Proton, a company known for its secure email system, has introduced passkey support for its password manager. The company criticized "Big Tech" for keeping users' passkeys restricted within closed systems.
Passkeys were created by the FIDO Alliance and the World Wide Web Consortium as a way to replace passwords and offer quicker, simpler, and more secure logins across various devices. However, according to Son Nguyen, the founder of SimpleLogin and developer of Proton Pass, the implementation of passkeys has not met the high expectations set for them. Nguyen shared these thoughts in a blog post on Monday.
Nguyen criticized Apple and Google for focusing on using passkeys to keep users within their own platforms rather than making them widely available for everyone's security. This limited approach reduces the effectiveness of passkeys and hinders their potential to become the new standard for authentication.
Roger Grimes, a defense advocate at KnowBe4, a company that offers security training in Clearwater, Florida, agreed with Nguyen. He stated that the FIDO passkey standard, as well as how major companies like Microsoft, Google, and Apple use it, creates closed ecosystems.
The issue has been acknowledged by FIDO and they are in the process of developing a new version of passkeys that will eliminate this restriction.
He mentioned that Proton is not the only company trying to solve the issue of platform lock-in with passkeys. An example is the 1Password password manager, which lets you use passkeys on different platforms.
The FIDO Alliance expressed a different opinion than Proton by stating that passkeys were not intended to be exclusive to large technology companies. Executive Director and CEO Andrew Shikiar emphasized this point.
Shikiar mentioned that they have always wanted to create a platform that is open to other companies, which is why they have partnerships with credential managers like 1Password and Dashlane through the FIDO Alliance.
He mentioned that there are no restrictions on which vendor you can use. All of these companies are collaborating in the FIDO Alliance to develop a new protocol that will enable users to transfer credentials between different platforms. They are focused on making it possible for users to move passkeys from one cloud service to another.
James E. Lee, chief operating officer of the Identity Theft Resource Center in San Diego, a nonprofit organization that focuses on reducing the risk and lessening the effects of identity theft and crime, stated that passkeys are created to work with various platforms, applications, and operating systems.
He explained to TechNewsWorld that this is currently the situation we are observing. Not taking this approach would only prolong the implementation of a significantly more secure method.
Nguyen stated that many password managers quickly released passkeys in response to Big Tech's implementation, leading to a less than smooth user experience.
According to Nguyen, some password managers only allow passkeys to be used through their web extension, creating challenges for users trying to log in to the same app on their mobile device. The majority of password managers that do support passkeys require a paid subscription, leaving Google Password Manager and Apple Keychain as the only free passkey options until Proton Pass introduced them.
Anna Pobletts, who leads the passwordless team at 1Password, mentioned that although Big Tech companies were early adopters of passwordless solutions, their closed-off approach hinders the widespread use of passkeys by consumers.
She mentioned to TechNewsWorld that at 1Password, they have implemented a strategy that allows users to easily switch from traditional passwords to passwordless options. This gives users the freedom to choose how they handle their online identities on various platforms and devices, whether it be for work or personal use.
According to Darren Guccione, the CEO of Keeper Security, a company based in Chicago that specializes in password management and online storage, traditional password systems have weaknesses such as being vulnerable to brute-force attacks, phishing attempts, and human errors.
He explained to TechNewsWorld that passwordless authentication techniques that utilize biometrics, multi-factor authentication, and advanced technologies provide strong protection against security threats.
Unlike passwords that usually involve a mix of characters, numbers, and symbols, passkeys use public-key cryptography principles. They involve two keys: a private key kept safely on the user's device and a public key shared with the service provider.
In the background, passkeys use a system where a challenge is presented and a response is required for verification, he further
When a user tries to log into their account, the service provider sends a challenge to the user's device. The device then uses its private key to sign the challenge and sends the signed response back to the server for verification.
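The challenge-response login described above, as an added example (not code from Proton, the FIDO Alliance or this article) using Node.js's built-in crypto module. It simplifies WebAuthn and goes slightly beyond the text by also signing the site origin, so a response produced for one site is rejected by another; the user name, origins and function names are constructed for illustration.

```javascript
// Added illustration: simplified passkey-style challenge-response, not WebAuthn's wire format.
const crypto = require("node:crypto");

// Registration: the key pair is created on the device; only the public key leaves it.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { device: { privateKey }, publicKeyPem: publicKey.export({ type: "spki", format: "pem" }) };
}
// Device side: signs the challenge together with the origin the browser is actually on.
function signChallenge(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), device.privateKey);
  return { clientData, signature: signature.toString("base64") };
}
// Server side: holds public keys and outstanding challenges, never a shared secret.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> single-use challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString("base64");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, response) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // a challenge is never accepted twice
    const publicKeyPem = this.publicKeys.get(user);
    if (!challenge || !publicKeyPem) return false;
    let data; try { data = JSON.parse(response.clientData); } catch { return false; }
    if (data.challenge !== challenge || data.origin !== this.origin) return false;
    const signature = Buffer.from(response.signature, "base64");
    return crypto.verify("sha256", Buffer.from(response.clientData), publicKeyPem, signature);
  }
}
// Constructed walk-through: genuine login, replayed response, response signed for another origin.
function demo() {
  const server = new Server("https://example.test");
  const { device, publicKeyPem } = createPasskey();
  server.register("alice", publicKeyPem);
  const good = signChallenge(device, server.newChallenge("alice"), "https://example.test");
  const genuine = server.verify("alice", good);
  const replayed = server.verify("alice", good);
  const foreign = signChallenge(device, server.newChallenge("alice"), "https://other.test");
  return { genuine, replayed, wrongOrigin: server.verify("alice", foreign) };
}
console.log(demo());
```

Only the first response is accepted: the replay fails because the challenge was consumed, and the response signed for a different origin fails the origin check even though the signature itself is valid.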
Passkeys offer a higher level of security compared to traditional passwords because the private key is generated and stored on the user's device and is never transmitted over the network. This makes them more resistant to phishing attacks.
Passkeys are only accessible on the device where they were originally created, unless they are saved in a secure password manager. By storing passkeys in a password manager, you can access them from any device and log in from any location, enabling you to use them on various browsers and operating systems.
Passkeys can help prevent common social engineering attacks such as phishing or credential stuffing by removing the incentive for hackers, which is typically credentials, according to Pobletts.
Moving forward, Guccione believes that passkeys have a positive future, although progress may be slow and steady. He mentioned that the support from major tech companies like Microsoft, Apple, Google, and Amazon is a good sign. Standardization efforts could help address compatibility issues and encourage more people to use passkeys.
"However," he continued, "it is important to recognize that passkeys are unlikely to replace passwords anytime soon, if at all."
He explained that out of the countless websites available, only a very small number actually provide passkey support. This low adoption rate is due to factors such as lack of support from the platforms they are built on, the need for changes to the website itself, and the necessity for users to manually configure the passkeys.
Nguyen emphasized the importance of passkeys being universally accepted in order to be an effective account security solution.
Passkeys become more effective as more websites and services adopt them, making it a convenient and secure solution for users. However, big tech companies have focused on using passkeys to benefit themselves rather than prioritizing universal security.