The Authenticate conference, an annual event organized by the FIDO Alliance, is the industry’s premier gathering dedicated to all facets of authentication, including the highly secure FIDO (Fast Identity Online) sign-ins. The FIDO Alliance, an open industry standards association, aims to reduce global dependence on passwords.
This year’s Authenticate 2024 conference featured over 75 sessions across three days, covering topics related to passkeys for consumers, enterprises, governments, user experiences, and more. FIDO estimates that 15 billion accounts are now able to utilize passkeys for sign-in, despite the technology being just two years old.¹ During the conference, the FIDO Alliance unveiled passkeycentral.org, a new resource designed to facilitate and expedite the adoption of passkeys through comprehensive guidance, documentation, videos, and additional support materials.
Synced vs Device-Bound Session Credentials
In today’s world, where traditional passwords have become increasingly susceptible to attackers, the concept of sync versus device-bound passkeys has intrigued many. First, let’s define each one to illustrate their significance, differences, and applications.
A passkey is a cryptographic key used for authentication. Unlike traditional passwords, passkeys are resistant to phishing, significantly enhancing security. A passkey allows users to sign into websites or apps in the same manner they unlock their devices, using biometrics, facial recognition, or a PIN. Major global companies like Amazon, Google, and CVS Health now enable users to log in with passkeys instead of passwords.²
A synced passkey can be used across multiple devices through various password managers such as Google Password Manager and Apple Passkeys. This capability allows users to authenticate on new devices without needing to register unique credentials each time. Synced passkeys offer convenience across multiple devices and can be restored from a cloud account if a user loses one of their devices. While this offers a great user experience, synced passkeys are less secure compared to device-bound passkeys.
Device-bound session credentials (DBSC) passkeys generate a pair of public and private keys stored securely on the device, providing stronger protection against impersonators attempting to hack a browser session. Since the private key remains on the device, servers will periodically verify its presence using the public key created at the beginning of the session. This allows, for example, a website to validate whether a cookie is being used from a different browser or IP address. Google Chrome and the Microsoft Authenticator App employ device-bound passkeys to enhance security. A disadvantage of device-bound passkeys is that if you lose or replace your device, a new passkey must be created.
In conclusion, both synced and device-bound passkeys offer higher security than traditional passwords, which are less secure, harder to remember, take longer to use for sign-ins, and are more vulnerable to hacking. We will increasingly see the adoption of synced and/or device-bound passkeys in our daily lives, safeguarding our personal information.
Sources:
- FIDO. (2024, October 30). Introduction to Passkeys. Retrieved from Fido Alliance: https://www.passkeycentral.org/introduction-to-passkeys/
- Staff, B. F. (2024, October 30). Authenticate 2024: Day 1 Recap. Retrieved from Authenticate 2024: https://authenticatecon.com/authenticate-2024-day-1-recap/
