Tags: sec, auth

May 1, 2024

Passkey: Beyond Email and Passwords

For too long, the email-password duo has been our digital keychain. But there's a catch: email is a hacker's paradise. A crafty fake login page, and bam! Your password's gone. Considering we interact with our emails countless times daily, the odds of slipping up are not in our favor.

Passwordless era

In the last couple of years, you've likely encountered a surge in passwordless sign-in. Be it a magic link or a one-time code zapped to your inbox, these alternatives promise a no-password nirvana. And sure, waving goodbye to your password manager sounds great until you're waiting on that email to log in. As someone who leans on 1Password for a swift entry, this waiting game feels like a step back.

Email: The Achilles' Heel

Let's face it, emails are a mixed bag:

  • 80% is clutter: spam and notifications.
  • 10% revolves around account activations or passwordless login flows.
  • A mere 10% is genuine, human-to-human communication.

But how secure is your inbox? Even with MFA (Multi-Factor Authentication), are you sure you're the only one reading your emails? Today's mailboxes, especially in businesses, are intertwined with a plethora of cloud services and apps such as a CRM or calendar that have direct access to your mailbox, with permission to read and send email on your behalf.

Phishing and social engineering are rampant, with a staggering 3 billion phishing emails dispatched daily. According to the "Swiss Cyber Institute", 1.5 million new phishing websites are created every month! Those websites are all fake authentication portals, either imitating major cloud services such as Microsoft, Google or Salesforce, or cloning a specific enterprise login page crafted for the campaign.

It's the elephant in the room we can't ignore. Once someone infiltrates your email, the dominoes fall swiftly; the attacker can:

  • Authenticate to any passwordless web portal that sends its OTP to your email
  • Request password resets for every application they discover simply by reading your emails
  • Disable MFA wherever the confirmation step goes through email

Is MFA the Magic Bullet?

MFA's introduction was a game-changer, making account breaches a tougher nut to crack. Yet, it's not foolproof. Tactics like SIM swapping and relentless push notification spam have found their way around it. And if malware has compromised your device, consider it game over.

MFA comes in various flavors, from U2F codes to mobile app confirmations or hardware tokens like YubiKeys. While the security is robust, the user experience often leaves much to be desired, making it a chore for many to set up and use.

Passkey to the rescue

Passkeys are reshaping web authentication, harnessing WebAuthn/FIDO2 credentials to offer a streamlined, secure login method. By leveraging the Web Authentication API, browsers can now utilize a secure element to manage passkeys.

Passkeys: A New Form of 2FA?

Traditionally, 2FA involves "something you know" (like a password) and "something you have" (a token or code). Passkeys aim to consolidate these steps with a cryptographic key, blending "something you have" with "something you do" (biometric verification). However, this fusion has sparked debate over whether it truly counts as two-factor authentication since it merges the authentication process into a single step.

Despite the controversy, industry leaders like Auth0 are backing passkeys for their security leap, suggesting that 2FA could be skipped when sign-in is done with a passkey.
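What makes a passkey phishing-resistant is not the biometric prompt but the binding of the credential to the site's origin: the browser picks the key by the domain the page is actually loaded on, and the signed client data carries that origin, so a lookalike login page gets no usable credential and a relayed assertion fails on the server. The following is an added example written for this post, not code from the original article, from Ory, or from any WebAuthn library; it models both sides of a WebAuthn assertion with a toy P-256 authenticator (`ToyAuthenticator`, `Verify` and the other names are this example's own), keeps only the fields the checks need and skips attestation, COSE key encoding and sign-counter tracking.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// CollectedClientData is the JSON the browser builds and the authenticator
// signs over, reduced to the fields checked in this example.
type CollectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the relying party.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// ToyAuthenticator stands in for a platform authenticator: one P-256 key per RP ID.
type ToyAuthenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewToyAuthenticator() *ToyAuthenticator {
	return &ToyAuthenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a passkey scoped to rpID and returns the public key the RP stores.
func (a *ToyAuthenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = k
	return &k.PublicKey, nil
}

// Get simulates the browser ceremony. The RP ID is derived from the origin the
// page is loaded on, never from what the page claims, so a lookalike domain
// finds no matching passkey at all.
func (a *ToyAuthenticator) Get(origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	rpID := u.Hostname()
	k, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	cd, err := json.Marshal(CollectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	// authenticatorData = rpIdHash(32) || flags(1) || signCount(4); 0x05 = UP|UV.
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x05, 0, 0, 0, 1)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}, nil
}

// NewChallenge is the relying party's per-login nonce.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Verify is the relying-party side: type, challenge, origin and RP ID hash are
// all checked before the signature, so a relayed or replayed assertion is
// rejected even though it carries a valid signature.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, expectedRPID, issuedChallenge string, as *Assertion) error {
	var cd CollectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	if len(as.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	rpHash := sha256.Sum256([]byte(expectedRPID))
	if !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewToyAuthenticator()
	pub, _ := auth.Register("app.example")
	ch, _ := NewChallenge()
	as, _ := auth.Get("https://app.example", ch)
	fmt.Println("legit login:", Verify(pub, "https://app.example", "app.example", ch, as))
	_, err := auth.Get("https://app-example.phish.test", ch) // constructed lookalike domain
	fmt.Println("lookalike page:", err)
}
```

The instructive part is the order of checks in `Verify`: the challenge defeats replay, the origin defeats relaying an assertion captured on another domain, and the RP ID hash ties the credential to the site, all before any signature math. A real deployment would additionally persist and compare the sign counter and store the public key in COSE form, which this toy omits.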

Security Utopia? Not So Fast

Adopting passkey authentication might seem like you've hit cybersecurity gold, shielding your users from keyloggers and password manager breaches (hello 👋 LastPass). But what about account recovery? If access to that email is still possible, you're back to square one.

Imagine exploiting a vulnerability in a popular app like a CRM that is connected to your mailbox. Hijacking accounts would then be alarmingly simple. This highlights why email shouldn't be the go-to for account recovery, despite its ubiquity in user communication.

The Role of 2FA Recovery Codes

To circumvent this, platforms implementing 2FA now offer backup codes for account recovery, sidestepping the need to rely solely on email. It's crucial to let users set up multiple second factors, ensuring they're never locked out of their accounts.
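Backup codes only help if the server never stores them in the clear and burns each one on first use. The following is an added example illustrating that pattern; it is not code from the post, from Ory, or from any platform mentioned above. It generates a batch of random codes, stores only their SHA-256 hashes (`RecoveryCodeStore`, `Redeem` and the other names are this example's own), and removes a hash the moment its code is redeemed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"strings"
)

// RecoveryCodeStore holds only hashes; a hash is deleted on first successful use,
// so each code is accepted exactly once.
type RecoveryCodeStore struct{ hashes [][32]byte }

// normalize makes the comparison tolerant of the hyphen and of upper-case entry.
func normalize(code string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(code), "-", ""))
}

// NewRecoveryCodes generates n one-time codes. The plaintext slice is shown to
// the user once; only the store (hashes) is persisted.
func NewRecoveryCodes(n int) ([]string, *RecoveryCodeStore, error) {
	store := &RecoveryCodeStore{}
	codes := make([]string, 0, n)
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	for i := 0; i < n; i++ {
		raw := make([]byte, 10) // 80 bits of entropy -> 16 base32 characters
		if _, err := rand.Read(raw); err != nil {
			return nil, nil, err
		}
		code := strings.ToLower(enc.EncodeToString(raw))
		code = code[:8] + "-" + code[8:] // "xxxxxxxx-xxxxxxxx" for readability
		codes = append(codes, code)
		// A fast hash is adequate here because the codes are high-entropy random
		// strings, unlike user-chosen passwords, which would need a slow KDF.
		store.hashes = append(store.hashes, sha256.Sum256([]byte(normalize(code))))
	}
	return codes, store, nil
}

// Redeem consumes a code. It returns true at most once per code; a second
// presentation of the same code fails because its hash is gone.
func (s *RecoveryCodeStore) Redeem(code string) bool {
	h := sha256.Sum256([]byte(normalize(code)))
	for i, stored := range s.hashes {
		if subtle.ConstantTimeCompare(h[:], stored[:]) == 1 {
			s.hashes = append(s.hashes[:i], s.hashes[i+1:]...)
			return true
		}
	}
	return false
}

// Remaining tells the user (and your monitoring) how many codes are left, a
// useful trigger for prompting them to regenerate a batch.
func (s *RecoveryCodeStore) Remaining() int { return len(s.hashes) }
```

In production the store lives next to the user record, redemption happens inside the same rate limit as password attempts, and a successful redemption is an event worth alerting on, since it is also exactly what an attacker holding a leaked code would do.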

While email remains a standard communication tool, its reliability as a security factor is questionable. This is the gap that Ory authentication aims to bridge.

Where most authentication providers rely only on a password reset through an email confirmation link, Ory provides a way to require that an account reset begins with the recovery code.

I'll delve deeper into Ory authentication in an upcoming post. Stay tuned, and let's navigate the evolving landscape of digital security together.

Written by

Pierre Tomasina

Pierre is DevSecOps Consultant with 15 years in the industry, specializing in Software Development, Cloud and Cybersecurity. Experienced in developing SaaS platforms, he is proficient in programming languages including Go, Rust, TypeScript, Python, and Java, and is passionate about open-source technologies. His expertise also extends to IT strategy and security in regulated environments.

Copyright © 2024 Plab. All rights reserved.