Criticism that password-free authentication technology 'Passkey' has a worse experience than passwords



'Passkey,' a specification formulated by the FIDO Alliance, is a technology built on 'FIDO 2.0,' which authenticates with biometric information instead of passwords, and on the 'Webauthn' standard, and it manages and operates credential information on a per-device basis. William Brown, also known as Firstyear, an engineer involved in the Webauthn standard, explains the problems with Passkey on his blog.

Firstyear's blog-a-log
https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

Believing that Webauthn had great potential as an alternative authentication technology to passwords, Brown moved from Australia to the United States in 2019 and began developing webauthn-rs, a Rust implementation of Webauthn, with a friend. In the process, Brown discovered problems with the Webauthn standard and proposed improvements to the Webauthn working group.

At the time, Webauthn was attracting great expectations as an alternative authentication technology to passwords, and three use cases were envisioned: two-factor authentication, passwordless, and usernameless.

Password-free login method 'WebAuthn' becomes web standard - GIGAZINE



However, problems emerged during the subsequent specification development process. One example is that Chrome dominates the web browser market and therefore has a great influence on specification development: in practice, Chrome could veto any part of the specification it did not like. In fact, the web authentication API extension called the Authenticator Selection Extension was removed from the Webauthn specification because Chrome did not support it.

In addition, important discussions on the formulation of the specification were held at in-person meetings in the U.S., which made it difficult for participants outside the U.S. to have their opinions reflected. In particular, from the end of 2019, when this development was taking place, the COVID-19 pandemic made it almost impossible for overseas engineers to travel to the U.S. for several years.

Meanwhile, in 2022, Apple announced 'Passkey.'

What is Apple's 'Passkeys' that makes passwords obsolete? - GIGAZINE



Initially, Passkey was used as a term to refer to passwordless authentication for Webauthn, and Apple's implementation also allowed usernameless authentication by linking it to an Apple account. 'Apple's announcement was sophisticated, and Passkey was well received by many people,' Brown said. However, Apple did not provide a clear definition of 'Passkey.'

Meanwhile, at the FIDO conference, a leading developer said that a Passkey is a Resident Key (Discoverable Credential) for Webauthn. A Resident Key enables usernameless authentication by storing the credential itself on the security key. However, many security keys have very small storage capacity and can hold only a maximum of about 25 Resident Keys, which is not enough for users with more than 25 accounts.



In addition, in Chrome and Safari, when a user tries to use a security key, they have to scan a QR code with their smartphone to authenticate and go through complicated menu operations; Brown points out that authentication can take more than 60 seconds, which is not a good user experience.

In addition, on Android, if a website sends the option that requires a passkey, security keys are disabled, meaning that identity providers can choose which kinds of devices may be registered regardless of the user's wishes. The developer sample code only shows the option 'Save password as passkey in Google Password Manager.'
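The two behaviours described above (a registration request that shuts out security keys, and the resident-key slots that discoverable credentials consume) both come down to the `authenticatorSelection` fields a relying party puts in its WebAuthn registration options. The following is an added example, not code from Brown's post or from GIGAZINE: it builds the options object for two policies and audits them so an integrator can see which policy excludes roaming security keys and which forces a resident key. The function names `buildRegistrationOptions` and `auditRegistrationOptions`, the `example.com` relying party and the user values are hypothetical; the field names are the standard WebAuthn ones.

```javascript
// Added example, not code from Brown's post or from GIGAZINE. It shows how the
// relying party's WebAuthn registration options (the object passed to
// navigator.credentials.create({ publicKey })) decide whether a roaming
// security key may be used and whether the credential must be discoverable
// (a "resident key" that occupies one of the limited slots on many keys).
// buildRegistrationOptions, auditRegistrationOptions, the rpId and the user
// values are hypothetical; the field names are the standard WebAuthn ones.

// Build PublicKeyCredentialCreationOptions from a server-side policy.
// `challenge` and `userId` are byte arrays the server generates and stores.
function buildRegistrationOptions({ challenge, userId, userName, rpId, requireDiscoverable, platformOnly }) {
  const authenticatorSelection = {
    // "required" forces a discoverable credential. On a security key this
    // consumes one resident-key slot; "preferred" lets the authenticator decide.
    residentKey: requireDiscoverable ? "required" : "preferred",
    // Older clients only read the boolean form, so send both.
    requireResidentKey: Boolean(requireDiscoverable),
    userVerification: "preferred",
  };
  // "platform" restricts registration to the device's built-in authenticator
  // and hides roaming security keys. Leaving the field out allows both kinds.
  if (platformOnly) {
    authenticatorSelection.authenticatorAttachment = "platform";
  }
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: "none",
    authenticatorSelection,
  };
}

// Review a registration request the way an integrator would before shipping it:
// report whether it locks out security keys or forces resident keys.
function auditRegistrationOptions(options) {
  const sel = options.authenticatorSelection || {};
  const allowsSecurityKey = sel.authenticatorAttachment !== "platform";
  const forcesDiscoverable = sel.residentKey === "required" || sel.requireResidentKey === true;
  const findings = [];
  if (!allowsSecurityKey) {
    findings.push("authenticatorAttachment is 'platform': roaming security keys cannot be registered");
  }
  if (forcesDiscoverable) {
    findings.push("residentKey is 'required': each registration uses a resident-key slot on a security key");
  }
  return { allowsSecurityKey, forcesDiscoverable, findings };
}

// Constructed demo values; a real server generates a fresh random challenge
// per registration and a stable random user handle per account.
const demoChallenge = new Uint8Array(32);
const demoUserId = new Uint8Array(16);
const base = { challenge: demoChallenge, userId: demoUserId, userName: "alice@example.com", rpId: "example.com" };

// Restrictive policy: platform authenticator only, discoverable credential required.
const lockedDown = buildRegistrationOptions({ ...base, requireDiscoverable: true, platformOnly: true });
// Permissive policy: any authenticator, discoverable only if the device prefers it.
const permissive = buildRegistrationOptions({ ...base, requireDiscoverable: false, platformOnly: false });

console.log(auditRegistrationOptions(lockedDown).findings);
console.log(auditRegistrationOptions(permissive).findings);
// In a browser the chosen options are passed as:
//   navigator.credentials.create({ publicKey: permissive })
```

The audit is deliberately conservative: omitting `authenticatorAttachment` is what keeps a hardware key usable, and `residentKey: "preferred"` lets an authenticator with free slots store a discoverable credential without making registration fail on a key whose slots are already full.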

In the GitHub thread, users reported issues such as 'Resident Key slots are full and security keys cannot be registered,' 'An Android bug prevents passkey creation,' 'Firmware reset is required,' and 'Keys are saved on the client but not on the server, resulting in duplicate accounts.' Brown said, 'The sense of helplessness from users is clear. This is happening even to tech-savvy early adopters. These issues could be a barrier for general users to move from passwords to passkeys.'



Brown also reported that he had lost his passkey stored in Apple's iCloud Keychain three times, and pointed out that other users have reported similar issues. To solve these problems, developers are trying to develop more complex JavaScript APIs, but this does not solve the underlying problem.

Brown predicts that Passkey will fail when it reaches the hands of ordinary consumers, because the user experience has been sacrificed in favor of corporate profits. Brown himself says that password managers can provide a better experience than Passkey, and that, as someone who had high hopes for Passkey, reaching this conclusion was very painful for him.

in Security, Posted by log1i_yk