Can FIDO Passkeys and Accountability Coexist?
The Fast Identity Online (FIDO) alliance is an industry association spearheading efforts to reduce and eventually eliminate password use. To this end, FIDO promulgates standards and creates protocols intended to strengthen authentication and device attestation techniques. Public key cryptography plays a central role, along with smartphones, in creating its preferred form of authentication: Passkeys.
A passkey is essentially a two-factor authenticator created by a person’s smartphone device when first registering with a remote server. Using the embedded cryptographic engine within the smartphone, the device creates a cryptographic key pair consisting of a private and a public key. The smartphone holds the private key while the remote server stores the public key. Thereafter, the smartphone authenticates itself as the legitimate user by answering a challenge from the server with the private key that matches the public key held by the server, as part of a challenge-response protocol.
The two-factor authentication distinction arises from the fact that the private key is only available when the smartphone is unlocked. To unlock a smartphone, the user most frequently must use a biometric identifier, such as facial recognition or a fingerprint, or input a personal identification number (PIN). Thus, authentication occurs at both the device and the server levels.
Passkeys offer many advantages. First, they are non-phishable credentials, which means they cannot be stolen via email, social engineering or other schemes. Second, passkeys are based on cryptography, making them stronger than passwords and, as previously described, multifactorial. Authentication only occurs when the private and public keys match and the private key is only available when the phone is unlocked by a PIN or biometric feature. Third, passkeys are unique between each user account and each remote server. If, for example, a user registers with 10 different websites, there will be 10 unique passkey pairs operative. This feature overcomes another weakness associated with password use: Users tend to employ the same passwords across multiple websites. Should cybercriminals guess or steal that one password, they can access all those sites.
Google, Android, Apple and others are facilitating passkey use across multiple user devices by allowing individuals to synchronize their passkeys via the cloud. Thus, if a user establishes a passkey on an iPhone, for example, it can be synchronized via iCloud keychain with the user’s iPad and MacBook so all devices can be used interchangeably to log into sites. Notably, should a device be lost, the replacement device can access and download all the passkeys backed up on the cloud.
Yet another user-friendly feature allows users to retrieve and use passkeys when logged in on someone else’s computer. Websites can display a quick response (QR) code, which users can scan with their smartphone to retrieve their passkey for that site and allow the user to authenticate from the other computer.
Passkeys clearly represent a major step forward in enhancing IT security, especially when compared to the use of passwords alone or even the use of passwords plus a one-time password (OTP) sent via SMS/email. However, one passkey feature currently in development may weaken that advantage. Called “passkey sharing,” this innovation will enable a user on the iOS platform to share passkeys with someone else via AirDrop (or possibly by using Nearby Share on the Google and Android platforms). This capability will undermine a foundational principle of computer security: Accountability.
The National Institute of Standards and Technology (NIST) defines accountability as “the property that ensures that the actions of an entity may be traced uniquely to the entity.” Accountability begins with user authentication of identity via the passkey. Thereafter, the server operates on the premise that it is interacting with the user who owns the passkey.
Accountability concerns underpin the rationale for unique IT system accounts for every system user. Years ago, all system administrators within an organization often shared one account with a single username and password. Experience proved this was not a good idea due to the critical system tasks administrators perform and the wide-ranging access they enjoy. Without unique accounts, it’s impossible to identify which individual made which system change or accessed what file. This capability is necessary when attempting to trace poor job performance or malfeasance by an insider threat or former employee.
While accountability is not always the primary concern, its absence diminishes the attributes that elevate and distinguish passkeys (multifactor authenticators, non-phishable and secure). Shareability means the legitimate user can share their passkey for a site (let’s say a banking site) with another person who is in proximity. However, this other person can similarly share the passkey with another person and so on. The legitimate user of the passkey has no control over the passkey once it has been shared with the other person. This creates a host of problems, one of which is that the legitimate user can now claim they are not accountable for transactions performed after a passkey-based authentication to their account.
Certain types of online services may either welcome or just tolerate account sharing. Other types of online services may not want to promote account sharing. With the traditional password + OTP model, account sharing is possible but somewhat controlled due to the use of the OTP. However, with passkeys, once shared with another person, the passkeys can then be used without the legitimate user’s permission.
Furthermore, passkey sharing may also open a new type of phishing attack that can be launched against unwary users. Imagine a neighbor who is “helping” an older person perform a transaction using online banking. The neighbor may ask the older person to share their passkey to allow the neighbor to perform the required transaction. However, from then on, the neighbor can use the shared passkey to continue to make unauthorized transactions from the older person’s account.
Shareability may be welcomed by some but create issues for others. Notably, the FIDO Alliance standard for passkeys currently does not allow the relying party to opt-in/out of passkey sharing. This omission will be problematic for certain business models that purposefully seek to limit access to the legitimate user and no one else.
Without the option to balance the needs of different relying parties versus the needs of end users, accountability concerns will haunt passkeys and perhaps diminish their use, a prospect contrary to a stated objective of the FIDO Alliance. Smartphone owners can choose to share their passkeys with others. Organizations should be given the option to allow or not allow shared passkeys on their sites. Through amending its standard, the FIDO Alliance can create a world where accountability and passkeys safely coexist.