Digital Identity

We’ve touched on this topic in a number of ways over the years, but never looked specifically at Identity – our identity and how it is handled, and yes mistreated, in the digital world.

I don’t intend to go over old ground again, but will provide a basis to introduce what will be the main subject of today – Passkeys, which Iain will present. I will do that through referencing previous posts on this website.

We start with the first post I wrote way back in 2015, aptly entitled “Let’s start at the beginning …”. In this I go through the basic steps in creating a strong password and a few other things besides.

Then in 2020 we discussed using Password Managers in the post “Using a Password Manager and implementing Two Factor Authentication”. It again reviews setting a password before moving on to password managers, which have the advantage that your passwords, held in encrypted form in the cloud, can be made available on any machine, anywhere. This post also introduces the idea of Two Factor Authentication (2FA), whereby having logged into a website you’re challenged to use an application (usually held on your smartphone), e.g. Google’s Authenticator or Authy (the one I use), to provide a second credential to the website to confirm you are who you said you are! [I’m afraid the images appear to be missing, but I’ll try and find them!!!]

Earlier this year (in January) I touched on Passkeys in this post, “Prevention and protection from Scams”, which also referenced my main post on the subject – “Keeping safe online” – which I’ve tried to keep up-to-date and will review again in the near future.

And then, in March 2025, I made you aware of the value of having an Apple ID and account, even if you’re not an Apple user, as a means of getting a set of user credentials (an Identity) that you can use instead of supplying your regular email address and creating a password when a website asks for them – often for purchases. Apple is well recognised for its concern for privacy and security and, unlike Microsoft, Google, Facebook or X, is more likely than any of the others not to use your Identity for any purpose other than providing you with a digital identity.

That leads nicely into a bit of history from my working life at Cardiff University that I’ve never shared with you before, and which I’m very pleased to have been part of. Let me paint a picture: you need to go back 20 years. I’ll share a number of scenarios.

First. You’re a student, or a member of staff: you want an email address, you want to access file store, you want to access the growing number of resources available from the internet through the library, or even just manage your library subscription. You need a UserID and Password, or multiple UserIDs and Passwords, to do what you want to do online. Nothing new here – it’s what you experience every time you access a new website! But quite a drudge when you’re all within the same institution.

Solution. The IT department creates a unified Identity system that all departments can use. A single UserID and Password for each user.

However. If the staff member or student (at home on vacation, say) wanted to access their email, file store or whatever from another institution, they usually couldn’t, and the best they could hope for was to apply for a “temporary” or “guest user” account, which would at best provide only limited privileges at the visited institution. Rather frustrating.

Solution. Cardiff University, through the work of a young researcher – Rhys Smith (who’s tragically not with us anymore) – investigated and implemented (with external funding from JISC) a technology which went by the name of Shibboleth, but which more accurately is an implementation of the Security Assertion Markup Language (SAML) architecture, to provide Single Sign On to all resources within an organisation in the first instance …

In information technology, Shibboleth is a community-wide password that enables members of that community to access an online resource without revealing their individual identities. The origin server can vouch for the identity of the individual user without giving the target server any further identifying information. Hence the individual user does not know the password that is actually employed – it is generated internally by the origin server – and so cannot betray it to outsiders.

… but then, by binding other organisations together into Federations, allowed all users of a federated organisation to access the resources they were entitled to use (under their home organisation’s permission policies) from any other institution in the same federation. In the UK this became the UK HE Federation. Nirvana! [Following on from this, in due course individual Federations applied to become members of more universal federated access arrangements, and Microsoft and Google (for instance) implemented federated access using SAML v2.]

But how about WiFi – wasn’t that the solution anyway? Well yes, it was in one sense, but if you wanted to move from one campus to another and use that institution’s WiFi network you still had to apply for a separate UserID and Password. The work Cardiff did was to extend their work with SAML/Shibboleth to provide WiFi Roaming, which meant that you could move between institutions and your home institution would provide the credentials that allowed you to log in on different campuses.

End of history, but a fine exemplar of the implementation of Single Sign On. My role … I led a UK project to encourage and develop good practice in Identity Management within institutions, and then to encourage the institutions to take up Shibboleth and Federated Access Management. For more information on this you can refer to Perplexity (of course!!!)

And so to Passkeys …


Link to the Google video on YouTube about Passkeys.

Finally, a couple of links to hardware implementations of Identity Security …

Claude

Can you detail and describe physical devices used for identity purposes to allow access to systems, i.e. dongles or USB-stick based devices

Physical identity devices for system access come in several forms, each with different security mechanisms and use cases:

Hardware Security Keys

FIDO2/WebAuthn Keys (like YubiKey, Google Titan, SoloKeys)

  • Small USB, NFC, or Bluetooth devices that implement open authentication standards
  • Generate cryptographic signatures to prove identity without transmitting secrets
  • Often feature a physical button that must be pressed to authorize access
  • Resistant to phishing attacks since they’re bound to specific domains
  • Support multiple authentication protocols (FIDO2, U2F, PIV, OATH)

Smart Cards and Tokens

PIV/CAC Cards

  • Credit card-sized devices with embedded chips
  • Common in government and enterprise environments
  • Require PIN entry and card reader
  • Store certificates and cryptographic keys securely

USB Cryptographic Tokens

  • Larger than security keys, often with displays and keypads
  • Can store multiple certificates and keys
  • Some generate time-based one-time passwords (TOTP)
  • Examples include SafeNet eToken, Nitrokey Pro

Biometric Devices

USB Fingerprint Readers

  • Standalone devices that authenticate users via fingerprint
  • Often used with Windows Hello or similar systems
  • Can be integrated into keyboards or mice

Facial Recognition Dongles

  • Less common but emerging technology
  • Small cameras that perform facial authentication

Specialized Security Dongles

Software License Dongles

  • Protect expensive software from piracy
  • Contain encrypted keys that applications check
  • Examples include HASP dongles, Sentinel keys

Cryptocurrency Hardware Wallets

  • Secure devices for managing digital currency private keys
  • Examples include Ledger, Trezor devices
  • Often require physical confirmation for transactions

Technical Characteristics

These devices typically feature:

  • Tamper-resistant hardware that protects stored secrets
  • Secure elements or trusted platform modules (TPMs)
  • Various connectivity options (USB-A, USB-C, NFC, Bluetooth)
  • Battery-free operation (powered by host device)
  • Cross-platform compatibility

The main security advantage is that sensitive cryptographic material never leaves the device, making them highly resistant to remote attacks and credential theft compared to software-only solutions.

… and from ChatGPT.

Prevention and protection from Scams

And so we turn to passwords and online security. I’ve dealt with this at some length previously in a post entitled “Keeping safe online” which I last updated in May 2023, and although much of it is still relevant and most, if not all, of the links are still working, I thought to write something from scratch, rather than do another edit/revision.

I’m going to skip to the content at the end of the article referred to above and pick up the theme of Passwords, Passkeys and Two-Factor Authentication (2FA).

First of all – you want a fright? Try typing your favourite password(s) – you do have more than one, don’t you? – into this website.

Secondly, check to see just how vulnerable your email address might be, using …

… go to haveibeenpwned? – and if you want to know what pwned means, and how to pronounce it, look here. If a service you use is in this list, you should seriously change your password!

Another approach is to use a tool that looks at your “digital footprint” to examine where you might be exposed. Such a tool is this one from Malwarebytes.

So that’s got your attention, right? You really need to deploy/use a Password Manager to hold your passwords – preferably one that is usable and consistent across all your devices. Two such products are 1Password and Dashlane, both of which get very good reviews.

The alternative to using a Password Manager application is to use the password security offered by your browser. In Apple’s case this is iCloud Keychain – which stores the passwords – with its associated Passwords app; in Google’s case this is Google Password Manager. Both of these now offer support from one ecosystem to the other – so multi-platform users can choose one or the other. Microsoft also offer a Password Manager using the Edge browser, but its features are possibly not as well developed as those of Apple or Google, nor of dedicated password manager applications such as 1Password or Dashlane which score best with users who have a mixture of Microsoft, Apple and Google devices and applications.

And now we have Passkeys. When assessing whether you want to move to a Password Manager, you MUST check that the chosen one supports Passkeys as defined by the FIDO Alliance …

… and the key to its success and inter-operability is its integration with biometric signatures. So Passkeys are the platform for increased and improved internet security and should be welcomed with open arms – for Apple, for Google and for Microsoft.

If a Passkey can’t be employed on your favourite website, or even if it can, you may be asked to use 2FA (two-factor authentication). Using this means that when you’ve typed in your username and password you’ll be challenged to provide a code from a mobile phone or an authenticator app such as Google Authenticator, or to go to another app (particularly if it’s a Google app), and do that extra second step (hence 2FA) to confirm you are who you say you are.

We’re entering the passwordless world. It’s long overdue!

Finally, some other links to help you navigate the digital security world.

7 phone apps you need to secure right away – if you value your privacy – this could have formed the basis of an article in itself. It’s important to just check you’re doing the best you can to secure your favourite apps.

Best antivirus: Which? Best Buys and expert buying advice – a review, for both PCs and Macs, of anti-virus software – of course you could just be relying on Windows Defender (for Windows) or nothing at all (if on a Mac), both of which are acceptable decisions, which then leads into …

Everything you need to know about cybersecurity basics – an inventory of terms, some with links to free tests, and the option to purchase tools. The definitions of terms are good.

Online learning events from the u3a – especially a recurring event “Staying Safe Online – A u3a Presentation with Q&A”