Are Passkeys MFA?

Ackermann Yuriy
4 min read · Sep 24, 2024


Or does it even matter?

No. Multi-device passkeys, or simply passkeys as I will continue to refer to them, are not multi-factor.

But the bigger question that we need to address, does it even matter? Maybe passkeys are just enough?

This article will address exactly those questions, and more. But first a message from our sponsor: Security Keys.

Security Keys. They are truly EM-EF-AY! — Paid for by Yubico, Hideez and the rest of the gang. (P.S. This was a joke. But seriously, buy yourself a security key.)

Are passkeys MFA?

NO.

This might stir some controversy, but it’s the truth. Take this example:

  • A random string that we call a password, stored in a password manager, is a single knowledge factor.
  • A random string that we call a private key, stored in a password/passkey manager, is still a single knowledge factor, even if it can do more.

So multi-device passkeys are a single factor, stored in cloud storage that we call a sync fabric, a keychain, or a password/passkey manager.

But what passkeys have that passwords lack is phishing resistance, which is more important than you think.

The factors

NIST defines authentication factors as such:

The three types of authentication factors are something you know, something you have, and something you are. — https://pages.nist.gov/800-63-4/sp800-63b.html

Historically, web authentication relied on two main factors: something you know (a password) and something you have (a phone). The problem is that, from a security standpoint, both are still vulnerable to phishing.

When a website wants you to log in with at least two factors, you are asked to type your password (knowledge factor) and another mini password, a PIN delivered to you via SMS, which we sometimes call an OTP (One Time PIN) (possession factor). What makes the SMS OTP a different factor is that it came through the mobile network to your device: it proves that you have a mobile device with the specified phone number, hence proof of possession.

However, at the end of the day you just enter two strings, regardless of whether it’s the real “bank.com” or “attacker.com”. This means the authentication is vulnerable to a man-in-the-middle attack where the attacker captures the information and accesses your account in real time.

Which brings me to my second point.

Phishing resistant — new security default

Think of passkeys like we now think of TLS. TLS used to be costly and complex, but today it’s standard and easy to implement. A decade ago, less than 40% of web traffic was protected by TLS. Passkeys are at a similar point now. The path forward might have some challenges, but in time, they will become as widespread and default for authentication, same as TLS is for secure websites.

Same as TLS, multi-device passkeys provide a base level of security, but they are not a silver bullet and, same as TLS, they need careful consideration when deployed.

Phishing resistance is a tricky subject when discussing security policies. Compliance is messy, and CISOs have their own understanding of what’s needed for their organisations. There’s no simple answer to whether something is “good enough” without context.

Ok, so do I need to step up, or not?

Recently there was a little discussion about Amazon’s policy to require both passkeys and OTP. There is certainly a debate to be had regarding when you actually need to step up with passkeys.

Passkeys shift the focus of attacks from broad, large-scale online breaches to more targeted, in-person attacks. This makes the cost of successfully attacking someone using passkeys significantly higher. The real issue then is whether the effort and resources needed for such a targeted attack are worth it for the attacker.

Amazon likely does not need a complex, multi-step authentication process that combines passkeys and OTPs. The value the attacker would gain from accessing someone’s Amazon account wouldn’t justify the effort required.

However, for services like Zelle, MFA is essential for both regulatory and security reasons. The potential reward for an attacker is much higher, so they’d be more willing to invest significant resources to breach that account, hence the need for true MFA.

In conclusion

Passkeys are not MFA, but a strong single factor that is probably sufficient for the majority of consumer cases.

Passkeys shift the focus of attacks from broad, large-scale online breaches to more targeted, in-person attacks. However, sync fabrics have issues of their own, such as phishing attacks against the keychains. This is a much bigger topic, and we will discuss it in an upcoming article.

Passkeys are not perfect, and as I wrote in my recent article, they have a long way to go to address enterprise issues. However, at the same time, they are objectively better than passwords in almost every way.

Hope this article was able to clarify some details.

P.S. This article lacks several important details, particularly in the area of threat management. Additionally, it does not address the transition to password managers and the impact that shift has on security. All that and more is coming soon in the “Passkeys for decision makers” article, which will talk in detail about the security and compliance aspects.

Subscribe to my blog, and follow me on LinkedIn so you don’t miss out.
