Proton Adds Passkey Support to Password Manager, Knocks Big Tech

Proton, the maker of an email system known for its strong security, has added passkey support for its password manager while knocking “Big Tech” for trapping their users’ passkeys behind “walled gardens.”

“Even though passkeys were developed by the FIDO Alliance and the World Wide Web Consortium to replace passwords and are meant to provide ‘faster, easier, and more secure sign-ins to websites and apps across a user’s devices,’ their rollout hasn’t lived up to these lofty ideals,” Son Nguyen, founder of SimpleLogin and a developer of Proton Pass, wrote in a blog Monday.

“Instead, the first organizations to offer passkeys, Apple and Google, prioritized using the technology to lock people into their walled gardens rather than provide a secure solution to everyone,” he continued. “This closed approach diminishes the value of passkeys for everyone and makes it less likely that they’ll be universally adopted, which is critical if they’re to ever replace passwords.”

Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla., agreed with Nguyen. “The original and current existing FIDO passkey standard and the way the big vendors, such as Microsoft, Google, and Apple implement it, create walled gardens,” he told TechNewsWorld.

“FIDO is aware of this problem and is currently working on an updated version of passkeys that removes this limitation,” he said.

“Proton isn’t the first company to tackle the problem of passkey platform lock,” he added. “For instance, the 1Password password manager allows you to use passkeys across platforms.”

No Vendor Lock-In

However, the FIDO Alliance disagreed with Proton’s assertions. “Passkeys were never created to be only the domain of Big Tech,” said Executive Director and CEO Andrew Shikiar.

“We’ve always contemplated an open ecosystem around this, which is why you see companies like 1Password, Dashlane, and other credential managers taking part in the FIDO Alliance,” he told TechNewsWorld.

“There’s no vendor lock-in,” he said. “In fact, all these companies are actively working in the FIDO Alliance to look at a new protocol to allow for credential portability. They’re all working on allowing you to migrate passkeys from one cloud to another.”

“Passkeys are designed to be implemented with all types of platforms, apps, and operating systems,” added James E. Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit organization in San Diego devoted to minimizing risk and mitigating the impact of identity compromise and crime.

“That’s exactly what we are seeing now,” he told TechNewsWorld. “To do otherwise would even further delay the adoption of what is an exponentially more secure process.”

Clunky User Experiences

Nguyen maintained that after seeing Big Tech’s rollout of passkeys, several password managers also rushed their release of passkeys, resulting in a clunky user experience.

“Some password managers only support passkeys via their web extension, making it difficult for anyone trying to log in to the same app with a passkey on their mobile phone,” he wrote. “Most password managers that support passkeys only offer them with a paid plan, meaning Google Password Manager and Apple Keychain were the only viable free passkey providers until Proton Pass added them.”

“Big Tech was among the first to begin building solutions for a passwordless world, but a walled-gardens approach limits the adoption potential of passkeys among consumers,” added Anna Pobletts, head of passwordless at 1Password.

“At 1Password,” she told TechNewsWorld, “we’ve taken an interoperable approach so that users can navigate the transition from passwords to passwordless and to ensure they have a choice in how they manage their online identities across platforms and devices — both at work and at home.”

Phishing-Resistant Solution

Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago, noted that traditional password-based systems are plagued by inherent vulnerabilities, including susceptibility to brute-force attacks, phishing, and human-factor weaknesses.

“Passwordless authentication methods that leverage biometrics, multi-factor authentication, and advanced technologies offer a robust defense against these threats,” he told TechNewsWorld.

In contrast to passwords, which typically consist of a combination of characters, numbers, and symbols, passkeys rely on the principles of public-key cryptography, he explained. They utilize a pair of cryptographic keys: a private key securely stored on the user’s device and a public key registered with the service provider.

Behind the scenes, passkeys employ a challenge-response mechanism, he continued.

When a user attempts to access their account, the service provider dispatches a challenge to the user’s device. Subsequently, the device signs the challenge with the private key and transmits the signed response back to the server for validation.

Because the private key never leaves the user’s device and isn’t transmitted over the network, passkeys provide a heightened level of security compared to traditional passwords and are phishing-resistant.

“Passkeys are limited to the device on which they are created unless you create and save the passkey in a password manager,” Guccione said. “Storing passkeys in a secure password manager provides access to your passkeys, no matter what device you’re using or where you’re logging in from, allowing you to use them across different browsers and operating systems.”

“Passkeys eliminate some of the most common social engineering attacks, like phishing or credential stuffing, altogether, as they remove the reward that hackers are after — credentials,” added Pobletts.

Not Supplanting Passwords

Guccione noted that the future of passkeys appears promising but cautiously so and marked by gradual advancement. “The robust backing from tech leaders such as Microsoft, Apple, Google, and Amazon is a step in the right direction,” he said. “Standardization endeavors may play a pivotal role in overcoming interoperability challenges and fostering more widespread adoption.”

“Nonetheless,” he added, “it’s vital to acknowledge that passkeys will not supplant passwords in the near future, if ever.”

“Among the billions of websites in existence, only a fraction of a percent currently offer support for passkeys,” he continued. “This extremely limited adoption can be attributed to various factors, including the level of support from underlying platforms, the need for website adjustments, and the requirement for user-initiated configuration.”

To be a true account security solution, passkeys must become universal, Nguyen added.

“Like many online features, passkeys benefit from a network effect,” he wrote. “The more sites and services that use passkeys, the better and easier a solution they are for users (with the added benefit of making everyone’s data more secure). Unfortunately, Big Tech has treated passkeys as an opportunity to advance their commercial interests rather than as a tool to provide universal security.”

Read the full article here