the owner of the small restaurant featured in our cover photo. I guess this is just another phase of life.

Loading...
highlight
Collect this post to permanently own it.
DHK dao logo
Subscribe to DHK dao and never miss a post.
#en