Passkeys are designed to replace the system of usernames and passwords and to better secure online accounts. Parties like Apple and Google are using this new technology to "lock" people into their ecosystems. "This closed approach reduces the value of Passkeys to everyone, reducing the likelihood that they will be widely accepted. That is precisely crucial if they are ever to replace passwords." So writes Son Nguyen, Product Manager at Proton and founder and CEO of SimpleLogin.
Passkeys are a relatively new security method for logging into applications and Web sites. They are based on the security standard WebAuthn, which stands for Web Authentication. This allows providers of social media, payment services or online services to build strong authentication into their services by using customers' registered devices, such as a smartphone or laptop.
Passkeys work according to the principles of asymmetric cryptography. That means there are two keys: a public key and a private key. Only with this pair of keys is it possible to log in to an online service. The public key is stored with the app or website. To log in there, you must prove that you possess the private key that belongs to that public key. The private key is stored on your cell phone, tablet or computer.
Passkeys work as follows. First, you create a Passkey for the account where you want to use it, such as your Facebook profile. Through Facebook's website or app a key pair is generated: the public key is sent to Facebook, while the private key stays on your device, protected by a PIN, fingerprint, facial profile, unlock pattern or password. To log in, your device submits a request and proves that it holds the private key matching the public key known to the platform. If that proof checks out, your request to log in is approved.
In our background article "FIDO: can you log in securely without a password?" we discuss this security method in detail.
Passkeys were conceived to replace passwords and allow Internet users to sign in to websites and apps "faster, easier and more securely." The availability of Passkeys has not resulted in these ideals being realized, according to Son Nguyen.
He cites Apple and Google as examples. Nguyen accuses the companies of using Passkeys to lock users into their "walled gardens." "This closed approach reduces the value of Passkeys for everyone, which reduces the likelihood that they will be widely accepted," the Product Manager at VPN provider Proton said.
Apple was the first major tech company to support Passkeys in 2022. "However, Apple has mainly focused on optimizing Passkeys to work only with its own products rather than making it an interoperable, easy-to-use feature," Nguyen stated. For example, if you create a Passkey on an iPhone, it syncs with all your Apple products. However, it is "incredibly difficult" to use this Passkey on a Windows or Android device because there is no automatic synchronization. "This has unfortunately set a precedent that has followed every major rollout of Passkeys," Nguyen said.
With Google, unfortunately, it is no different. If you use Chrome on a Mac computer, the Web browser uses the Apple Keychain feature to store and manage passwords. That means you can't sync passwords with your Chrome profile on other devices. "And if you find Chrome a fine Web browser but prefer to use a third-party password manager to store Passkeys, Google will force you to opt out of Google Password Manager via a lengthy process," Nguyen wrote.
He goes on to say, "Both Apple and Google prevent users from being able to export their passwords. That means you have to create them all over again if you want to switch to another password manager. Both companies also use closed-source Passkey implementations, making it harder for independent experts to verify their security."
Nguyen's conclusion is that Apple and Google are forcing customers to continue using their ecosystem if they work with Passkeys. This effectively amounts to the tech companies further reinforcing vendor lock-in. "This severely limits their potential and sacrifices their utility just so Big Tech can add a moat to its walled garden."
"At Proton, we believe that online privacy and security should be accessible to everyone. If we want a better Internet for all, everyone should be able to take advantage of the latest developments in security," Nguyen ends his blog.