Free Tarot Readings

Passkeys: Putting the burden and blame on the clients


So with website password sign-ins, you have a password stored in your head (prone to concussions), in a password manager (prone to deletions, or to concussions if you forget the master password), or on a piece of paper (oh please no). Hopefully your password is not 12345678. The website keeps a copy of that password, hopefully as a salted, slow hash (hashing is not encryption, and it is certainly not plain text). That way, if the website is compromised and its data stolen, it is difficult to recover the passwords from the hashes. Difficult does not mean impossible, though: a weak password falls to offline guessing no matter how good the hash is. Thus, with all the data breaches, it makes sense that we should want a more secure method of authentication.

2FA / MFA (multifactor authentication) was designed to address this. With Microsoft or Google Authenticator (TOTP, time-based one-time password) you are also challenged to prove your identity using a shared 'secret' that both your phone and the website hold. But a shared secret can be stolen from either side, and there are many ways to fool users into typing their one-time code into a phishing page that relays it to the real site in real time.

So some eggheads thought, let us throw more technology at the problem. That always works, right? If Windows 10 is insecure, surely Windows 11 will not be...

Enter the passkey. Using public/private key pairs (FIDO2/WebAuthn; keys, not certificates), the belief is that 'this' will solve all our authentication problems. The company website will only have our public key, which is useless on its own: it can check a signature but cannot produce one. And we hold the private key, which signs a fresh challenge from the site at each login and never leaves our device.

Ok, so if I am a bad guy what am I to do? Obviously I need to focus all my mental might on getting the private key. The private key is supposed to be locked inside the hardware (a secure element or TPM) so that if someone has my public key it is useless without my phone or PC, and a look-alike phishing site cannot even ask for a signature, because the key is scoped to the site it was created for. But that doesn't stop one from taking over the phone, etc. I am not smart enough to know all the safeguards in place to prevent this scenario. However, I am smart enough to know that if there is something begging to be cracked, someone will find a way to crack it. And since the most vulnerable creature on this planet is you and me holding a phone, we should NOT be allowed to hold the keys to the kingdom and we certainly should not be expected to keep them safe. What resources do we have? Books 'for dummies'. Companies, the ones with the resources and know-how, should be the ones managing the delicate art of security.

So what do passkeys do? They make bad actors retool, absolve companies of all wrongdoing (they only hold a harmless public key), and put all the responsibility for security on grandpa and grandma.

And don't even get me started on the insane idea of tying a login exclusively to a device. Lose the device, lose the login. Absolutely brilliant. That is the ultimate dream in security: now no one can log in. (Synced passkeys in the Apple, Google and Microsoft password managers, or registering a second passkey, soften this, but then the account is only as safe as the cloud account or recovery flow behind it.)

What is my solution? Probably less tech in the hands of all of us luddites would be a good start. Put responsibility back in the hands of experts.

A smart man, who once worked in IT security for a bank, once told me that users who get hacked are responsible for their losses. Boo! The bank's sole purpose is to keep me 'and' my money together. A bank that lets me do stupid things is not doing a good job. If I withdraw a million in cash (my dream), put it in a paper bag, and they let me walk out the door, well, that is just irresponsible. Likewise, a bank that blames its customers for not being IT specialists is just insane. If technology is inherently dangerous, don't build it and tell us it is not dangerous. Make us go to a bank. Crazy, huh?

To summarize: if tech giants can't protect themselves, what hope do the rest of us have? It also leads one to believe that 'technology is not all that'.