Passkeys show why standards need explaining
Photo credit: Nick via Unsplash
I got a new phone recently, with mixed emotions. Delight: it’s a shiny new gadget! Scepticism: is it really that much better than my last phone was when that was new? Regret: could I have eked my old phone out for a bit longer, even though it was getting steadily slower and more full?
And, of course, dread: can I still access all the apps that I need to access? How many of my credentials have transferred seamlessly? How many apps just need a simple re-validation? And how many will trap me in a loop of email resets, forgotten user ids, and notifications sent to devices which I don’t even own any more?
Authentication has been a mess for years. Passwords provide flimsy protection, and companies keep trying to make them stronger by making them more complex: for example, sixteen characters, including numbers and special characters, leading to the absolutely unbreakable ‘Passwordpassword123!’, written on a PostIt note and stuck to the monitor. Password managers and strong password suggestions make them marginally better, at the cost of making password managers a target for attack. Two factor authentication is stronger still, if only providers could agree on what extra factors to use and how to implement them: I currently have four different authenticators on my phone.
Passkeys promise to simplify and strengthen authentication, and NCSC’s latest recommendation that we all switch to them as soon as possible is welcome.
Except, just like passwords and two factor authentication, the technology industry, the cyber security industry, and the companies that are building passkeys into their services have not done enough to explain how they work.
I must admit that, although I work in the technology and cyber security industries, I had not done enough to learn about passkeys until recently. I simply noticed that I was occasionally getting asked for a passkey instead of a password. I also noticed that the experience of being asked for a passkey was weird and inconsistent. Sometimes I was asked to use the biometrics built into the device. Sometimes I was asked to go to a separate authenticator app. Sometimes I was asked to make sure that the device with my passkey had Bluetooth switched on and was nearby, an unsettling request when accessing sensitive data.
After a while, I realised that I must have created a few passkeys. The problem was that, because I hadn’t been paying enough attention when I was creating them, I couldn’t be sure whether they were on my phone, on my laptop, or on one of my accounts for cloud services. When I was asked to switch on Bluetooth on the device that held my passkey, I had no idea which device that was.
Alarmed (and concerned that I would inadvertently lock myself out of my accounts) I did some reading and found that, if the service is following the WebAuthn standard, a passkey is a piece of public key cryptography: a key pair, of which the private key is held securely on your device and never leaves it, while the matching public key is handed to the site when you register. When you log in, the site sends a fresh random challenge; once you have authorised the device (by fingerprint, face or PIN), it uses the private key to sign that challenge, and the site checks the signature against the public key it stored. That proves you hold the private key without the site ever learning it, and without anything reusable, such as a password, crossing the network.
I also found that it was virtually impossible to get a good explanation of how passkeys work which is understandable by non-technical people. My own paragraph above adds to the list of terrible explanations: it assumes some knowledge of public key cryptography, a topic which is hard to explain even when you understand how it works. The NCSC's page does a better job, but even that is difficult for laypeople. Articles in the press which people might read were not much more use, avoiding concepts such as cryptography in favour of analogies which just confused things further. Worse still were the explanations given on apps and sites attempting to implement passkeys, because most of the time those explanations did not exist: users were just told to follow instructions which they were unlikely to understand or remember.
I think that there are two ways to tackle this problem, one individual and one systematic. The individual approach is that those of us who work in the technology and cyber security industries should do the work to understand how mechanisms such as passkeys work. I put this off for far too long, and wish I had paid attention sooner. We should then take the trouble to explain these mechanisms to the people around us in terms which are comprehensible and useful to them. This will vary from person to person and will take time and patience. But if we’re going to build digital systems that people depend on, then we had better take the trouble to explain them to those people.
The systematic approach concerns how we go about setting standards. Passkeys are based on the W3C WebAuthn standard, which has existed for several years. Like most such standards, you only need to skim the contents page to understand the level of thought and expertise that has gone into its development. But, also like most such standards, you won’t find a section in that table of contents which describes how to explain the standard to end users. I think that, in a standards-based industry such as technology, we would do well to adopt a practice that says every new standard must include an explanation accessible to non-specialists. That would be hard to write, but the goal of standards should be comprehension as well as utility.
Passkeys are a good mechanism. But to work well, and to be adopted swiftly, they need just as good an explanation. The same goes for all other advances in technology.