Proton, the maker of a well-known email system known for its high level of security, has added support for passkeys to its password manager, while criticizing “Big Tech” for entrapping users’ passkeys in “walled gardens.”
“Even though passkeys were developed by the FIDO Alliance and the World Wide Web Consortium to replace passwords and are meant to provide ‘faster, easier, and more secure sign-ins to websites and apps across a user’s devices,’ their rollout hasn’t lived up to these lofty ideals,” Son Nguyen, founder of SimpleLogin and a developer of Proton Pass, wrote in a blog Monday.
He continued: “Instead of providing a secure solution for everyone, Apple and Google prioritized using passkeys to lock people in their walled garden rather than use the technology to provide a safe solution for all.” “This closed-off approach lessens the value and likelihood of passkeys being adopted universally, which will be critical if passwords are to ever be replaced.”
Roger Grimes, a defense evangelist at KnowBe4, a provider of security awareness training in Clearwater, Florida, agreed with Nguyen. He told TechNewsWorld that the original and existing FIDO standard, and the way big vendors such as Microsoft, Google and Apple implement it, amounts to a walled garden.
“FIDO knows about this problem, and is working on an update of the passkeys which removes this restriction,” he stated.
He added that “Proton wasn’t the only company to address the issue of the passkey platform lock.” “For example, the 1Password Password Manager allows you to use passwords on different platforms.”
No Vendor Lock-In
The FIDO Alliance did not accept Proton’s claims. Andrew Shikiar, executive director and CEO of the FIDO Alliance, said that “Passkeys weren’t created just for Big Tech.”
He told TechNewsWorld that an open ecosystem had always been envisaged for passkeys, which is why companies such as 1Password, Dashlane and other credential managers take part in the FIDO Alliance.
“There is no vendor lock-in,” he said. “In fact, these companies all work actively within the FIDO Alliance to examine a new credentialing protocol. All of them are working to allow you to move passkeys between clouds.”
James E. Lee of the Identity Theft Resource Center, a nonprofit organization in San Diego dedicated to minimizing risk and reducing the impact of crime and identity compromise, added that passkeys can be used with any type of platform, app, or operating system.
He told TechNewsWorld that “that’s exactly what is happening now.” To do otherwise would further delay adoption of a process that is exponentially more secure.
Clunky User Interfaces
Nguyen claimed that following Big Tech’s rollout of passkeys, several password managers also rushed out their own passkey releases, resulting in a poor user experience.
He wrote: “Some password managers only support passkeys through their web extension. This makes it difficult for anyone to log into the same app using a passkey from their mobile phone.” “Most password managers that support passkeys offer them only with a paid-for plan. This means Google Password Manager and Apple Keychain are the only viable free providers of passkeys until Proton Pass included them.”
Anna Pobletts, head of passwordless at 1Password, said: “Big Tech was the first to develop solutions for a world without passwords. But a walled-garden approach limits the potential adoption of passkeys by consumers.”
“At 1Password,” she told TechNewsWorld, “we’ve taken an interoperable approach so that users can navigate the transition from passwords to passwordless and to ensure they have a choice in how they manage their online identities across platforms and devices — both at work and at home.”
Anti-Phishing Solution
Darren Guccione, CEO of Keeper Security, a password management company in Chicago, noted that traditional password systems suffer from inherent vulnerabilities, including susceptibility to brute-force attacks and human-factor weaknesses such as phishing and spoofing.
He told TechNewsWorld that “passwordless authentication methods leveraging biometrics and multi-factor authentication as well as advanced technologies provide a robust defence against these threats.”
He explained that passkeys are based on public-key principles, as opposed to passwords, which usually consist of a combination of characters, numbers and symbols. Passkeys use a pair of cryptographic keys: a private key that is stored securely on the user’s device, and a public key registered with the service provider.
Passkeys are based on a challenge and response mechanism.
The service provider sends a challenge when a user tries to log in to their account. The device then signs the challenge using the private key, and sends it back to the server as a response.
The private key never leaves your device, and it isn’t sent over the network. This provides a higher level of security than traditional passwords.
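The challenge-and-response flow Guccione describes, as an added example (not Proton’s, Keeper’s, or the FIDO Alliance’s code): a toy relying party and a toy authenticator in Go, using Ed25519 from the standard library. The server stores only the public key, issues a fresh random challenge per login, accepts each challenge once, and the signed data is bound to the relying party’s identifier so a response produced for one site cannot be accepted at another. The names `RelyingParty`, `Authenticator`, `example.com` and `alice` are constructed for the example; real WebAuthn signs a richer structure (authenticator data plus a hash of the client data), which this simplifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// RelyingParty is the server side. It holds public keys and the challenges
// it has issued; a private key never reaches it.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key produced at enrollment.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// IssueChallenge creates a fresh 32-byte random challenge for one login attempt.
func (rp *RelyingParty) IssueChallenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// signedPayload binds the challenge to the relying-party identifier, standing in
// for the rpIdHash/origin that real WebAuthn puts in the signed data.
func signedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Verify accepts a response only if the challenge is the one issued, has not
// been used before, and the signature verifies under the registered key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	issued, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.challenges, user) // single use
	if !bytes.Equal(issued, challenge) {
		return errors.New("challenge mismatch")
	}
	if !ed25519.Verify(pub, signedPayload(rp.rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Authenticator is the user's device or password manager: the private key is
// generated here and is never exported.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}

// NewAuthenticator makes a key pair for one relying party and returns the
// public half for registration.
func NewAuthenticator(rpID string) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, pub, nil
}

// SignChallenge answers a login challenge; only the signature leaves the device.
func (a *Authenticator) SignChallenge(challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(a.rpID, challenge))
}

func main() {
	rp := NewRelyingParty("example.com") // constructed sample relying party
	auth, pub, err := NewAuthenticator("example.com")
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub) // constructed sample user
	challenge, _ := rp.IssueChallenge("alice")
	sig := auth.SignChallenge(challenge)
	fmt.Println("login:", rp.Verify("alice", challenge, sig))  // <nil>
	fmt.Println("replay:", rp.Verify("alice", challenge, sig)) // rejected
}
```

Two properties the text asserts are visible in the code: the server never holds anything it could leak that would let an attacker log in (only the public key), and a captured response is useless afterwards because the challenge is random and single-use. A passkey enrolled for a different relying-party identifier also fails verification, which is the mechanism behind the phishing resistance mentioned later in the article.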
Guccione stated that passkeys can only be used on the device where they were created, unless the passkey is saved to a password management program. “Storing your passkeys on a secure password management system allows you to have access to them, no matter which device you use or where you log in, so you can use them across multiple browsers and operating platforms.”
“Passkeys eliminate some of the most common social engineering attacks, like phishing or credential stuffing, altogether, as they remove the reward that hackers are after — credentials,” added Pobletts.
Passwords Are Not Being Uprooted
Guccione said the future of passkeys is promising, if cautiously so, and will be marked by gradual improvements. He noted that “the robust support from tech leaders like Microsoft, Apple and Google is a big step in the right direction.” “Standardization initiatives may play an important role in overcoming interoperability and fostering wider adoption.”
He added that passkeys will not replace passwords, at least not in the near future.
He continued: “Of the billions of websites that exist, only a fraction offer passkey support.” “This very limited adoption can be attributed to a variety of factors, such as the level of support from the platforms, the necessity for website adjustments, or the requirement for user-initiated configuration.”
Nguyen contended that for passkeys to be a truly effective account security measure, they must be made universal.
He wrote that passkeys, like many other online features, benefit from the network effect. “The more websites and services that implement passkeys, the better the solution and the easier it will be for users. Unfortunately, Big Tech is using passkeys to further their commercial interests and not to ensure universal security.”