What if your passkey device is stolen? How to manage risk in our passwordless future


Part of the “passkeys are more secure than passwords” story is derived from the fact that passkeys are non-human-readable secrets — stored somewhere on your device — that even you have very limited access to. 

OK, so what happens to those passkeys if your device is stolen?

Over on Spiceworks.com, ZDNET’s sister site for IT professionals, a community member posed some insightful passkey edge case questions regarding my ZDNET story about the industry needing to get its passkey story straight if the relatively new authentication technology is to stand any chance of fulfilling its ambitions to replace passwords.

Also: How passkeys work: The complete guide to your inevitable passwordless future

In one of those questions, Spiceworks member GMXO asked, “What if the device is stolen? How do I prevent the thief from exploiting [any passkeys that are stored on it]?” Code98765, another member, noted that “these edge cases don’t get talked about enough.”

In most circumstances, once you’ve enrolled a passkey to work with a certain website or app, your device has everything it needs to sign into that site or app. It’s not much of a leap, then, to regard a passkey’s relationship to your device as if it were a keyfob to your car. So, for anybody just starting out with passkeys, “what if the device is stolen?” is a pretty obvious question to ask. But unlike the keyfob to your car, which gives the thief everything needed to steal the car, there are a variety of obstacles that should prevent a thief from using your “stolen” passkeys to access your accounts. 

Spiceworks member m@ttshaw, who self-identifies as a solution architect from the UK, correctly responded that it’s “dependent on the security used to protect the passkeys on that device.”

Another member from the UK — itskieran — chimed in that “if you can remotely wipe your phone and/or it’s protected by a strong PIN or password and set to auto-wipe after a certain number of attempts, then you should be safe. Also, at least on Android, you have to authenticate with your biometrics a second time to allow the passkey to be used.”

Also: I replaced my Microsoft account password with a passkey – and you should, too

I’d like to expand on these great answers while also providing additional detail: There is more you can do to give yourself additional peace of mind. 

How are passkeys stored on your device?

As described in Part 4 of ZDNET’s six-part series on how passkeys work (and why they’re more secure than traditional credentials), passkeys are typically stored in encrypted form. You cannot browse your device’s filesystem, see where they are listed, or do anything with them — except use your password manager to see a list of them, delete them, and, in some cases (depending on the password manager), rename them.

For example, in most cases where you’ve opted to create a non-synchronizable passkey that is stored on the device itself, that passkey will be generated in non-human-readable form, encrypted, stored, and protected with the help of the device’s on-board security hardware such as a trusted platform module (TPM) or secure enclave. Like all end-user interactions that involve data stored in a TPM or secure enclave, retrieval of that data requires the user to supply a biometric, secret PIN, or a passcode. In other words, whether it’s you or a malicious actor, discovery and retrieval of your passkeys from where they are securely stored is nearly impossible.

Also: Passkeys won’t be ready for primetime until Google and other companies fix this

For those passkeys that are synchronizable (and not tied to any specific device or its security hardware), the passkey is managed and protected by whichever password manager you use (e.g., 1Password, Apple Passwords, BitWarden, Dashlane, Google Password Manager, LastPass).

When a password manager is used to manage synchronizable passkeys, other credentials (user IDs and passwords), and other secrets, it typically encrypts and stores them in a secure software container using a process that essentially emulates the capabilities of a TPM or secure enclave. The password management industry often refers to these containers as “vaults” — although not all password managers use this nomenclature. 

(As a side note, keep in mind that the phrase “password manager” is a misnomer. To the extent that these so-called password managers manage non-password-oriented credentials (i.e., passkeys), they deserve to be classified more broadly as “credential managers.”)

Regardless of whether you’re relying on synchronizable or non-synchronizable passkeys (or both), it’s important to configure your device in a way that requires some form of local authentication — a PIN, a biometric, or a passcode — not only to access the device, but also to access your vault when the time comes to authenticate with a relying party (a website, app, etc.). For example, a thief shouldn’t be able to pickpocket your phone, unlock your phone, go to your bank’s website, and log in without first encountering a roadblock to authenticate with your phone and then again with your password manager.

Also: Biometrics vs. passcodes: What lawyers say if you’re worried about warrantless phone searches

Where possible, you may want to consider non-biometric forms of security due to the apparent lack of protections that are legally available during a smartphone shakedown. 

All of this said, as the old Boy Scouts saying goes, “Be Prepared.” There are important additional preparations that end-users should consider to further protect themselves from the possibility of device theft. The first batch of these preparations concerns basic device and account security. 

Device security matters

For starters, all users should be familiar with the various options for manually and automatically locking their devices. There are a multitude of options, some of which are discussed in Dan Patterson’s 7 ways to lock down your phone’s security.

Also: 7 ways to lock down your phone’s security – before it’s too late

For example, consider automatically locking your device after some period of inactivity, when it is not within proximity of a Bluetooth-connected accessory like a smartwatch, or after a device detects that it might have been snatched. Additionally, users should know about the options available to them for remotely or automatically wiping their devices. Through Apple’s Find Devices and Google’s Find My Device, devices can not only be located (when they are online), but they can be remotely locked or wiped. As Spiceworks member itskieran noted, devices can also be configured to automatically wipe themselves after a certain number of failed unlock attempts. 

What if the thief has access to your unlocked device?

Let’s move on to another scenario: a thief has somehow managed to gain access to your unlocked device.

Be sure to protect any authenticator apps with a password or PIN (biometrics, too, but consider the aforementioned legal rights you could be sacrificing). This will prevent thieves from accessing any accounts that depend on authenticator-based multifactor authentication.

Also: How to sync passkeys in Chrome across your PC, Mac, iPhone, or Android

Additionally, Android has a feature called Private Space that essentially sets up a secure, password- or biometric-protected partition separate from your other apps. Once you’ve created this so-called Private Space, you can install apps from the Google Play Store almost as though it’s another smartphone. The data that goes with those apps stays in that private partition as well.

Although iOS doesn’t have a corresponding feature to Android’s Private Space, it can be configured to similarly obfuscate app access through a feature that allows you to lock apps, hide them, or both (requiring a passcode, Touch ID, or Face ID to gain access). This is above and beyond any security that’s built into the app itself. 

In either case, consider obfuscating and securing your most sensitive apps with these features.

Should you delete ‘stolen’ passkeys?

What about the passkeys that were on the stolen device — either the non-synchronizable ones specific to the device or the ones that were synced to it with the help of a password manager? Should you delete those?

That depends. 

Do you feel there’s still a chance the thief could somehow gain access to your password manager and sign into a website or app as though they are you? If you’ve set your password manager to require some form of password, passcode, or biometric authentication before it supplies whatever credentials are necessary to sign into a site or app, then you should be safe.  

Also: Want to change or delete your passkey? It’s complicated

“I don’t think there is a need to reset all of your passkeys or credentials for each relying party,” FIDO Alliance User Experience Working Group co-chair James Hwang told ZDNET. Hwang is also a senior product designer in Microsoft’s Identity Standards group. (Microsoft is one of the chief proponents of passkeys.) “It would be kinda crazy to do that for each one as there could be hundreds of credentials,” Hwang noted.

But if you want to go the extra mile regarding “stolen” passkeys — for no reason other than exceptional credential hygiene — you can implement a strategy that makes it easy to identify and unenroll those passkeys from their associated relying parties, as described in Want to change or delete your passkey? It’s complicated. Like many other passkey-related activities, this requires a bit of forethought and planning.

First, as suggested in ZDNET’s 10 Passkey Survival Tips, give meaningful names to any passkeys that you have enrolled with any relying parties. For example, if you have created a passkey for some website that’s specific to your iPhone, give that passkey a new name like “iPhone passkey.”

Some relying parties offer users the capability to rename the passkeys you’ve enrolled with them; this capability is typically offered through a website’s or app’s security preferences section. Unfortunately, others provide a default name (e.g., “Passkey #1”) that cannot be changed. The partial screenshot below shows the security settings for Microsoft’s Live.com, where two passkeys have been enrolled and, at the user’s option, have been given meaningful, user-provided names: Non-Syncable Passkey on Yubikey and Synced Passkey for BitWarden (see red-boxed callouts).

[Screenshot: passkey naming in Microsoft Live.com’s security settings]

Microsoft is one relying party that allows users to give meaningful names to any enrolled passkeys. Not all relying parties offer this capability. 

Screenshot by David Berlind/ZDNET

If you cannot rename your passkeys, you should make a note somewhere that tracks which passkeys with default names go with which devices (if you set them up to be device-specific, which is not a requirement). As shown in the next screenshot of Shopify.com’s security settings, two passkeys have been enrolled with default names that cannot be changed. However, Shopify offers other clues about how the passkeys were created, including which browser on which operating system was used to generate the passkey and when the passkey was enrolled. Basically, these serve as additional clues as to what device(s) a passkey is associated with.

[Screenshot: Multiple Passkeys Per User on Shopify.com]

Like many relying parties that support passkeys, Shopify allows users to enroll multiple passkeys. However, in Shopify’s case, those passkeys are assigned default names that cannot be changed. 

Screenshot by David Berlind/ZDNET

Once you’re organized to know which passkeys go with which devices, you’re prepared for easier passkey removal in the event that your device is stolen. If you’re really worried about a potential compromise to certain accounts, then sign in to those accounts and remove (unenroll) any passkeys that are specific to the stolen device, or synced to it with your password manager. If it’s a synchronizable passkey that’s been synced with your password manager to multiple devices, you should probably delete it from your password manager as well, since it’s of no use once you’ve unenrolled it from the relying party. 

Also: Going passwordless with public key cryptography

A technical gap in the passkey ecosystem 

All this said, the need to manually remove any trace of a passkey from both your password manager and the relying party speaks to a technical gap in the passkey ecosystem that the FIDO Alliance is aware of: the lack of an API where removal of one triggers removal of the other. For example, if you delete a passkey from your password manager, you shouldn’t have to take the additional step of deleting the corresponding component (the public key of the public/private key pair that constitutes a passkey) on the relying party’s server. 
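To make concrete why unenrolling at the relying party is the step that actually revokes a passkey, and why the vault’s local PIN/biometric check matters, here is a small added example (not code from the article or from any vendor named in it). It models a relying party that keeps only the public half of each key pair, refuses assertions made without user verification (the UV flag in WebAuthn authenticator data), and rejects a still-valid private key the moment the credential is unenrolled. Ed25519 stands in for the credential algorithm, and the credential IDs, names and challenge strings are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const flagUV = 0x04 // bit 2 of the WebAuthn authenticator-data flags byte: user verified

// Credential is all a relying party stores per passkey: the public key plus
// the meaningful, user-provided name the article recommends assigning.
type Credential struct {
	Name string
	Pub  ed25519.PublicKey
}

// RelyingParty is a constructed in-memory stand-in for a site's passkey table.
type RelyingParty struct{ creds map[string]Credential }

func NewRelyingParty() *RelyingParty { return &RelyingParty{creds: map[string]Credential{}} }

func (rp *RelyingParty) Enroll(id, name string, pub ed25519.PublicKey) {
	rp.creds[id] = Credential{Name: name, Pub: pub}
}

// Unenroll deletes the public key; a private key left on a stolen device is useless here afterwards.
func (rp *RelyingParty) Unenroll(id string) { delete(rp.creds, id) }

// NewPasskey plays the device side: a key pair that the device (not the site) holds.
func NewPasskey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Assertion is what the device returns for a login challenge.
type Assertion struct{ AuthData, ClientData, Sig []byte }

// SignAssertion builds authenticator data (32-byte rpIdHash, flags, 4-byte counter) and signs
// authData || SHA-256(clientData); uv says whether the local PIN/biometric check was satisfied.
func SignAssertion(priv ed25519.PrivateKey, rpID string, uv bool, clientData []byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	if uv {
		authData[32] |= flagUV
	}
	cdHash := sha256.Sum256(clientData)
	return Assertion{authData, clientData, ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))}
}

// VerifyAssertion mirrors the relying party's check and insists on user verification.
func (rp *RelyingParty) VerifyAssertion(id string, a Assertion) error {
	c, ok := rp.creds[id]
	if !ok {
		return errors.New("unknown or unenrolled credential")
	}
	if len(a.AuthData) < 37 || a.AuthData[32]&flagUV == 0 {
		return errors.New("user verification (PIN/biometric) not performed")
	}
	h := sha256.Sum256(a.ClientData)
	if !ed25519.Verify(c.Pub, append(append([]byte{}, a.AuthData...), h[:]...), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty()
	pub, priv := NewPasskey()
	rp.Enroll("cred-iphone", "iPhone passkey", pub)
	cd := []byte(`{"challenge":"c1"}`)
	fmt.Println("with UV:", rp.VerifyAssertion("cred-iphone", SignAssertion(priv, "example.com", true, cd)))
	fmt.Println("no UV:", rp.VerifyAssertion("cred-iphone", SignAssertion(priv, "example.com", false, cd)))
	rp.Unenroll("cred-iphone") // the step you take after the device is stolen
	fmt.Println("unenrolled:", rp.VerifyAssertion("cred-iphone", SignAssertion(priv, "example.com", true, cd)))
}
```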

Also: How to set up and use passkeys across your iPhone, iPad, and Mac

Until the FIDO Alliance addresses that gap, users who want to delete passkeys have to manually (and painfully) cover the bases. As Microsoft’s Hwang told me, going to the trouble of doing this manually could end up being a lot of tedious work for marginal gain. Hwang thinks the idea of remotely “revoking the session for the credential manager” might make more sense. This advice largely applies to situations where synchronizable passkeys are being synchronized across multiple devices, each of which is signed into the same credential management account. Any one of those multiple devices can be used to deactivate an active credential management session on one of the other devices. 

But when I inquired with the various password manager solution providers — including 1Password, BitWarden, Dashlane and NordPass — it became clear that the implementation of this remote session deactivation capability, where it exists, varies from one credential manager to the next (and in some cases from one license type to the next). 

Whereas some password managers can remotely decommission sessions at the device level (where all active password management sessions on the device are simultaneously deactivated), others make it possible to more surgically target a specific session (i.e., a browser- or app-specific session) for such revocation, while others don’t offer the capability at all. Also, the password managers differ in how they aggregate a history of sessions from all devices and any last known end-user activities. 

Also: The best password managers: Expert tested

The Spiceworks post that inspired this article included other questions deserving of answers. For example, how does one use a passkey with a borrowed device? (This use case is akin to signing into your Netflix or YouTube account with the smart TVs found in today’s hotel rooms.) I plan to explore this and other questions in future articles.




Original Source: zdnet
