Passkey Authentication
Passkeys are a replacement for passwords, making the login experience easier and more secure. Passkey authentication eliminates numerous attacks that use stolen passwords. It also protects users against phishing as each passkey is linked to a specific website or application.
The passkey standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance.
Passkey Authentication in edu-ID
As of January 29th 2024, passkey authentication can be used and configured by every edu-ID user. Passkey is a relatively new technology, and many potential users are not yet familiar with it. To optimize user satisfaction and reduce helpdesk requests, it is necessary to offer training material and best-practice guidelines to users. It is suggested to accompany the introduction of passkeys at a university with an information campaign. The edu-ID team is happy to support universities with tips and support material.
Prerequisites
Any user with an edu-ID account can enable passkey authentication. Every up-to-date computer or mobile phone, with the exception of the Linux platform, is ready for passkeys (see device support below).
Account recovery
If a passkey is lost, it has to be ensured that the user can regain access to her account. edu-ID makes sure that the following recovery methods are configured:
- 2-step login with TOTP (authenticator app) or SMS must be enabled
- Implicitly, this also means that the user received a set of recovery codes
- In addition, a verified mobile number is required
Device support
Passkeys exist in many different types. In edu-ID, all passkeys supported by the user's platform can be used. The passkey support on the platform depends on the browser, the operating system and, if applicable, the cell phone or the USB security key.
In general, passkeys can be generated, stored and managed by the following devices:
- Mobile phones with built-in passkey support
- FIDO2 security keys
- Desktop computers and notebooks
- Password managers
A good overview of the supported devices can be found here: https://passkeys.dev/device-support/
Security
Multi factor equivalence
The edu-ID passkey implementation is configured to always have the authentication quality of a 2-step login (2-factor authentication). A passkey authentication in edu-ID requires user verification, whereas simple user presence is insufficient.
Examples:
- Mobile phone login: the passkey authentication requires the unlocked mobile phone (possession) and the unlocking of the passkey with fingerprint (inherence), face recognition (inherence) or pin code (knowledge).
- USB security key login: the passkey authentication requires the USB security key (possession) and the unlocking of the passkey with the fingerprint reader on the stick (inherence) or PIN code entry on the computer (knowledge).
Passkey synchronization
edu-ID supports cross-device authentication, i.e. the synchronization of passkeys between devices. The providers of synchronization solutions claim to end-to-end encrypt the passkeys transmitted from one device to another, and not to be able to read them out.
Refer to the statements of providers for more details:
- Apple: iCloud Keychain Security
- Google: Security of Passkeys in the Google Password Manager
- Microsoft: (sync not yet supported)
Details
Service Configuration
In general, no particular service configuration is required to allow the use of passkeys. There is one caveat in SAML, however: a service that specifies an overly restrictive authentication context enforcing password authentication prevents passkey login.
Recommendation for services: Do not specify an authentication context in services and remove a RequestedAuthnContext clause from the SP configuration.
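As an added illustration (not edu-ID's or any service's own code), the following Python check parses a SAML AuthnRequest and flags a RequestedAuthnContext that only admits password-based context classes, i.e. exactly the configuration the recommendation above asks services to remove. The sample requests and the issuer URL are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Authentication context classes that pin the IdP to a password login; a
# passkey authentication cannot satisfy a request restricted to these.
PASSWORD_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def requested_contexts(authn_request_xml: str) -> list[str]:
    """Return the AuthnContextClassRef values of the RequestedAuthnContext
    element, or an empty list when the request does not specify one."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return []
    refs = rac.findall(f"{{{SAML}}}AuthnContextClassRef")
    return [ref.text.strip() for ref in refs if ref.text]


def blocks_passkeys(authn_request_xml: str) -> bool:
    """True when the request carries a RequestedAuthnContext whose classes are
    all password-based. Comparison defaults to "exact", so such a request can
    only be met by a password login; the clause should be dropped from the SP."""
    classes = requested_contexts(authn_request_xml)
    return bool(classes) and all(c in PASSWORD_CLASSES for c in classes)


# Constructed sample request (not real edu-ID traffic); the issuer is a placeholder.
RESTRICTIVE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-29T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# The recommended form: the same constructed request without any RequestedAuthnContext.
RELAXED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example2" Version="2.0" IssueInstant="2024-01-29T00:00:00Z">
  <saml:Issuer>https://sp.example.org/shibboleth</saml:Issuer>
</samlp:AuthnRequest>"""
```

Running `blocks_passkeys` over the AuthnRequests your SP actually emits (e.g. captured from the browser's SAML redirect) shows whether a stale RequestedAuthnContext is still configured.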
Future Extensions
Autofill / Conditional UI
With the current implementation of the login process, a user first has to enter the username (email address) and then provide the passkey. WebAuthn Autofill / Conditional UI allows the user to be identified if the user has previously registered a passkey for edu-ID. In such a case, the user does not have to enter a username and can directly confirm the passkey authentication.
Autofill / Conditional UI support for edu-ID is currently under development.
References
General:
- https://fidoalliance.org/passkeys/
- 5.5.22: Apple, Google, and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign‑ins
Related to Passkeys in SWITCH edu-ID:
- 25.10.23: Nie wieder Passwörter - mit Passkeys in die Zukunft (Podcast, DE)
- 17.10.23: Mit Passkeys in eine passwortlose Zukunft (Inside IT article, DE)
- 13.9.23: SWITCH edu-ID: Into a future without passwords (SWITCH Story FR/EN/DE)