Episode 029: 07‐11‐2024 Deploying passkeys for high‐security use cases - GluuFederation/identerati-office-hours GitHub Wiki

Title: Deploying passkeys for high‐security use cases

LinkedIn Event

Description

"Synced passkeys" offer a convenient way to authenticate across devices – similar to how consumers have learned to authenticate with passwords. For organizations with high security needs, however, the duplication of keys and lack of control when introducing new devices pose a compliance challenge. Additionally, the lack of granularity when suspending or revoking multi-device credentials adds complexity to practical implementations.

The good news is that there are strategies for overcoming these challenges, making it possible for banks, fintechs, mobile network operators, and other industries with high security needs to leverage the benefits of passkeys as part of their passwordless journey."

Homework

Takeaways

  • Are passkeys 2FA? How much time you got?

  • Apple in particular didn't want to tie passkeys to a device. Obviously, Apple wants you to get lots of devices, and to sync your passkeys to any of them. So for consumer use cases, "Synced Passkeys" are preferable. Apple, Google and Microsoft are already "Passkey Providers". However, other Passkey Providers are arising, for example, companies that offer password management. Obviously, protecting your account at the Passkey Provider is critical to prevent catastrophic escalation.

  • For high security use cases, you may actually need device-bound keys, whether that's tied to a mobile device or a physical key. The provenance of the authentication is called into question when you use Synced Passkeys.

  • USB / NFC keys offer use on multiple devices without losing the device-ownership factor... basically sneakernet.
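How does a relying party actually tell a synced passkey from a device-bound one, so it can enforce the "device-bound for high security" policy discussed above? The WebAuthn authenticator data carries two flag bits for exactly this: BE (backup eligible, the credential may be synced) and BS (backup state, it currently is). The following is an added example written for this page, not code from the episode, Gluu, or any Passkey Provider. It parses the fixed part of authenticator data, classifies the credential, and applies a hypothetical relying-party policy; the sample authenticator data is constructed inline, and the policy thresholds (require UV, reject BE for high-assurance accounts, counter-based clone check) are assumptions for the example.

```python
"""Classify a WebAuthn credential as synced or device-bound from its authenticator data,
then apply a relying-party policy for high-assurance accounts (added example, not Gluu code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]          # present only when FLAG_AT is set
    credential_id: Optional[bytes]   # present only when FLAG_AT is set

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backup_state(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse rpIdHash, flags, signCount and (if present) aaguid + credentialId.
    The COSE public key and extensions that may follow are left to a CBOR decoder."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]
        cred_len = struct.unpack(">H", data[53:55])[0]
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credentialId truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def classify(ad: AuthData) -> str:
    """BE set means the provider may copy the private key elsewhere: a synced passkey."""
    return "synced" if ad.backup_eligible else "device-bound"


def evaluate_policy(ad: AuthData, high_assurance: bool) -> Tuple[bool, str]:
    """Hypothetical RP policy: UP and UV always; no synced passkeys on high-assurance accounts."""
    if not ad.flags & FLAG_UP:
        return False, "user presence not asserted"
    if not ad.flags & FLAG_UV:
        return False, "user verification required"
    if ad.backup_state and not ad.backup_eligible:
        return False, "invalid flags: BS set without BE"   # spec forbids this combination
    if high_assurance and ad.backup_eligible:
        return False, "synced passkey rejected; register a device-bound credential"
    return True, "ok"


def counter_suggests_clone(ad: AuthData, stored_count: int) -> bool:
    """Device-bound authenticators usually increment signCount; a non-zero counter that
    fails to advance past the stored value indicates a possible cloned key (spec step)."""
    return ad.sign_count != 0 and ad.sign_count <= stored_count


def build_auth_data(flags: int, sign_count: int = 0,
                    aaguid: bytes = b"\x00" * 16, credential_id: bytes = b"") -> bytes:
    """Constructed sample input for this example (rpId 'example.com'); the COSE key that a
    real registration appends after credentialId is omitted because parse_ ignores it."""
    out = hashlib.sha256(b"example.com").digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id
    return out


if __name__ == "__main__":
    synced = parse_authenticator_data(build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS))
    bound = parse_authenticator_data(build_auth_data(FLAG_UP | FLAG_UV | FLAG_AT, 7,
                                                     b"\x11" * 16, b"\xaa" * 20))
    for name, ad in (("synced", synced), ("bound", bound)):
        print(name, classify(ad), evaluate_policy(ad, high_assurance=True))
```

The BE bit is what the talk calls the provenance problem: once it is set, the relying party knows only that the private key lives in some provider account, not which device is signing. Treat a BE=1 registration on a high-assurance account as a policy decision to make at enrolment, not something to discover later when a revocation has to be scoped to one device.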

Livestream Audio Archive

Will be Here