We’ve recently added PassKey support to DuoCMS 8. As this is a relatively new technology we thought we’d take the time to explain what they are and what problems they solve.
One of the biggest problems of the modern web is the humble password.
They’re difficult to remember, so we tend to use the same or similar ones for many of our accounts
We tend to use easy to remember, and often easy to guess passwords
Websites often don’t store them securely so they’re often leaked
These leaked password then get sold to hackers who know some of you will have used them elsewhere, leading to further hacks.
Currently the best practices around passwords are to use a different, cryptographically secure passwords for each site you sign up for. The only way to do this practically is to use a password manager, but this is often complicated to setup and doesn’t always work well if you can’t easily access it (eg using someone else’s computer).
To help iron over the fact that passwords are inherently insecure, 2 Factor Authentication is now often seen as a necessity. There are three fundamental forms of authentication those are
Something You Are
Something You Have
Something You Know
So when you go to the cash machine, that is 2 factor, because you have2 a card and know3 a pin. When you login to a website there needs to be a second factor. So its not uncommon for the website to text you a code. So in addition to knowing3 the password, you have to have2 a phone, This is fine until you don’t receive the text message for 5 minutes because your signal is bad, or their server is busy.
For the real tech geeks we also have Google and Microsoft’s authentication apps. These generate a one time code every minute. This is asked for during logins. Both the website and app share a cryptographically secure seed which are used to generate a short code based on the current time. Again this is something you have. However the setup process involves downloading an app, scanning a QR code and typing a code into an input. Then having to type codes in with every login. Not earth shatteringly difficult, but complex, and not really very user friendly.
PassKeys solve several problems
No passwords or secrets are stored on the server - so hackers have nothing they can use
You don’t have a password and no secret information gets sent to the server
They are 2 factor by default because they’re linked to your devices and require local authentication to access them
The actual practice of logging in with a passkey varies between devices. But the fundamentals are pretty much the same. What is ultimately happing is the website asks your device if you are the same person who signed up for the online account. If it says you are, it lets you in.
Its up to your device how it determines your identity, it may use a fingerprint scanner, camera or even a local account password. But the important thing to note is it never sends any of this information to the website is just uses it to confirm its you. Then it tells the website.
The above description doesn’t sound awfully secure. But the key to this is how the account is first setup.
When setting up an account (or adding a passkey to an existing account), your device will generate a pair of keys. These are public and private keys. This method of cryptography is used extensively within the internet so is in itself not a new technology. The private key is kept on your device, or possibly shared between your devices, but I’ll get to that in a minute. Your device secures this private key using your face, fingerprint or local password. The public keys aren’t really keys at all. They’re more like a blueprint for a padlock. These public keys tell the server how to lock something up, but not how to unlock it.
So the login goes something like this
You click the login button
Your web browser asks your device to authenticate
Your device asks for face, fingerprint or local password to unlock your keys for this specific website
It then sends id of your key to the server
The server looks up your previously saved public key, creates a onetime secret and encodes it with your key, then sends the result to your computer
Your computer uses your secret private key to decrypt the servers secret and sends it back
Because you’re the only person in the universe with access to this private key, who can decrypt the secret the server knows its you, and logs you in.
The videos below shows the login into DuoCMS8 admin system.
I simply click on the key icon, then use Fade ID on the phone, or press touch id button on my laptop. Both my laptop, desktop computer and phone all share the same pass key as I use iCloud keychain to sync the PassKeys between devices.
Login on Desktop Chrome on Mac OS
Login on iPhone
At the moment the level of implementation on different platforms vary. For people embedded in Apples eco-system, using iPhones and mac’s the future is already here. Safari on Mac has had passkey support for a while, but Chrome only started supporting iCloud keychain in October. Until then you could only save PassKeys locally on a single device. Now you can pretty much have a seamless experience.
Windows has also launched passkey support, but only on the latest version of windows, the snappily titled “Windows 11 23H2”. Microsoft Edge on earlier versions of windows and on Mac only have local passkey support at the moment.
As with any technology needing support from the operating systems and co-operation between the major players, it’ll take a while to settle. However as its more secure, its certainly a good time to start offering this as an option. As the usage grows we can start looking to phase out passwords all together.
View a full list of supported systems here.
DuoCMS8 version 8.1.5 and above now has support for PassKeys, enabling any website editor the ability to setup and manage their own PassKeys to login without passwords.
We also have the ability the embed this new option into products we develop for our clients. Perhaps 2024 will be the year PassKeys become the mainstream way to login.
This site uses cookies that enable us to make improvements, provide relevant content, and for analytics purposes. For more details, see our Cookie Policy. By clicking Accept, you consent to our use of cookies by us and third party code embedded within this site. To change your consent, click the "Update Cookie Consent" link at the bottom of the webpage at any time.