Parsing the Apple, Microsoft and Google passkey announcement
Just before World Password Day on Cinco de Mayo (I’ll admit there were two reasons to celebrate on that day), Apple, Google, and Microsoft jointly announced their intention to extend their support for the FIDO passwordless standard. This was a meaningful announcement because (1) it’s not often that these three big power players get together and agree on anything, and (2) there is a clear precedent for what was announced, so real products that demonstrate the promise of the standard for the average consumer may be available soon.
What you will learn
- How the passkey announcement impacts consumer and enterprise workforce authentication
- What are synced and device-bound passkeys
- Passkey limitations for workforce authentication
- How Octopus extends passkey usages for enterprise-wide use case coverage
What’s the significance of this announcement?
Let me start by explaining the precedent I referred to. As backdrop, the announcement extended support for the FIDO passwordless standard that all three players already supported. Those who follow the space will know that Apple was the last of these big three vendors to join the FIDO initiative, in February 2020, but it’s been impressive how fast it has made up ground since then. In fact, its announcement of a “passkey” feature at last year’s WWDC was arguably a more innovative step than we’d seen from Google and Microsoft when it comes to end-to-end seamless interoperability. To make a complicated story simple, the passkey turns a smartphone itself into something akin to a FIDO security key and uses the iCloud device-chaining concept to make the FIDO private key, which is stored securely on an Apple device, portable. Many enterprise passwordless authenticators already hold FIDO private keys, but the announcement extends this by implying that passkeys are managed by the device platforms themselves, are universal across each vendor’s platforms, and are portable across multiple devices.
The significance of this announcement is that Google and Microsoft, both owners of cloud services, native and cloud apps and platforms/devices, are also now working with Apple on this concept to enable more seamless experiences for consumers.
For those of us who know the FIDO architecture intimately, details remain rather hazy on how the private keys can work across platforms from different vendors, given the need for a corresponding matched public key, but we’ll assume for now that this is what makes the announcement special, as opposed to the typical lock-in to one ecosystem.
What is a passkey?
Initially, a passkey was essentially a software version of a FIDO2 security key, but with slightly watered-down security requirements. I say watered down because FIDO2 security keys like those from Yubico and Feitian typically bind the private key to a specific hardware device and carry with them an attestation of authenticity. For the sake of usability and ease of portability, passkeys relaxed this strict requirement, and as hardcore security architects know, this introduces the possibility of interception and malicious use of that key when it is moved between devices. Nonetheless, the probability of this happening is lower than with passwords (more so due to the human component than the technical one), and it is likely worth the net benefit of less password use overall. Net-net, the announcement is a step in the right direction toward a ubiquitous passwordless future.
Then, in 2023, the FIDO Alliance extended the passkey brand to refer to any type of FIDO credential and created subcategories of passkey for their functionality. Two categories have now been established to distinguish the characteristics of synced passkey and device-bound passkey:
Device-bound passkey
What was previously referred to as a FIDO security key, or generically as FIDO2, is now called a device-bound passkey: a type of passkey bound to a hardware component (e.g., a TPM or secure enclave) from which it can’t be exported. Device-bound passkey characteristics include:
- Found on hardware security keys, smartphones, laptops
- No backup of the private key credential.
- Users must register additional credentials for backup if primary authentication device fails or is missing
- Generally regarded as the most secure type of passkey
Synced passkey
A category of passkey that can be backed up and synchronized by a credential fabric provider, such as Apple, Google, and Microsoft. Synced passkey can be shared between users’ devices and between people in the same way that passwords can be shared.
A credential provider might be a platform/OS vendor or third party with a business model similar to a password manager. Characteristics of synced passkey include:
- Software private key credentials are recoverable
- Passkey security in the fabric is the provider’s responsibility, but the user is responsible for usage security
- Generally regarded as the weakest form of passkey, though FIDO recommends using synced passkeys anyway, because the same weaknesses already exist with passwords and passkeys are stronger
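One way a relying party can tell the two categories apart at registration or login time, as an added example that is not code from the original post or from Secret Double Octopus: WebAuthn authenticator data carries Backup Eligibility (BE) and Backup State (BS) flags, and a workforce policy can refuse credentials that are backup-eligible. The RP IDs and flag bytes below are constructed samples.

```python
"""Classify a WebAuthn credential as device-bound or synced via authenticator
data flags. Added example (not the post's or SDO's code); samples constructed."""
import hashlib
import struct

# Authenticator data flag bits (WebAuthn Level 3 authenticator data layout)
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: credential may be synced to a fabric
FLAG_BS = 1 << 4  # backup state: credential is currently backed up


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        # synced passkeys commonly report a sign count that stays at 0
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def classify_passkey(auth_data: bytes) -> str:
    """'synced' if BE is set, 'device-bound' if clear; BS without BE is malformed."""
    info = parse_auth_data(auth_data)
    if info["backed_up"] and not info["backup_eligible"]:
        return "invalid"
    return "synced" if info["backup_eligible"] else "device-bound"


def workforce_policy_allows(auth_data: bytes, rp_id: str) -> bool:
    """Hypothetical workforce RP policy: correct RP ID hash, user verified,
    and the credential must be device-bound (not backup eligible)."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    return info["user_verified"] and classify_passkey(auth_data) == "device-bound"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed 37-byte authenticator data prefix for testing."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_hash + bytes([flags]) + struct.pack(">I", sign_count)
```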
Synced passkey will benefit consumers more than enterprises
Apple’s announcement clearly positions the enhanced support and joint collaboration squarely for consumers, and this was my first reaction as well even before reading the actual release. Knowing the complexity and requirements that we have seen with our customers in the enterprise, and being a FIDO2-compliant platform ourselves, the lack of detail in the original articles I read for how certain big problems seen in the enterprise would be addressed led me to be skeptical of its impact in an enterprise setting.
Once I read the actual Apple press release, it was refreshing to see that these behemoths are not overselling the promise of this announcement by being absolutely clear it is for consumer access to apps and cloud services. Because these vendors own the predominant mobile platforms and key browsers with which we connect to the web, it is possible for them to make a severe dent in the societal password problem using these elements. So much for World Password Day being a celebration of passwords.
Why are workforce authentication benefits limited?
So, without further ado, let me get to the point of this blog: what do passkeys and the joint collaboration announced last week mean for the enterprise, specifically for employee or workforce authentication? Unfortunately, not much, other than being a long-term net positive: the more we as consumers get used to frictionless access to our consumer apps and services, the more we’ll expect it from our enterprise IT organizations and accept new solutions from them. Secondly, it’s great validation for the FIDO standard and for the work the FIDO Alliance is doing as the unanimous winner as THE standards body for passwordless everywhere, across B2C and B2B.
The reasons we feel passkeys by themselves will not change enterprise authentication, and why Secret Double Octopus remains the leading choice for workforce passwordless authentication, are the following:
Workforce use case coverage gaps
Passkeys of all types are great because they are phishing-resistant and simplify worker login workflows. But as the protocol name WebAuthn implies, FIDO only works for web apps. Enterprises, however, run much more than web apps, and much of that cannot easily be made ready for FIDO.
By adding other IAM technologies, like Windows Hello for Business (WHfB) with Entra ID to your identity infrastructure, FIDO can be extended to Windows machine login, SSO, and a few more Microsoft things (see diagram below). Unfortunately, for most enterprises, that isn’t enough for their whole enterprise.
In many cases, use case coverage gaps involve the company’s most sensitive enterprise data, often stored on-prem and often the ultimate targets of attackers. As a result, users have to know and use their directory passwords to access unsupported apps and services, leaving the password and associated phishing risk in place.
Complicated user experience
FIDO use case gaps create a solution based on “sometimes passwordless” rather than achieving the goal of a passwordless enterprise, where users never know or type passwords. Workers still get frustrated with multiple login workflows, and less frequently used passwords create more risk because they are easier to forget, so they end up being simple to remember or written down. Users and IT still have to manage password resets, which often involve Help Desk calls.
Fallback to passwords
The third area of FIDO challenges for the workforce concerns businesses’ need for work continuity. It is inevitable that a worker will leave their authenticator behind, lose it completely, or break it.
At this point, businesses must have a fallback mechanism for these situations so production can continue. FIDO provides the mechanism for a second, third, or nth FIDO authenticator to be registered with the RP, which creates additional expense and complexity. For most businesses, the fallback is to leave password login in place as an option. In these scenarios, the security risk persists.
How does the Octopus platform extend FIDO across the enterprise?
Like other passwordless MFA solutions that aim to stop phishing, the Octopus Platform supports FIDO2 to secure web application access. But unlike other passwordless methods, we also extend the benefits of passwordless MFA – and the FIDO approach – enterprise-wide.
That includes delivering FIDO login for Macs and Linux servers, VPNs (generally using the RADIUS protocol), and LDAP-based systems on-premises. The Octopus platform covers the full range of enterprise use cases, including using FIDO authentication for on-prem and legacy password-based apps without redesign (see diagram above).
The Octopus Authentication Platform is built around a patented technology called Invisible Secret Rotation. The platform replaces the user’s directory password entry with a machine-generated token that the Octopus manages and rotates. The user never knows that the token exists or when it gets rotated.
Instead, users authenticate to Octopus using strong methods like FIDO2, passkey, smartcards, and phishing-resistant mobile push through the Octopus Desktop-to-App pinning technology. Once the user has passed the high-assurance authentication, Octopus orchestrates access to user desktops, SSO, remote services, and password-based apps without passwords.
This ephemeral token approach makes Octopus compatible with existing enterprise applications and directory infrastructure without redesign. This compatibility saves businesses time and expenses in achieving their zero-trust identity posture goals.
Key takeaways
- Synced passkeys will benefit consumers but have limited use in workforce authentication
- Device-bound passkeys have the high-assurance capabilities that best fit workforce authentication requirements.
- Octopus extends passkey usability enterprise-wide for complex enterprise infrastructure that includes on-prem and legacy apps and services
Summary
In summary, workforce passwordless authentication must work easily and intuitively, and achieving that takes ingenious engineering and man-years of interoperability work. The enterprise passwordless market is like many others that have thrived: major platform vendors provide solutions tailored for their own infrastructure, and third parties come in to innovate and establish feature parity across heterogeneous environments.
The announcement from last week already represents major progress if the Big 3 are collaborating in making their platforms interoperable across the world wide web for consumers. Unfortunately, enterprise environments have many more levels of complexity that must be dealt with before the passkey initiative from the Big 3 can be seen as a transformational solution for workforces.
At SDO, we see the announcement as an important development and validation in the step toward a world without passwords, but we think it also reaffirms our opportunity to be the right solution for the enterprise market as workforces increasingly go passwordless.