Passkeys may not be for you, but they’re safe and easy – here’s why


My recent article on passkeys attracted a lot of interest, with several of the 1,100+ comments raising questions about how the passkey system actually works and whether it can be trusted. In response, I've put together this list of frequently asked questions to debunk some myths and shed some light on what we do and don't know about passkeys.

Q: I don't trust Google. Why should I use passkeys?

A: If you don't use Google, then Google passkeys aren't for you. If you don't use Apple or Microsoft products, the situation is similar. The original article was aimed at the hundreds of millions of people who do (even reluctantly) use these major platforms.

That said, the use of passkeys is rapidly expanding beyond the big tech players. For example, within a month or two, 1Password and other third parties will support passkey synchronization that will populate the credentials to all your trusted devices. While Google is ahead of any other service in allowing passkey logins, new services allow users to sign into their accounts with passkeys virtually every week. In short, you can use passkeys even if you don't trust Google, Apple, or Microsoft.

Q: I don't trust any company to sync my credentials; I only keep them on my local devices. Why would I ever use passkeys?

A: Even if you don't trust any cloud service to sync your credentials, the FIDO specs allow for something called single-device passkeys. As the name suggests, these passkeys work on a single device and are not synced by any service. Single-device passkeys are usually created with a FIDO2 security key, such as a YubiKey.

However, if you're syncing passwords through a browser, a password manager, iCloud Keychain, or any of its Microsoft or Google equivalents, keep in mind that you're already trusting a cloud service to sync your credentials. If you don't trust cloud services to sync passkeys, you shouldn't trust them to sync your passwords either.

Q: It seems incredibly risky to sync passkeys. Why should I trust sync from any service?

A: Currently, the FIDO specifications call for synchronization with end-to-end encryption, which by definition means that nothing but one of the trusted end-user devices can access the private key in unencrypted (i.e. usable) form. The specifications do not yet set a baseline for this E2EE. For example, Apple's sync mechanism is based on the same end-to-end encryption that iCloud Keychain already uses for password sync. Apple has documented the design of this service in great detail here, here, here, and here. Independent security experts have not yet reported any discrepancies in Apple's claim that it lacks the means to unlock the credentials stored in iCloud Keychain.

Q: iCloud is a fundamental security feature. The burden of proof should be on the company claiming it is safe to prove that safety [sic] not on others to refute [sic] it.

A: As noted earlier, if you don't trust Apple or any other company that offers sync, consider using a single-device passkey. If you don't trust Apple or any other company that offers synchronization and you don't want to use a single-device passkey, passkeys aren't for you, and there's not much point in reading future Ars articles on the subject. Just remember that if you don't trust iCloud et al. to sync your passkeys, you shouldn't trust them to sync your passwords or other sensitive data either.

Q: What about the other synchronization services? Where is their documentation?

A: Google has documentation here. 1Password has documentation on the infrastructure it uses to sync passwords (here and here). Again, if you already trust a cloud-based password synchronization platform, it's a bit late to ask for documentation now. There is little or no additional risk in syncing passkeys as well.

Q: Wasn't there a recent article about new macOS malware that could steal iCloud Keychain items?

A: This could be a reference to MacStealer, malware that was recently advertised on underground crime forums. There are no reports of MacStealer being used in the wild, and no confirmation that the malware exists. All we know is that advertisements claim such malware exists.

That said, the ad hawking MacStealer says it's in early beta and comes in the form of a standard DMG file that needs to be manually installed on a Mac. The DMG file is not digitally signed, so it cannot be installed unless the end user overrides the macOS security settings. Even then, a victim would have to enter their iCloud password into the app after it is installed before cloud-based data can be extracted.

Based on MacStealer's description from Uptycs, the security company that saw the ad, I don't think people have much to worry about. And even if the malware poses a threat, that threat extends not just to passkeys, but to everything else that hundreds of millions of people already have stored in iCloud Keychain.

Q: Passkeys hand control of your credentials to Apple/Google/Microsoft, a third-party sync service, or the site you're logging into. Why would I ever do that?

A: Assuming you use a password to sign in to a service like Gmail, Azure, or GitHub, you already trust these companies to implement their authentication systems in such a way that the shared secrets you use to log in aren't exposed. Logging into one of these sites with a passkey instead of a password gives the sites the same control – no more, no less – over your login details as they had before.

The reason is that the private key portion of a passkey never leaves the user's devices. The authentication takes place on the user's device. The user's device then sends the site being logged into a cryptographic proof that the private key is present on the device that is logging in. The cryptography involved in this process ensures that the proof cannot be forged.