Biometrics and Passkeys: The end of passwords?

You might have heard of the recent buzz caused by Apple’s “passkeys”, Apple’s new implementation of the WebAuthn standard using biometrics, and how this is the beginning of the end for passwords. You might have read a few articles like this one from TechCrunch or this one from Wired telling you that Apple is finally killing off passwords. Even the Wall Street Journal is getting in on the action.

So, is this really the end for passwords?

ʕ·ᴥ·ʔ: I sure hope so!

No. No, it isn’t.

ʕ ಠ ᴥಠ ʔ: You’re as straight-to-the-point as ever, I see.

Even Apple’s passkeys themselves aren’t passwordless; they still need you to use your Apple ID password when you sign in on a new device or need to recover access when you’ve been locked out. Just read it; they provide a very short and concise article for normal people to read about Apple passkey security. They explicitly say that their passkeys still rely to some extent on passwords. That’s not really “killing the password”, now, is it?

ʕ⚆ᴥ⚆ʔ: Hmmm, I guess I can’t really argue with that…

But let’s move away from talking about Apple’s implementation of passkeys and go to the more general topic of biometric authentication. Even if you don’t believe that Apple passkeys are going to kill passwords, biometric authentication is still taking the world by storm. According to Cisco, 81% of all smartphones now have biometrics enabled. Even the cheapest smartphones, like the Samsung Galaxy A03, support some kind of biometric authentication method. And although Apple passkeys rely on passwords, they don’t need to rely on them. Apple could easily get rid of passwords in all forms if they wished to.

ʕ·ᴥ·ʔ: Hm, so why don’t they?

Biometrics aren’t secret (duh), but how not-secret are they?

Let’s start with the obvious: biometrics aren’t secret. Currently, there are two mainstream biometric features used in authentication: facial recognition and fingerprint scanning. Neither your face nor your fingerprints are secret. Unless you’re wearing a mask and gloves all the time, your face and your fingerprints are everywhere: your face is on social media, security cameras, and the government IDs you show to others; and your fingerprints are on every glass, table, phone, computer, ATM, and door knob you touch, and probably in a few government databases too.

You might think that, while getting a picture of your face is easy, getting a print of your fingerprints isn’t so easy. I used to think that too, until hackers showed that people’s fingerprints can be cloned out of photos. So not only are your face and fingerprints not secret, but they’re also very easy to get. A high-definition photo of you is enough to know exactly how your face looks and how your fingerprints look.

Other, more niche, biometric features aren’t that hard to capture either. Your iris and retina can be cloned from photos just like your face and fingerprints. Your voice can now easily be deep-faked with a short recording of you talking. Even your unique vein patterns underneath your skin can be cloned out of – you guessed it – photos too!

ʕ   • ᴥ •   ʔ: The heck!

Something you are, a secret it is not. This means that using our biometric features as authentication factors is pathetic security against bad guys with even a little bit of determination.

ʕ   • ᴥ • ,’ʔ

But before you go about panicking and disabling all your biometric authentication methods, know that modern biometric authentication doesn’t actually rely on information about your biometric features alone to authenticate you.

ʕ·ᴥ·ʔ: Oh, uh, of course. I definitely wasn’t panicking and planning to do that. Pffft!

What the heck’s a “liveness check”?

Modern biometric authentication methods employ what’s called a “liveness check” to make sure that whatever biometric feature is being checked is the real thing and not some clone or copy or spoof. What that means is: making sure the biometric feature being checked really is you, and not some photo or 3D printout.

For example, Apple’s Face ID, which uses facial recognition to authenticate you, does much more than just take a picture of your face. First, it creates a 3D model of your face using thousands of invisible infrared dots. Second, it makes sure that when you’re trying to authenticate, your eyes are looking at the phone, blinking, moving like a real human, etc. – making sure that you’re a real person with your face, not just some lifeless mask or 3D printout. Apple could probably improve this further by using an infrared camera to scan the blood vessels of your face and eyes, making sure that (1) the pattern of the blood vessels really is yours and not someone else’s, and (2) seeing if blood is actually coursing through those vessels like a real, live person.

That is a liveness check. It’s making sure that the biometric feature being checked really belongs to a real, live human, not some mask or printout or photo, etc.

In the fingerprint scanning realm, there are two mainstream technologies that perform liveness checks: capacitive sensors and ultrasonic sensors.

Apple’s Touch ID popularized capacitive sensors, which use tiny electric switches to scan your fingerprint. Since your body, including your fingers, naturally generates a tiny electrical charge, these switches turn on and off based on the ridges of your fingerprint when you touch the sensor, creating a model of your fingerprint. It’s pretty cool, and it is this property of requiring a tiny electrical charge to be conducted through your fingerprint, like a real finger, that makes it a pretty good liveness check.

Samsung’s Ultrasonic Unlock introduced the first ultrasonic fingerprint sensors in smartphones, which work the same way pregnant mothers use ultrasound to see images of their babies in the womb: a high-frequency sound is emitted onto your fingerprint, and some of that sound is reflected back onto the sensor. The reflection allows the sensor to create a 3D model of your fingerprint. Again, pretty cool, and this liveness check makes sure that the thing being put on the sensor really is in the shape of a real finger.

ʕ º ᴥ ºʔ: Wow! Hackers can’t possibly have been able to fool these things!

But of course they have.

ʕ·ᴥ·ʔ: Well, can’t blame a bear for hoping.

The iPhone 5S’ capacitive fingerprint sensor has been fooled by a simple printout of a fingerprint on paper using electrically conductive ink. The Samsung Galaxy S10’s ultrasonic fingerprint sensor has been fooled by a 3D printout of a finger. Meanwhile, Apple’s Face ID has been fooled by a high definition 3D-printed mask. And while fooling Apple’s Face ID with a 3D-printed mask seems like a pretty high bar, that was in 2017. It’s 2022 now, and Apple has made Face ID more convenient but less secure by allowing it to work while you’re wearing glasses and a face mask. Keep in mind that security researchers at Black Hat showed that Face ID will be perfectly happy to unlock for a face wearing glasses with tape covering up the eyes. This means that, today, fooling Apple’s Face ID is probably easier than needing to create a high definition 3D mask, but I’m not gonna’ buy an iPhone 12 or newer to test that out.

The secret storage problem

ʕ·ᴥ·ʔ: Even with all these shortcomings, biometrics are still better than passwords, right? I mean, they’re fast and easy to use; their liveness checks are tougher to crack than weak or reused passwords; and, most important of all, I can use the same biometrics wherever I want! Woo-hoo!

Are you sure about that last part?

ʕ´•ᴥ•`ʔ: Huh? Of course I’m sure. If I use my paw print to unlock my phone, why can’t I use the same paw print to unlock my Gmail account?

Well, how will Gmail know when you’re trying to log in via your paw print that the bear sending them information about your paw print really is you? What’s stopping, say, me from cloning your paw print off this honey jar and sending Gmail the exact same data about your paw print so I can log in as you?

ʕ·ᴥ·ʔ: Oh, riiight. We talked about this earlier: modern biometric authentication doesn’t use information about my biometric features alone. Otherwise, anybody who has my paw print, including you, could easily pretend to be me.

That’s right. Your biometric feature, in this case your paw print, should only be used locally on a trusted device that implements liveness checks to make sure that you’re you, and not some impostor.

ʕ·ᴥ·ʔ: So I can’t use biometrics to log in remotely, like to a website like Gmail?

Actually, you can. You just have to send the remote service some other data that’s actually secret. And this is what Apple’s passkeys and the WebAuthn standard provide.

You might have read my article from last year that talks about zero-knowledge proofs. If you haven’t, all you really need to know is how asymmetric cryptography works. See, Apple’s passkeys are actually pairs of public and private encryption keys. When you register to use Apple passkeys with, say, Gmail on your iPhone, then your iPhone will create a public encryption key that gets sent to Gmail, and a private encryption key that stays only on your iPhone and never leaves your iPhone. Then, when you want to log in to your Gmail account on your iPhone, your iPhone will authenticate you to Gmail like this:

  1. First, your iPhone will try to see if you’re really you with a biometric authentication method like Face ID or Touch ID.
  2. If biometric authentication with all the liveness checks succeeds, your iPhone will then use the private key stored in itself to encrypt a message which will be sent to Gmail.
  3. Once Gmail receives the encrypted message, Gmail will try to use your public key to decrypt the message.
  4. If decryption succeeds, then Gmail will know that the login request really came from your iPhone, and Gmail trusts that your iPhone already did the work of verifying that you’re you via your biometrics.

With a system like this, you’ll be authenticating yourself to Gmail with a super-strong, super-secret private encryption key, but you’ll be using your biometrics to have your iPhone in turn use that private key. It’s kind of like having a really long and strong password that you don’t have to type out or remember. On top of that, even if Gmail were to get hacked, and your public key leaked in a data breach, it wouldn’t matter because your public key is, well, supposed to be public. As long as your private key is kept secret, your logins are secure.
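The registration and login flow just described, written out as an added example; this is not code from the article, from Apple, or from any WebAuthn library. In real WebAuthn the phone signs a random challenge issued by the server and the server checks that signature with the stored public key, which is what the encrypt/decrypt description above boils down to; the code below models exactly that with Ed25519 from Go’s standard library, with a `liveness` callback standing in for Face ID or Touch ID, and `gmail` and `phone` as placeholder names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Relying party ("Gmail"): holds only the public key and one outstanding challenge.
type Server struct {
	pub       ed25519.PublicKey
	challenge []byte
}

// Signer models the phone: a closure holding the private key, which never leaves it.
type Signer func(challenge []byte) ([]byte, error)

// Register: the device creates the pair, sends only the public half, and keeps the private half behind a liveness check.
func Register(s *Server, liveness func() bool) Signer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.pub = pub
	return func(challenge []byte) ([]byte, error) {
		if !liveness() {
			return nil, errors.New("biometric/liveness check failed")
		}
		return ed25519.Sign(priv, challenge), nil
	}
}

// Challenge: a fresh random nonce, so a captured response cannot be replayed.
func (s *Server) Challenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge)
	return s.challenge
}

// Verify: proves possession of the private key; the challenge is consumed so the response can't be replayed.
func (s *Server) Verify(sig []byte) bool {
	c := s.challenge
	s.challenge = nil
	return c != nil && ed25519.Verify(s.pub, c, sig)
}

func main() {
	var gmail Server
	phone := Register(&gmail, func() bool { return true })
	sig, _ := phone(gmail.Challenge())
	fmt.Println("login ok:", gmail.Verify(sig)) // prints "login ok: true"
}
```

Note that a copy of `gmail` (the server state) contains nothing an impostor could use: without the private key held by `phone`, no valid response to a fresh challenge can be produced.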

ʕ º ᴥ ºʔ: Wow! That’s awesome! And by awesome, I mean convenient! Give it to me! Gimme’ them passkeys! Let’s kill passwords once and for all! Yeeaaah!

Yeah, that ain’t happening.

ʕ ಠ ᴥಠ ʔ: … And why not? I mean, I get that Apple’s current implementation of passkeys still uses passwords as fallback, but why can’t we just stop using passwords altogether?

Well, it’s for the same reason that Apple passkeys still use passwords as fallback: what do you fall back on if not passwords?

Something you can forget, but can’t lose, and is free

The trouble with having a private encryption key that’s stored nowhere else but your phone is that, if (or more likely, when) you lose or damage your phone, you lose the key. Then how do you log in to your Gmail account?

ʕ·ᴥ·ʔ: Oh. Well, a password.

Right.

ʕ·ᴥ·ʔฅ: Then maybe I should get a second phone and register a passkey to my Gmail account in that, and use that second phone as my fallback.

And do that for every single website that you have accounts on, not just Gmail?

ʕ·ᴥ·ʔ: Hm, well, alright, that is kind of a pain.

It is, not to mention that you’d have to buy another phone just to not use it on a regular basis. And it’ll be ageing all the while, eventually becoming obsolete.

ʕ·ᴥ·ʔ: How about a smaller, simpler, cheaper device, like a YubiKey? You did talk about how YubiKeys work in one of your earliest articles, and they work almost identically to Apple passkeys.

Now, that is a compelling idea: use your phone as your main authentication device, with all the biometrics, liveness checks, and asymmetric cryptography that WebAuthn provides, and then use a dedicated biometrics-enabled authentication device like the YubiKey Bio Series as a fallback in case you inevitably lose or damage your phone! If you’re willing to do this on both your phone and something like a YubiKey for every website that you have accounts on, it’s a great setup!

ฅ^•ᴥ•^ฅ: I’m a genius! Passwordless future, here I come!

That’ll be at least $80 for the YubiKey Bio.

ʕ´•ᴥ•`ʔ: Oh? That much, huh? For, uh, a fallback authentication device?

Yep.

ʕ·ᴥ·ʔ: I, uh, I’m just a simple bear with no money. I think I’ll stick with passwords as fallback, thanks.

And maybe that’s the real reason why passwords will never die.

ʕ·ᴥ·ʔ: I’m gonna’ go back up my password manager’s database now.

I’m back!

ʕ·ᴥ·ʔ: You’re alive!

I’ve been busy.

ʕ⚆ᴥ⚆ʔ: For almost a year?!

Hey, what can I say? I’m not just a simple bear with no money. Still, I don’t want to go on that long without posting something up here every now and then, so I’m thinking of adding a new category of posts to the website. These articles take me a long time to research, think through, and write out, so I’m thinking this new category of posts will be for shorter tips and how-to’s.

Since this latest article shows why passwords are still here to stay, I think the first post in this new category will be a short and creative guide to long and strong passwords. To subscribers of both my mailing list and RSS feed, you’ll be notified of these shorter posts as well. But don’t worry, there won’t be that many of these either.