Making passwords passé
Every day, cybersecurity headlines highlight the intrinsic failings of passwords. Large-scale phishing attacks and massive data breaches are almost invariably password-related.
Apple wants to fix this by moving to passkeys. Simply put, passkeys provide a passwordless sign-in for websites and apps. For users, passkeys scream convenience. On an Apple device, a quick Face ID sign-on, for example, is all that’s needed.
But convenience isn’t the impetus behind passkeys. It’s security.
Here’s how Apple describes the benefits of passkeys:
“Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use, and work across all of your Apple devices, and even non-Apple devices….”
—About the security of passkeys, Apple
FIDO sets the standard
While Apple is a leading advocate of a passwordless future, it is not alone: Apple, along with other big tech companies such as Google and Microsoft, is behind a standard set by the FIDO (Fast Identity Online) Alliance, which comprises over 250 companies. The goal is to create a common format for online authentication.
“The key thing is, we’re not sending any human-readable secrets over the network,” Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, told the Wall Street Journal.
The newest FIDO standard promises to offer authentication for a website or an app regardless of the OS platform. And users won’t have to re-enroll every account.
Elements of a robust machine identity management model
Apple passkeys are built on the Web Authentication (WebAuthn) standard, which uses public key cryptography. Public key cryptography, also called asymmetric cryptography, uses a pair of keys: a public key, which can be shared with others, and a private key that stays on the device and is accessible to no one but the device's owner.
Public key cryptography, in the form of public key infrastructure (PKI), is also the basis of machine identity management, as described by Venafi.
And there are foundational commonalities, says Pratik Savla, Senior Security Engineer at Venafi.
“Machines and Machine Identity Management are central to this setup as this approach involves binding a credential to a particular origin and hence makes a machine (device) very crucial for correct identification,” according to Savla.
“This model makes physical security of the device as well as the security of the underlying OS of prime importance. The OS vendors will more or less become the sole identity providers in this setup,” Savla said.
But this doesn’t mean the passwordless future is flawless.
“This in turn would make passwordless keys an attractive target of attackers,” according to Savla. “Additionally, it creates a single point of failure,” he added.
Venafi and Axiad partner on passwordless authentication
To make a passwordless future more secure, Axiad, a provider of cloud-based passwordless authentication for users and machines and a member of the FIDO Alliance, announced in March a technology partnership with Venafi to help customers manage their credentialing needs.
Axiad Cloud provides enterprise PKI integrated with Venafi for automated machine identity management.
“As digital transformation accelerates and traditional security perimeters disappear, identity is no longer just about users,” Axiad said in the press release.
The number of machines on enterprise networks, including mobile devices, workstations, applications and IoT devices is continuing to grow, with machines outnumbering people by more than three to one, Axiad said.
“Each machine requires a unique credential, or digital certificate, to authenticate and establish trust…The failure to adequately track, maintain and update all of the digital certificates across a network exposes organizations to a much higher risk of attack. It can also result in costly business stoppages if these certificates expire,” Axiad said.