The passwordless authentication movement gained a major backer this past week, with Apple announcing FIDO2 support through its new Apple Passkeys.
Passkeys are Apple’s replacement for passwords, developed to improve the sign-in user experience and security across websites and apps.
However, it’s important to note that Passkeys aren’t a new standalone solution. Instead, they are built on the FIDO2 standard, the same standard Google has adopted on Android.
So what is FIDO2? Should you integrate Apple Passkeys into your app? Is it better than other authentication solutions?
Let’s talk about it.
Debunking Apple Passkeys: What’s the FIDO2 protocol?
The FIDO2 protocol relies on standard public key cryptography for authentication, and it is the successor to the original FIDO standards created by the FIDO Alliance.
Upon registration, the user’s client device creates a new key pair: a private key that is retained on the device and a public key that is registered with the online service.
To authenticate, the client device has to prove possession of the private key. The user unlocks the private key locally, which on mobile devices is usually done through biometrics or by entering a PIN, and the device then uses the key to sign a challenge issued by the service. The private key itself never leaves the device.
Now, Apple Passkeys is an authentication technology based on FIDO2 and the WebAuthn (Web Authentication) standard, which is part of FIDO2. Passkeys work precisely as described above, with users authorizing the use of the passkey through Touch ID or Face ID.
It’s a huge step toward passwordless, and it’s great to see Apple join Google in the push for better security and user experience. However, just like any other authentication solution, Passkeys and FIDO2 have some weaknesses of their own.
FIDO2 Recovery Issues and Hardware Limitations
One of the biggest issues of FIDO2 is recovery in cases when users lose their devices.
If you lose your device, getting into your accounts becomes all but impossible, much like losing the codes to your third-party two-factor authenticator app.
However, this is also where Apple and Google saw an opportunity: they address this weakness by backing up the keys in the cloud. In that case, if you lose your device, you simply log into your iCloud account and you’re good to go.
However, some questions have to be asked about the general security of the cloud for information as sensitive as this. If someone found a way to break into your cloud account and from there into your Passkeys, your online accounts would be their oyster.
To build on that, it’s important to note that FIDO2 requires a special security chip in the device to operate. Not all devices have that chip at the moment, so many of your users would miss out on the increased security.
By now, you most definitely know about our mobile identity solution, IPification. Let’s see how it compares to FIDO2 and Apple Passkeys.
FIDO vs IPification
To be clear, at no point here will we claim that IPification is better than Apple Passkeys. They are simply different, and both are without a doubt more secure and streamlined than passwords or SMS OTP verification.
Apple Passkeys eliminates the need for passwords through public key cryptography, while IPification relies on mobile network operator infrastructure to verify users via their unique Mobile ID key.
This Mobile ID key is made up of user data that the mobile network operator already possesses, such as the phone number, device data and the mobile IP address. It’s bank-grade security!
More importantly, with 80% of cyber incidents happening due to human error, both of these solutions help prevent it by taking sensitive secrets out of users’ hands, where they could be phished or otherwise stolen.
Both verify users within milliseconds, therefore proving once again that we can have both security and user experience today.
Moreover, both authentication solutions uphold the highest level of data privacy. Your private key never actually leaves the device while your IPification Mobile ID key is never stored on your device and is instead verified from Telco to Merchant through backend integration.
However, this should be taken with a grain of salt: when the cloud is involved, as it is with Passkeys, there are concerns, and cloud key backup is also the one case in which the private key does leave the device.
It should be noted that IPification is overall a more complete solution: a one-stop shop for mobile app security that includes SIM swap detection, device change detection, a know-your-customer solution, and more. On the other hand, FIDO2 won’t work for services that need actual identities to be verified.
But we’d love to hear more about your needs, discuss both solutions with you and make revenue and security projections. Schedule a call today!