6. A passkey is…
Multi-device FIDO credential
An authentication credential that is:
• Based on public key cryptography, like any other FIDO credential.
• Backed up, and able to be replicated across devices*.
• Designed to help scale FIDO adoption, particularly in the consumer space.
15. Device Public Key
Per relying party, device-bound key in addition to the “passkey”.
Example values shown on the slide: https://login.example.com, eliza@example.com, login.example.com
16. Wrapping Up
• Familiar UX: drop-in replacement for password, with enhanced security characteristics.
• Cross-platform, cross-ecosystem, addresses account recovery.
• DPK provides context for higher security use cases.
All FIDO credentials have the property of being “human consumable PKI-based credentials”, meaning that only public keys are registered at servers. They also have other common characteristics associated with FIDO such as being non-trackable by registered sites, and phishing resistant when used for login.
“Able to be replicated across devices*” – the asterisk indicates that initially it looks like it will be ecosystem-based replication (Apple -> Apple, etc.), but that need not always be the case in future. We are on a journey, and just as third-party password managers now have tight integration with browser instrumentation, so could “passkey managers” in the future.
Passkeys, when combined with “hybrid” CTAP transport between browsers and phones, will address major adoption issues with consumer-scale FIDO:
• Not everyone has a traditional hardware security key – with passkeys will come “mobile phone as an authenticator”, allowing mass adoption.
• Account recovery is addressed via obtaining a new device and recovering your cloud fabric “passkey provider” account (think of your Apple/Google/Microsoft account).
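The following is an added, constructed model of the properties described on slides 6 and 15 and in the notes above; it is not the presenter's code and not a WebAuthn or CTAP library. It shows one key pair per relying party (so sites cannot correlate users), a server that stores public keys only, assertions that the client will only produce for the origin the browser is actually on, a passkey that syncs between two devices, and a per-relying-party device-bound key (DPK) that lets the server notice a device it has not seen before. The type names, the `signingInput` layout and the sample challenges are this example's own simplifications, not the real wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Credential is all the relying party (RP) keeps: public keys only (constructed model).
type Credential struct {
	UserID     string
	PasskeyPub ed25519.PublicKey
	DevicePubs map[string]bool // device public keys seen so far, raw bytes as map key
}

// Authenticator models one device's credential store. Passkeys are one key pair per
// RP ID and may be synced; device keys (DPK) are also per RP ID but never leave the device.
type Authenticator struct {
	Name       string
	passkeys   map[string]ed25519.PrivateKey
	deviceKeys map[string]ed25519.PrivateKey
}

func NewAuthenticator(name string) *Authenticator {
	return &Authenticator{Name: name, passkeys: map[string]ed25519.PrivateKey{}, deviceKeys: map[string]ed25519.PrivateKey{}}
}

// rpIDFromOrigin is the browser's job: the RP ID is the origin's host, so a key minted
// for login.example.com is never offered to a look-alike site (phishing resistance).
func rpIDFromOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" {
		return "", errors.New("origin must be an https URL")
	}
	return u.Hostname(), nil
}

// Register mints a fresh passkey for this RP and hands back only the public half.
func (a *Authenticator) Register(origin, userID string) (*Credential, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.passkeys[rpID] = priv
	return &Credential{UserID: userID, PasskeyPub: pub, DevicePubs: map[string]bool{}}, nil
}

// SyncTo copies the synced passkeys to another device in the same ecosystem;
// the device-bound keys deliberately stay behind.
func (a *Authenticator) SyncTo(b *Authenticator) {
	for rp, k := range a.passkeys {
		b.passkeys[rp] = k
	}
}

// Assertion is what the client returns to the RP after a login ceremony.
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte            // passkey signature over signingInput
	DevicePub ed25519.PublicKey // DPK: this device's key for this RP
	DeviceSig []byte            // device-key signature over the same input
}

// signingInput binds a signature to the RP ID, the origin the browser observed and the challenge.
func signingInput(rpID, origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	msg := append([]byte{}, h[:]...)
	msg = append(msg, origin...)
	return append(msg, challenge...)
}

// Authenticate is invoked by the browser with the origin the user is actually on.
func (a *Authenticator) Authenticate(origin string, challenge []byte) (*Assertion, error) {
	rpID, err := rpIDFromOrigin(origin)
	if err != nil {
		return nil, err
	}
	priv, ok := a.passkeys[rpID]
	if !ok {
		return nil, fmt.Errorf("%s holds no passkey for %s", a.Name, rpID)
	}
	dk, ok := a.deviceKeys[rpID]
	if !ok { // first use of this passkey on this device: mint a device-bound key
		if _, dk, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, err
		}
		a.deviceKeys[rpID] = dk
	}
	msg := signingInput(rpID, origin, challenge)
	return &Assertion{Origin: origin, Challenge: challenge, Sig: ed25519.Sign(priv, msg),
		DevicePub: dk.Public().(ed25519.PublicKey), DeviceSig: ed25519.Sign(dk, msg)}, nil
}

// Verify runs on the RP. newDevice is true when the passkey checks out but the device
// key has never been seen: the extra context DPK gives for step-up decisions.
func (c *Credential) Verify(rpID string, as *Assertion, challenge []byte) (newDevice bool, err error) {
	if as.Origin != "https://"+rpID {
		return false, errors.New("origin mismatch")
	}
	if !bytes.Equal(as.Challenge, challenge) {
		return false, errors.New("challenge mismatch")
	}
	msg := signingInput(rpID, as.Origin, challenge)
	if !ed25519.Verify(c.PasskeyPub, msg, as.Sig) || !ed25519.Verify(as.DevicePub, msg, as.DeviceSig) {
		return false, errors.New("bad signature")
	}
	newDevice = !c.DevicePubs[string(as.DevicePub)]
	c.DevicePubs[string(as.DevicePub)] = true
	return newDevice, nil
}

func main() {
	phone := NewAuthenticator("phone")
	cred, _ := phone.Register("https://login.example.com", "eliza@example.com")
	as, _ := phone.Authenticate("https://login.example.com", []byte("challenge-1"))
	fmt.Println(cred.Verify("login.example.com", as, []byte("challenge-1"))) // true <nil>: first device seen
	laptop := NewAuthenticator("laptop")
	phone.SyncTo(laptop)
	as, _ = laptop.Authenticate("https://login.example.com", []byte("challenge-2"))
	fmt.Println(cred.Verify("login.example.com", as, []byte("challenge-2"))) // true <nil>: synced passkey, new DPK
	_, err := phone.Authenticate("https://login.example.com.evil.test", []byte("challenge-3"))
	fmt.Println(err) // phone holds no passkey for login.example.com.evil.test
}
```

The RP's `Verify` treats a never-seen device key as a signal rather than a failure: the passkey proves the account holder, the DPK tells the server whether this particular device has been here before, which is the "context for higher security use cases" the wrap-up slide refers to.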