Word Notes 5.23.23
Ep 149 | 5.23.23

passkey (noun)

Transcript

Rick Howard: The word is: passkey

Rick Howard: Spelled: Pass as in to go by, and key as in a unique token designed to open a specific barrier.

Rick Howard: Definition: A passwordless authentication protocol based on the FIDO2 standard.

Rick Howard: Example sentence: Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user's devices.

Rick Howard: Origin and context: The late great MIT computer science professor, Doctor Fernando Corbato, created the first digital password system in 1961. He needed a way to allow multiple users to access a shared computer and to restrict the amount of time each student can use in a single setting. He created a system where each user had their own unique password to access their resources on the mainframe. Almost immediately, one of his grad students worked out how to steal all the passwords on the system to gain more computer time. Amazingly, 60 years later, the password is still the predominant method used to identify people on the internet, despite the obvious limitations to the technology and the continuous list of examples from the very beginning of bad guys exploiting the architecture.

Rick Howard: In recent years, there has been a growing movement to replace passwords with something more secure, spearheaded by the FIDO Alliance. FIDO stands for Fast Identity Online and is a non-profit that consists of over 250 vendors who have a vested interest in getting this right, like Google, Microsoft, Apple, and many others. In 2021, the Alliance published the FIDO2 standard, which defines a set of protocols for passwordless authentication. Passkeys are based on the FIDO2 standard and use public key encryption to be more secure than passwords, but also easier to use by the general public. That means that the user creates a key pair, a public key to be stored by a vendor somewhere, and a private key stored on a device like a mobile phone or a laptop.

Rick Howard: On Apple systems, the passkey is stored in the encrypted iCloud Keychain. On Microsoft systems, it's stored in the Credential Manager. When users need to log into their Google account, let's say, instead of a human trying to remember the password, the FIDO2 standard allows the vendor to check the user's public key against the private key stored on the device. With that setup, passkeys are more secure than the user ID/password pairs, email verification, and SMS verification systems because there are no tokens that a bad guy can steal from the victim through various phishing techniques. They are more easy to use than the cumbersome authenticator soft token and push authentication methods currently in use today. In that regard, passkeys are probably a better option for run-of-the-mill daily internet transactions. But if your needs are highly sensitive, U2F tokens, Universal Second Factor tokens like YubiKeys, are still the most secure.

Rick Howard: Nerd Reference: On the "All Things Secured" YouTube channel in 2023, Josh Summers outlined his understanding of how to use passkeys to log in to his Google accounts.

Josh Summers: Passkeys are only available for personal Google accounts, not paid Workspace accounts. But the value of the passkey for the average internet user is that passkeys make it much harder for you to grant access to your account to bad actors. I mean, it's possible to scam someone into sharing their username and password, but I can't share my passkey, and since it only works with the website or app that created it, I, as the user, no longer have to worry about whether I'm visiting a genuine website or a phishing site.

Rick Howard: We're privileged that N2K and podcasts like Word Notes are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. Word Notes is written by Tim Nodar, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Pelzman. Thanks for listening.