top of page
Search

Use Passkeys With Secret Chest

Passkeys are essentially the answer to the next generation of passwords. They provide a more secure and convenient way to log in to websites and apps than the traditional username and password combination. Instead of typing in a password every time a site is accessed, users unlock a phone or laptop with a fingerprint or face ID.


Users are prompted to create a passkey the first time they visit a site that supports passkeys. Or there's a flow where when logging in, the site asks to create a passkey in addition to the login (that's the more common way passkeys manifest themselves in the wild). This usually involves using a device's built-in biometric authentication, which we call TouchID or FaceID in the Apple universe. The passkey is then created and securely stored on the device, not on the website or app itself. This makes it much harder for hackers to steal the login credentials, even if they manage to breach the website. Once created, to log in to the website or app again, the user is then prompted to use the device's biometric authentication. If it's a phone, that might be as simple as unlocking it. If it's a computer, the user might need to have your phone nearby and confirm the login on your phone.


Passkeys are then much more secure than passwords because they are not stored on the websites or apps themselves. Users also don't have to remember or type in complex passwords anymore. Passkeys are also resistant to phishing attacks, as they cannot be tricked into revealing login credentials by sites masquerading to the be one a user is intending to log into. .


Passkeys are great, but they are still a relatively new technology. This means that not all websites and apps support them yet. They also require a device that supports biometrics. Most sites also have a username and password as well as a passkey. For example, one of the better implementations of passkeys is the one Google developed. There's still a username and password combination for Google, as well as potentially a number of passkeys. There are also a number of organizations who haven't approved their use. Until recently iCloud Keychain wasn't available for Managed Apple IDs (MAIDs), and so corporate Apple environments couldn't use them. Now that they can, there are a number of behaviros that still need to be worked out. For example, when using a passkey on a Macbook in clamshell mode, the fingerprint check is not required, so the device logs into sites without prompting the user.


Secret Chest supports passkeys. We also help to ameliorate issues in corporate and high security environments by requiring a second factor for use on sites that leverage passkeys. To make sure the Secret Chest extension is loaded to support passkey use, open System Settings and search for passkeys. Click or tap on the entry for Passwords.



At the passwords System Settings pane, click or tap on Password Options.


At the Password Options screen, verify that SecretChest is enabled in the "Use passwords and passkeys from" field. Now go to login on a website that supports passkeys. For example, ebay.com.

Every site currently has a bit of a different flow. For example, Best Buy will have users log in and then go to manage their accounts to create a passkey. Others may prompt users proactively instead. If they don't, that's basically just tech debt, as no developer probably wants user secrets that are reversible in their database. Once the passkey flow is complete, log out and then back into the site and the passkey prompt should automagically enumerate which autofill has the passkey, if any.


Note: Because Keychain cannot be disabled, it's possible to have a passkey for a given site in both Secret Chest and Keychain. It's also possible to have a username and password combination for each. The duplicates can be deleted, but most wouldn't think to do so. Also, keep in mind that passkeys are shareable. So it's possible to store a passkey in Secret Chest and then share it fully or in a multi-peer context. If a passkey is available then it will be used before a username and password dialog is presented, when possible.


For a list of sites that support passkeys, see https://passkeys.directory. To read more on them, see https://www.passkeys.io. Or for developers looking to add support to sites and apps, check out https://developer.apple.com/passkeys/.


it's worth mentioning that Secret Chest doesn't yet allow login to our app or site with a passkey. If we are the passkey store, then it seems odd that we would. We are currently working on ways to improve that experience. It's easy, but we haven't found a system we consider cryptographically sound, like other WebAuthn flows above and beyond the subset that passkeys use. For what it's worth, passkeys are a part of the WebAuthn spec, short for Web Authentication. That was initially developed to allow for the authenticator to be a physical security key (like a YubiKey), but has been updated to allow for a device's built-in biometric authentication (fingerprint or face ID), or even a software authenticator on a phone. The full WebAuthn spec offers a broader set of APIs, that enables various types of authenticators, while the subset of WebAuthn options for passkeys are specifically focused on using built-in biometrics on personal devices.


17 views0 comments

Recent Posts

See All

Comments


bottom of page