Improving Security: The Website Now Supports Passkeys

Now that most operating systems and browsers support PassKeys, it’s time to start getting rid of passwords!


When I watched Apple’s WWDC they made a big deal about privacy and security, as they always do, and they finally introduced a feature to iCloud Keychains that I have wanted for a long time: PassKeys.

You might be wondering what the heck a passkey is. It is a newish way of logging into websites and apps that does not require a password. That might sound a bit nuts, but it’s actually more secure. Rather than have me explain it and mess it up, here’s a quote from Apple’s website about them.

Passkeys are built on the WebAuthentication (or “WebAuthn”) standard, which uses public key cryptography. During the account registration process, the operating system will create a unique cryptographic key pair to associate with an account for that app or website. These keys are generated by the device, securely and uniquely, for every account.
One of these keys is public and is stored on the server. This public key is not a secret. The other key is private and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices that support Touch ID or Face ID, these authentication methods can be used to authorise use of the passkey, which then authenticates the user on the app or website. No shared secret is transmitted and the server does not need to protect the public key. This makes passkeys very strong, easy-to-use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure passkey implementations are compatible cross-platform and can work on as many devices as possible.

https://support.apple.com/en-gb/HT213305

The fact that this is all based on the WebAuthn standard means that it will work across operating systems and different web browsers, making authentication more secure for everyone, so long as the website or app provides support.
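The challenge-response sign-in that the Apple quote describes, as an added example (not code from Apple, the wp-webauthn plugin or this website): a simplified Node.js model in which the server stores only a public key and checks a signed, origin-bound, single-use challenge. The class names, the origins and the JSON message layout are assumptions; real WebAuthn signs binary authenticator data together with a hash of the client data.

```javascript
// Simplified model of a passkey sign-in; not the real WebAuthn wire format.
const crypto = require('node:crypto');

// Authenticator (phone, security key): one key pair per site origin.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey); // private key stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this reaches the server
  }
  sign(origin, challenge) { // origin is supplied by the browser, not by the page
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey for this origin (e.g. a look-alike domain)
    const clientData = JSON.stringify({ type: 'webauthn.get', origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
  }
}

// Relying party (the website): holds public keys and one-time challenges, no secrets.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Set(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, assertion) {
    if (!assertion || !this.users.has(user)) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.type !== 'webauthn.get' || data.origin !== this.origin) return false;
    if (!this.pending.delete(data.challenge)) return false; // unknown or replayed challenge
    return crypto.verify('sha256', Buffer.from(assertion.clientData),
      this.users.get(user), assertion.signature);
  }
}

function demo() {
  const site = 'https://example.test', lookalike = 'https://examp1e.test'; // constructed
  const phone = new Authenticator(), server = new Server(site);
  server.enroll('alice', phone.register(site));
  const assertion = phone.sign(site, server.newChallenge());
  return {
    login: server.verify('alice', assertion),   // true
    replay: server.verify('alice', assertion),  // false: challenge already used
    phished: server.verify('alice', phone.sign(lookalike, server.newChallenge())), // false
  };
}
```

Everything the server keeps (public keys and spent challenges) is useless to someone who copies it, which is the property the quote means by "the server does not need to protect the public key".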

So with additional security in mind, I’ve now added passkey support to the website and shall be adding it to any websites that I build going forward. As I use WordPress, this process is straightforward: all I need to do is install the wp-webauthn plugin from the WordPress Plugins directory and make sure that I have the gmp and mbstring PHP extensions installed on my server, and that’s it.

If you’d like to add passkey support to your account, all you need to do is head to your profile and register a new authenticator at the bottom of your profile page. You will have the choice of using a USB key, such as the YubiKey, or you can scan a QR code on your phone and it’ll work with your phone’s password manager. And that’s it: you just need to log in with your username and you’ll be asked to verify it’s you by providing a fingerprint or face scan (e.g. Face ID, Windows Hello) or by using your USB device.

I’ve found that now that I have this set up, it’s actually quicker and more secure than the 2FA solutions I’ve tried on the website (and I could never get any of them to work correctly without locking me out 3 times a day).

So there you go. The website is now a bit more secure for those of you that don’t want to have to deal with passwords all the time. What do you think of PassKeys? Do you think they are the future of authentication? What do you think will come next? Do you think I’ve made a mistake? Let me know in the comments below.

Jim (139)

