Exploring PassKeys: Their Relevance in the Web3 Space

Weiwu Zhang
Smart Token Labs
Published May 2, 2023

There’s been a buzz around PassKeys lately.

People want to know what PassKeys is. They want to understand its relevance to the web3 space, where users use blockchain tokens instead of centralised services.

I have heard PassKeys described as a new authentication standard; it is not. I have heard that it replaces passwords for the first time; it is certainly not the first. Yet neither description is far from the truth. In this article, we'll demystify PassKeys, clarify misconceptions, and examine its potential implications for web3.

First, let’s cover the topic of why PassKeys is not a standard.

PassKeys is a set of technologies based on the FIDO authentication standards and the W3C's WebAuthn Level 3. Although it is not the name of a standard, it is the name unanimously chosen by Microsoft, Google, and Apple to refer to the subset of FIDO/WebAuthn standards that involve a platform authenticator (i.e. themselves).

FIDO/WebAuthn covers a wide range of use-cases and is not written in particularly user-friendly language. When Microsoft, Google, and Apple introduced their own PassKeys implementations, they unanimously chose to focus on the use-cases that depend on their platforms. FIDO itself, an industry alliance encompassing all Internet trust anchors, embraced this commercial term and created a landing page for it. However, no standards body wants to build a standard solely on use-cases that rely on tech giants managing and syncing users' keys. In a tongue-in-cheek manner, one could say that PassKeys is a "sub-standard" technology: a solution built on a subset of standards in which these trust anchors are assumed to be the authenticators, rather than the name of any real standard.

Second, let’s talk about how PassKeys is not the first technology capable of replacing passwords. According to a FIDO whitepaper, PassKeys will, for the first time, replace passwords as the dominant form of authentication on the Internet.

Even if PassKeys does replace passwords, it would not be the first attempt to do so. Nevertheless, this popular description is not too far from the truth.

Advanced users of Microsoft ID and Microsoft's GitHub have likely realised that they can turn off password-based authentication and rely solely on a YubiKey or another FIDO-compatible security device to log in. In that sense, the technology to replace passwords already exists.

If you are not the kind of geek who would go through the trouble of upgrading the security of your Microsoft or GitHub account, you may instead have experienced password-less authentication as a customer of Fidelity Investments or HSBC. Both institutions offer their customers password-less authentication through a hardware device as part of their standard offering.

However, all of these examples depend on security hardware rather than on the user's browser alone.

As I wrote in an article two years ago, the web industry has made assiduous attempts to replace password-based authentication with public key infrastructure. This started with <keygen> in the 2008 era, continued with SubtleCrypto as part of the W3C's WebCrypto API (widely supported by all major browsers today, but little used), and then came the 2020 attempt with the Web Authentication API. Then, last year (i.e., in 2022), we got PassKeys.

All of the aforesaid technologies use public key infrastructure and demand that user agents have a secure way to manage keys, instead of requiring hardware (as FIDO previously did). Further, encouraging the world at large to move away from passwords is a monumental task. So much so that none of the initiatives I just referred to were successful, and as such, you have likely never heard of any of them. I couldn't give you examples of their successful use as I did with the GitHub/HSBC examples above. The only successful use of these technologies is, to my knowledge, our own attestation tech used for the DevCon ticket attestation in Bogotá, Colombia.

But there is some hope that this time we will indeed progress beyond passwords once and for all. At the time of its release, PassKeys is the set of technologies closest to achieving that objective… although the same could be said about every other attempt at the time of its release.

Previous attempts to replace passwords had improved upon the attempts before them. For example, SubtleCrypto API removed the key extraction feature from <keygen> (which is generally considered an improvement — in the crypto world, removing a feature sometimes counts as such). Password-less technology has never been as refined as it is today, but that is not the major reason why this time, it might bear fruit.

The reason password-less technology may work this time is that PassKeys has gathered support from all the trust anchors (the web2 centralisation points): Microsoft, Google, and Apple. Two things work in favour of their agenda.

First: Microsoft, Google, and Apple are already trust anchors, so they may as well solidify that position.

In the 2010s, these web2 centralisation points fully transitioned from technology providers (i.e., web1) to web service platforms (i.e., web2). Now, in the 2020s, they have transformed further to function as trust anchors. Most websites are now quite happy to recognise a user if Google has authenticated them; therefore, most websites will not have a problem recognising a user if Google manages their synchronised key (i.e., a key synchronised across all Google devices for the same user account). The same goes for Apple. This is essentially what PassKeys is.

People no longer consider Google an operating system provider like Red Hat Linux. They regard Google as a provider of trust and a custodian of customer identity. It is only a small step further to recognise them as trusted managers of their users' keys, which is the ultimate level of trust. It allows Google accounts to carry the authenticator for banks, which wasn't possible before PassKeys. This is the last form of trust Google hasn't yet gained in the web2 space.

Communities and standards groups used to be wary of Internet centres becoming trust anchors, fearing it might lead us to a 'bad place' where these companies control too much of our digital lives. However, we are already in such a 'bad place', and this reality has been acknowledged by the standards defining the term "platform authenticators" and assuming their ubiquitous existence. Their implementation details are largely omitted from the standard text. Instead, the focus is on the authentication framework, assuming the existence of such platform authenticators.

Second: it provides Microsoft, Google, and Apple with a new, stronger barrier protecting their positions.

The other thing working in the trust anchors' favour is that password-lessness, as a technological progression, is exactly what they need to prevent new tech companies from becoming trust anchors, so they will push hard for it.

According to Bill Gates himself, when he sat atop the throne of the world’s richest people, it wasn’t established giants like AOL or Intel that kept him awake at night. Instead, he proclaimed with a mix of arrogance and wariness that his real concern was “two guys in a garage in Silicon Valley.” These seemingly insignificant players had the potential to dethrone the wealthiest of the wealthy, just as Gates himself had done when he toppled the once invincible IBM.

Unfortunately, I doubt that this still holds true.

The new centres of the Internet will not only be the prevailing providers of technology, as Microsoft was after it conquered IBM. They will also serve as trust anchors managing users' authentication keys. If a prodigal child starts a business in their parents' garage and creates a new operating system that rivals iOS, Android, or Windows, they will find that there is enough room for operating-system competition, but insufficient room for new web trust anchors. And since the two roles have merged à la PassKeys, they will not be able to achieve the same level of success as those before them, even if the technology at their disposal is better than what came before.

Now, what does any of this have to do with web3?

Ideally, web3 not only replaces trust anchors like Microsoft, Google, and Apple, but also replaces the services they provide with tokens. For example, a user might have a token representing their smart car, which functions like the car key in Apple Wallet yet does not depend on Apple. It can be easily integrated into new services, such as car rental markets. This is possible thanks to smart contracts and token scripting technologies. However, this is only useful if users can securely manage the keys for their tokens.

Now that there is a key management technology supported by the web centres, ordinary users can seemingly safeguard their keys, use their tokens, and enable web3.

But the devil lies in the details. PassKeys, as built on FIDO/WebAuthn Level 3, enforces anti-phishing checks: a credential is bound to the website (the relying party) it was registered for, and it can only be used on that website. Though this is not a problem for the web2 ecosystem, it presents a challenge for its use as key-holding technology for web3 tokens. Web3 tokens are based on token keys, which need not be tied to any website. For example, if you have a smart car token, its keys may be linked to the car manufacturer Tesla (Tesla need not manage the key, but the key is identified as the one to be used for Tesla car tokens). If the user enters a car rental website where the car token can be used (for instance, to generate a time-limited key for the car rental website), this triggers the anti-phishing check in PassKeys, because the key's identifier does not match the website at which it is being used.

To be fair, even without such anti-phishing protection, it would be a bad idea to use a Tesla car's smart token key directly on the car rental website. Trust doesn't pass forward: just because a user trusts Tesla, it doesn't mean they trust the markets that utilise Tesla cars.

Ultimately, you need a token scripting framework like TokenScript. It should be implemented at a level as close to the user's mobile phone as possible, not as part of the website. It generates the transactions the websites need from the tokens, and it creates a firewall between the website and the token.

The website should be satisfied with cryptographic proof that the user owns the token. Often, this does not require additional proof from a user-identifying key such as the one a PassKey defines. However, this is outside the scope of PassKeys technology. As a result, I am not entirely confident that Microsoft, Google, and Apple will embrace the token use-cases and tweak their technology for smart tokens.

My thoughts

In conclusion, PassKeys represents a significant step forward in authentication technology, built on FIDO/WebAuthn standards and supported by major tech giants like Microsoft, Google, and Apple. However, its current form is not suitable for direct application within the web3 ecosystem, because of the distinct requirements of decentralised trust and token management. For PassKeys to succeed in the web3 space, these internet centres must proactively embrace token use-cases and adapt their technology accordingly.

On the other hand, if the internet centres aim to undermine web3, their use of PassKeys to address the long-standing authentication problem in a centralised manner, while disregarding the need for tokens, devalues the transition to web3. This approach not only delays the evolutionary process but could also be detrimental to web3, as web3 token-based use-cases could be cornered into depending on less user-friendly Ethereum wallets.

As the future of authentication and key management continues to evolve, the role of PassKeys in this rapidly changing landscape remains to be seen.

In either case, a future in which Internet centres manage most users' keys is a plausible scenario. The only difference is whether Microsoft, Google, and Apple want this to be used for or against web3.

Blockchain expert | Climate-change activist | Horse trainer | Technophile | Polyglot