Passkey Authentication

Passkeys are a replacement for passwords, making the login experience easier and more secure. Passkey authentication eliminates numerous attacks that rely on stolen passwords. It also protects users against phishing, because each passkey is bound to a specific website or application.

The passkeys standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance.

Passkey Authentication in edu-ID

Passkey support in edu-ID is currently under development. Please contact us if you, as an individual or an organization, would like to use it on the production system.

Device support

Passkeys come in many different types. In edu-ID, all passkeys supported by the user's platform can be used. Which passkeys a platform supports depends on the browser, the operating system and, if applicable, the mobile phone or the USB security key.

In general, passkeys can be generated, stored and managed by the following devices:

  • Mobile phones with built-in passkey support
  • FIDO2 security keys
  • Desktop computers and notebooks
  • Password managers

A good overview of the supported devices can be found here: https://passkeys.dev/device-support/

Security

Multi factor equivalence

The edu-ID passkey implementation is configured to always have the authentication quality of a 2-step login (2-factor authentication). A passkey authentication in edu-ID requires user verification; user presence alone is not sufficient.

Examples:

  • Mobile phone login: the passkey authentication requires the unlocked mobile phone (possession) and the unlocking of the passkey with a fingerprint (inherence), face recognition (inherence) or a PIN code (knowledge).
  • USB security key login: the passkey authentication requires the USB security key (possession) and the unlocking of the passkey with the fingerprint reader on the key (inherence) or PIN code entry on the computer (knowledge).
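How a relying party enforces the two properties described above (the passkey is bound to one website, and user verification rather than mere user presence is required) can be seen in the WebAuthn authenticator data returned with every assertion. The following Python is an added example and is not edu-ID's own code: it parses the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signature counter), checks the rpIdHash against the expected RP ID, and rejects assertions whose UV flag is not set. The RP ID "example.org" and the test blobs are constructed for the example; the flag bit positions are those defined by the WebAuthn specification.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present (touch / tap)
FLAG_UV = 0x04  # user verified (PIN, fingerprint, face)
FLAG_BE = 0x08  # backup eligible: the passkey may be synchronized to other devices
FLAG_BS = 0x10  # backup state: the passkey is currently backed up / synchronized
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix of authenticatorData into its fields.

    Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)
    followed by optional attested credential data and extensions, which are
    not needed for the checks below.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, expected_rp_id: str, require_uv: bool = True) -> list:
    """Return the list of policy violations; an empty list means the assertion is acceptable.

    The signature over the assertion must still be verified separately with the
    credential's public key; this function only covers the authenticatorData checks.
    """
    parsed = parse_authenticator_data(auth_data)
    problems = []
    # A passkey is bound to one RP ID: the authenticator hashes the RP ID it signed for,
    # so an assertion produced for a look-alike domain fails here (phishing resistance).
    expected_hash = hashlib.sha256(expected_rp_id.encode("ascii")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        problems.append("rpIdHash mismatch: assertion was created for a different website")
    if not parsed["user_present"]:
        problems.append("UP flag not set: no user presence")
    # Requiring UV is what gives a single passkey login 2-factor quality
    # (possession of the authenticator plus PIN/biometric).
    if require_uv and not parsed["user_verified"]:
        problems.append("UV flag not set: user presence alone is insufficient")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Construct a minimal authenticatorData blob for testing (constructed sample, no credential data)."""
    return hashlib.sha256(rp_id.encode("ascii")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: a synchronized passkey assertion with UP and UV for "example.org".
    good = make_auth_data("example.org", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print("good assertion:", check_assertion(good, "example.org"))
    # Presence only (a tap without PIN or biometric) is rejected.
    presence_only = make_auth_data("example.org", FLAG_UP)
    print("presence only:", check_assertion(presence_only, "example.org"))
    # An assertion made for a different RP ID is rejected.
    wrong_site = make_auth_data("example.net", FLAG_UP | FLAG_UV)
    print("wrong site:", check_assertion(wrong_site, "example.org"))
```

The BE and BS flags are also decoded because they tell the relying party whether a given passkey is eligible for, or currently in, a synchronized backup; a relying party that wants to treat device-bound and synchronized passkeys differently reads them from the same byte.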

Passkey synchronization

edu-ID supports cross-device authentication, i.e. the synchronization of passkeys between devices. The providers of synchronization solutions state that the passkeys transmitted from one device to another are end-to-end encrypted and that the providers themselves cannot read them.

Refer to the statements of providers for more details:
