
Passkeys let you verify customers without passwords, and with better security and more flexibility than password-based sign-in.
Based on the WebAuthn specification, a passkey is a discoverable public-key credential that provides a passwordless experience across multiple devices.

Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share my experience building Passkey authentication into modern applications.
What do Passkeys do?
By combining public key cryptography with platform-trusted hardware such as a TPM or Secure Enclave, unlocked by fingerprint or facial recognition (or a device PIN where no biometric is available), the passkey workflow proves that you possess the private key held by your device. The authenticator only signs the relying party's challenge after it has verified you locally, so one gesture covers two MFA factors: something you have (the device) and something you are (the biometric), or something you know when a PIN is used. The private key never leaves the device, and nothing reusable is sent to the server.

How do Passkeys work?
By using public key cryptography instead of a password, the WebAuthn specification provides first-factor authentication that can satisfy MFA at the same time: the signature proves possession of the device's private key, and the authenticator's user verification (biometric or PIN) supplies the second factor. Passkeys take this a stage further in two ways: they are discoverable, so the user does not have to type a username, and in their synced form they are available across a user's devices rather than locked to the one that created them.
Personal Devices…
On a personal device such as a phone, tablet, or laptop, the passkey generated for a particular site can be saved to the synced keychain of the platform provider. On an Apple device, for example, this typically means the passkey is saved to iCloud Keychain under the Apple ID with which the device is configured, and it then appears on the user's other Apple devices signed in to the same account.
…Public Devices…
However, there are cases where you need to use a public or shared device that is not signed in to your provider account (your Apple ID, Google account, etc). For these, the FIDO cross-device authentication flow, often referred to as the "nearby device" workflow, applies: the public device displays a QR code, you scan it with a camera-equipped personal device that holds the passkey, and that device completes the sign-in over a proximity-checked (Bluetooth) channel. The QR code itself contains no passkey, only what the two devices need to find each other; the private key never leaves your phone, and nothing is left behind on the public device.
…Multiple Platforms
With many providers (Apple, for example), the QR code mechanism also works across operating systems: a passkey held on an iPhone can sign you in on a Windows laptop or a Linux desktop. Whether the device you are signing in on is personal or public in nature, the cross-platform flow uses the passkey stored on the phone, and a passkey created this way (registering from a Windows laptop via your iPhone, say) is likewise stored in the phone's synced keychain rather than on the laptop.
Discoverable
Passkeys are primarily discoverable FIDO credentials. A discoverable (also called "resident") credential is one the authenticator stores together with the user handle the relying party assigned at registration, so the relying party can call navigator.credentials.get() with an empty allowCredentials list and let the authenticator present the matching passkeys itself. The user picks an account and authenticates without typing a username or password, on whichever device holds the passkey; the relying party identifies the user from the credential ID and user handle in the response.
Device Bound
Passkeys can also be device-bound. Device-bound passkeys, also known as single-device passkeys, are FIDO credentials whose private key never leaves the authenticator that created it, typically a hardware security key or a platform authenticator that is not enrolled in cloud sync. Device-bound does not mean non-discoverable: a resident credential on a security key is both. What it lacks is the cloud backup, and a relying party can tell the two apart from the backup-eligible (BE) and backup-state (BS) flags the authenticator sets in its authenticator data.
Buy vs DIY
You could build an in-house solution yourself; it's certainly an option, particularly if you have a team with the time, capacity, knowledge, and expertise to develop SSO; deploy and maintain attack protection; leverage OIDC and/or SAML for authentication and for social or enterprise federation; implement passwordless, passkeys and/or MFA; and, optionally, OAuth 2.0 for API authorization.
The alternative is to integrate with a SaaS solution from one of the popular vendors; the subscription cost typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM, that cost covers the platform hosting the backend services that deliver authentication, authorization, management, and protection from attack. If you already run consumer-facing software, much of that infrastructure (cloud compute, databases, network resources) may already be in place, though delivering and scaling it remains your responsibility.
Deploying a standards-based open-source solution within your existing infrastructure can be a more cost-effective middle path: secure and robust CIAM without building everything yourself, and with the added benefit of more flexibility and control.
Got questions?
Feel free to reach out!