Root Causes 230: What Is Apple Passkey?
Apple recently announced its Passkey functionality, which will allow passwordless authentication between Apple devices and supporting web services using public-key cryptography. In this episode we discuss how this works, the user experience, the significance of FIDO and WebAuthn, and implications for consumer-facing sites.
- Original Broadcast Date: June 30, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to talk about a recent announcement in the news. You can actually find this in a bunch of places. What I’m looking at is an article from Wired Magazine on June 7 called “Apple Just Killed the Password for Real This Time.” And the gist of this announcement that came from Apple is that they are going to - - I think it’s optionally - - remove use of traditional passwords for supporting websites with what they call a passkey.
-
Jason Soroko
Passkey. And, of course, related to this podcast, we are talking about a cryptographic key pair that is used for authentication rather than a username and password. Hallelujah. It’s good news.
-
Tim Callan
I think it’s a big hint that the word “key” is right there in the name of it. This works exactly the way we would expect, Jay. We’ve got a public/private key, and the connection is between your own device, which has the private key on it, and the site that you’re going to, which accepts your public key. Is that correct?
-
Jason Soroko
That is correct. We are talking about something that is standards-based. It’s part of WebAuthn, which is a part of FIDO, a very important part of FIDO, and you probably saw the industry announcements before Apple’s specific announcement of their implementation that came from companies like Microsoft and Apple and a few others.
What’s important about that, what’s really important about that, is the adoption of the standard, to be a first-class citizen within the operating systems of these big companies. That is a good thing because it’s a first step toward real mass adoption of passwordless rather than this world we have been living in, which is a real mix of things including various kinds of MFA and stuff like that, along with, of course, a password, which is always at the core. What we should do also is in future podcasts get really into depth about what it is. I think for now I want to talk about the industry implication and the implication to the consumer, because that’s what we’re really talking about here. A lot of times, you and I, Tim, we’re talking about enterprise-level authentication, and I think what is really different here is getting passwordless mass adopted by the public, the average user, people who are just going to websites and doing their thing. This is what’s important.
-
Tim Callan
So, I have an Apple device, and I attach to a compatible site because, for starters, it’s got to be, obviously, a site that is also tied into this. I go to my major bank, and they’re supporting passkey from operating systems that support it, and now, what happens? Somehow I have to associate this device with my account. Then next time I come in the device just uses the public/private key authentication; they know it’s my device, that’s the thing I have; the thing I know is me ‘cause I logged in to my device; I used the PIN and therefore, now we’re able to use the PKI and put me into my account. Is that the true experience?
-
Jason Soroko
Absolutely. Let’s break it into who the players are, and you’ve covered the ball. I just want to name them. There is, of course, Apple, which is the heart of the story we’re covering, and what they’ve decided to do is to adopt that standard, and, of course, passkeys is the branded name they’ve got for it. That’s great ‘cause it’s essentially WebAuthn and it fulfills their promise to join FIDO into their world, in a first-class way. Which is no small thing, because you know how Apple is. A lot of times, they will just go off and do their own thing, but in this case - -
-
Tim Callan
And they like control at Apple.
-
Jason Soroko
Absolutely. So, usually everything coming out of there is very well defined, well thought out, and so for Apple to have adopted it is a big stamp of approval to FIDO and that group. That’s obviously a main player, and they’re implementing this at the operating system level. That’s really important because if it’s not at the operating system level, the standard really is difficult to make work. You also have, and this is the important part, Tim, that I don’t think gets enough stories, or it’s certainly not in the front of the first paragraph when you’re reading stories about this: the people who are writing the web apps have to, and you just mentioned this, you have to build it in. You have to support it, as you have to anticipate you’re going to be having users who have this capability in the operating system. That’s great because now you have a big audience of Apple users, Microsoft users, and others.
-
Tim Callan
This is an important point, Jay. I want to clarify this. Because this is a standard, for the purposes of the site operator, I just write once, and I get everybody who supports that. So, for instance, I will get Apple and Microsoft all in one fell swoop, is that correct?
-
Jason Soroko
That is correct.
-
Tim Callan
So, it’s not like there is a different API for Apple than there is for Microsoft. Which is important. It’s going to help adoption. It’s better that way.
-
Jason Soroko
Well, I definitely don’t want to give any kind of misinformation about how it will all exactly pan out. You never know how some industry executive might make the decision to make something different, but at the heart of it, we are talking about FIDO credentials and WebAuthn, so therefore, the real true backend implementation that you are dealing with as a web developer is going to be standardized. You’re right in saying that. What might be different is how the players – Apple, Microsoft and others – might want to brand the experience. That’s why you’re seeing a different naming of that with Apple than, say, Microsoft, and so to me, it’s a little bit similar to how you go to websites today and you see federation symbols. Which is, you’re already provisioned to Google. You’re already provisioned to Apple. Log in with Facebook. And so, I think you may end up seeing an experience like that as the user. Just realize that in the backend it’s probably very, very similar or exactly the same, and as the web developer, you’ll probably end up noting, alright, well, this is a different federated credential or system that is coming in to me, but I can handle it in a similar way because it is a cryptographic key pair.
-
Tim Callan
If that’s all the same for me as a developer, whatever interface you’re deciding to show your user on your device is between you and the user. In the backend, I’m just accepting. I’m just accepting and giving calls. Just to make sure that we’re not leaving anything unsaid, the user experience will be – I will navigate to the site, and once my local credential is associated with my account, then I’ll just go in there. There won’t be a login. I’ll just go into my account. Is that correct?
-
Jason Soroko
That’s it. Therefore part of what the user is going to have to do, probably, is basically creating their WebAuthn credential. In other words, there’s going to be some kind of an account, and obviously with Apple, it’s going to be an Apple-based account. And so, you will register for this. You will essentially be sent a public key after your key pair is created on their side, and then your machine is essentially registered into that system, and that essentially gives your device an identity, and you can start authenticating, which is great. Now, Tim, this gets into a whole other part of it, which is right now we’re talking about the user experience, and a lot of people will say, well, what will this look like? What will this be? And you and I, Tim, have talked a lot about PIN replacements and PIN equivalents.
Therefore, you’re not entering a password, but how are you saying, it’s me? And, of course, if somebody physically gets a hold of your machine, your device, how is that being protected? I think this is going to be the real emergence. Not that it hasn’t emerged already; people are very used to using it. But I want people to make sure that they are being very clear about what’s happening here. What used to be, in the most simplistic sense, like a PIN; in other words, there’s some credential like a certificate, let’s say, in a certificate-based authentication where sometimes if you wanted to authenticate with that certificate, you might be challenged to enter a PIN code, and that obviously is not sexy, and it looks a bit like a password. One thing that’s available, especially on a lot of modern devices, is some form of biometric, and quite often, that’s now a measurement of your face. Don’t think about that as anything other than, alright, there is a key pair, which is the credential that is doing the logging in, and you are in possession of the key material that’s necessary on your device to be able to do this authentication, and you registered within the system. Go ahead, Tim.
-
Tim Callan
To be clear, you’re talking about additionally. So when I first unlock my device, I am performing a PIN or a PIN equivalent. I’m doing a PIN or a biometric: fingerprint, face or PIN. Your point, though, is that it may be that before I can access my bank account I will be expected, an additional time, on my unlocked phone, to show it my face or give it my fingerprint or put in my PIN to confirm that somebody hasn’t grabbed my unlocked phone in the two minutes that I have it set before it locks and gone into my bank account. Is that correct?
-
Jason Soroko
Yes, Tim, because think about it like this. If you didn’t do that, if you didn’t have that extra challenge, then essentially whoever is in possession of my device can just simply authenticate.
-
Tim Callan
Until it locks. And depending on how long I set the time until it locks, if I set it for 5 minutes until it locks, and then I accidentally leave it on the table when I go up to grab my order at the coffee shop, that gives a crafty individual 4 minutes and 30 seconds to put it in their pocket, walk out of the coffee place, look for bank apps, go in there and take my money. Yep, I got you.
-
Jason Soroko
Exactly. Right on. Therefore, think about most of these devices now, with cameras; it’s just a really great biometric age for it to be a PIN replacement to attest to the fact that yes, not only is this my device that’s logging in, but there’s an extra challenge to try to make sure that, yes, it is in fact me, the human being, who is possessing this device and who wants to do the authentication. That extra step, which I think Apple’s almost perfected, or pretty much has perfected, and other players have as well with their devices. I think that’s an important part of this. Otherwise, heck, with those keys in possession, you just log in.
-
Tim Callan
So, once again, curious. I don’t know if you know the answer to this, but is that optional? Is that something where the web developer can decide how far up and down to turn that security dial, or is that just part of the experience, and that’s what I’ve got to do for people who come to my site?
-
Jason Soroko
I think what you’re going to find in the consumer world is that the web app developer wants to be agnostic to it and might say, look, you require at least one of three different challenges. It could be a biometric, could be a PIN, could be something else. What you will end up seeing is, because the web app developer cannot control the types of devices that are being used, they can probably set minimum standards, there must be some kind of challenge, but they can’t define the challenge, and therefore that will end up probably being left to the user, who obviously knows best about the type of device they’re using and perhaps even what their preference is.
-
Tim Callan
One would hope that this would be something where there is some freedom of choice, where I can say, look, I think I want to do this. I think I’m going to opt out of it and then probably default to on. I think you should, but maybe they wouldn’t.
Then the other thing you would think is obviously they need to support devices. There is some legacy device support required. So, this wouldn’t be all or nothing; there would be people who come in who are banking on their old device, and I’m still going to let them log in the traditional way.
-
Jason Soroko
More than likely, Tim. Absolutely more than likely. Don’t forget there probably will also have to be some kind of consideration for, I’m having difficulty with this authenticator, I lost my device.
-
Tim Callan
I’ve got a big bandage on my thumb. There’s got to be like a Plan B. What happens, what if you burn your thumb? The other point that I just wanted to observe here is you’d mentioned this a few times: this is a consumer-facing play. It’s interesting in this way, or it’s noteworthy, and it’s a little bit of a milestone. B2C PKI is notoriously difficult because you have a large number of these people. You don’t really control them. You can’t force them to authenticate a certain way ‘cause if you do, they’ll have this bad habit of going to your competitor, and so, the whole thing, B2C, in general enforcing high degrees of B2C security is hard, and B2C PKI is insanely hard, and so if we’re seeing this as a major step forward in B2C authentication, that’s very interesting and very important.
-
Jason Soroko
Tim, I think it’s best contrasted with the way that PKI works in the enterprise in terms of authentication. PKI works exceptionally well in the enterprise because of the control. Because of the central nature of the trust.
-
Tim Callan
It’s so easy. You say, log in this way or you’re fired. It’s the easiest thing in the world. But you can’t do that with customers.
-
Jason Soroko
That’s it. FIDO in this particular implementation is really good in the sense that it’s a self-provisioning mechanism, it's opt-in, it’s something you register with, it’s something that even the people who are building the web apps can join in on when they’re ready and provide flexibility to their users, and yet, at the same time, not have to force a username and password, the weakest form of authentication there is, on their users. There’s now a really good choice when you don’t control every aspect of the user’s life the way that an enterprise does.