News: 1734543009

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Microsoft won't let customers opt out of passkey push

(2024/12/18)


Microsoft last week lauded the success of its efforts to convince customers to use passkeys instead of passwords, without actually quantifying that success.

The software megalith credits passkey adoption to its enrolment user experience, or UX, which owes its unspecified uptake to unavoidable passkey solicitations – sometimes referred to as "nudges."

"We're implementing logic that determines how often to show a nudge so as not to overwhelm users, but we don't let them permanently opt out of passkey invitations," explained Sangeeta Ranjit, group product manager, and Scott Bingham, principal product manager, in a [1]blog post .

[2]

The corporation's onboarding strategy seems to suit its corporate address: One Microsoft Way.

[3]

[4]

Ranjit and Bingham describe that strategy in a post titled "Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security." But they don't disclose how many customers love passkeys enough to actually use them.

They do reveal that the Windows maker's latest sign-in experience led to a 10 percent decline in password use and a 987 percent increase in passkey use. And they anticipate that given the reimagined sign-in experience, "hundreds of millions of new users will create and use passkeys over the coming months."

[5]

Microsoft did not immediately respond to a request to put a number on current passkey adoption.

It was only in May – on World Password Day no less – that Redmond [6]made passkeys available to Microsoft consumer accounts. The biz at the time described the occasion as the culmination of a ten-year journey that began in 2015 with passwordless sign-in via Windows Hello and Windows Hello for Business.

But really the possibility of a future without passwords dates back a decade further – to 2004, when Microsoft co-founder Bill Gates [7]predicted the death of the password at the RSA Security conference. It was wishful thinking at the time – password problems led to security breaches then, as they do today – though it now appears to be within the realm of possibility.

[8]

The Fast Identity Online Alliance (FIDO) has been [9]pursuing the same goal since 2013. With the publication of the [10]WebAuthn authentication standard and the development of the FIDO2 Project, tech giants Apple, Google, and Microsoft gained a common means to implement passkeys. And they've begun doing so.

[11]Will passkeys ever replace passwords? Can they?

[12]AWS is pushing ahead with MFA for privileged accounts. What that means for you ...

[13]Microsoft, Google do a victory lap around passkeys

[14]Go ahead, forget that password. Use a passkey instead, says Google

Apple introduced passkey support in iOS 16 and macOS Ventura in September 2022. Google did so shortly thereafter in [15]Chrome and later in [16]Android and [17]Google Accounts . Microsoft introduced passkey support [18]in Windows 11 version 23H2 , and is starting to see more adoption thanks to its insistent UX design.

[19]Passkeys rely on public key cryptography. When a user elects to create a passkey – or does so just to make the solicitations stop – a private key is created. That key gets stored securely on a device (such as a PC or a phone), where it's associated with the device's unlock mechanism (a biometric signal or a PIN). The corresponding public key is stored on the server for the associated application.

Thereafter, the user can log in more efficiently. Selecting an app's passkey login option prompts the server to check with the device to authenticate using the cryptographic key pair. No password entry or 2FA step is required.

The benefit of this approach is that there's no secret stored on the server that can be compromised and stolen – public keys need no protection. And each passkey is associated with a specific application, so credential reuse attacks aren't a thing.

Passkeys are not foolproof though. A compromised device might expose private keys, and a successful social engineering attack could dupe a user into creating a passkey for a malicious service.

There are also potential problems if the user loses access to a device that stores passkeys – another means of authenticating to a passkey-linked service would be required, which might involve passwords or a more involved recovery process. Also, passkey portability between credential providers (across platforms or password manager applications) is still [20]a work in progress .

At the 11th annual FIDO Tokyo Seminar last week, the FIDO Alliance [21]declared , "More than 15 billion online accounts can use passkeys" – which does not mean that many are actually doing so. The group also claims that Google has reported 800 million Google Accounts now use passkeys, which is up from the 400 million figure Google [22]reported in April. The folks at FIDO further observed that Amazon introduced passkeys this year, and now has 175 million accounts using the technology.

Microsoft is apparently on its way to a billion passkey users and the eventual elimination of passwords – but hasn't revealed its progress. Given enough persistent, unavoidable passkey enrolment notifications, it's only a matter of time. ®

Get our [23]Tech Resources



[1] https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z2NUGYp0bT2mC0zlRIeo7QAAAFI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2NUGYp0bT2mC0zlRIeo7QAAAFI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2NUGYp0bT2mC0zlRIeo7QAAAFI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z2NUGYp0bT2mC0zlRIeo7QAAAFI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

[7] https://www.theregister.com/2004/02/25/who_needs_passwords/

[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z2NUGYp0bT2mC0zlRIeo7QAAAFI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[9] https://www.theregister.com/2013/02/13/fast_identity_alliance_launched_with_lenovo_and_paypal_support/

[10] https://www.theregister.com/2018/04/11/fido_takes_a_bite_out_of_passwords_with_two_authentication_standards/

[11] https://www.theregister.com/2024/11/17/passkeys_passwords/

[12] https://www.theregister.com/2024/06/17/aws_mfa_roll_out/

[13] https://www.theregister.com/2024/05/02/microsoft_google_passkeys/

[14] https://www.theregister.com/2023/05/04/google_passkey/

[15] https://blog.chromium.org/2022/12/introducing-passkeys-in-chrome.html

[16] https://android-developers.googleblog.com/2023/02/bringing-together-sign-in-solutions-and-passkeys-android-new-credential-manager.html

[17] https://security.googleblog.com/2023/05/so-long-passwords-thanks-for-all-phish.html

[18] https://support.microsoft.com/en-us/account-billing/set-up-a-security-key-as-your-verification-method-2911cacd-efa5-4593-ae22-e09ae14c6698

[19] https://www.microsoft.com/en-us/security/business/security-101/what-is-passkey

[20] https://blog.1password.com/fido-alliance-import-export-passkeys-draft-specs/

[21] https://fidoalliance.org/passkey-adoption-doubles-in-2024-more-than-15-billion-online-accounts-can-leverage-passkeys/

[22] https://blog.google/technology/safety-security/google-passkeys-update-april-2024/

[23] https://whitepapers.theregister.com/



Paul Crawford

There are also potential problems if the user loses access to a device that stores passkeys – another means of authenticating to a passkey-linked service would be required, which might involve passwords or a more involved recovery process.

And therein lies the practical pain in supporting anyone using them, and the easy route to compromise. True, it is not as easy as folks who use "qwerty" or similar as their password, and it avoids the password reuse problem, but it puts everything in a given device's internal store for better or worse.

Putting all your eggs

Steve Davies 3

into one basket

Then Dropping it... (because of the non opt-out crap)

MS is working hard to piss all its customers off (so that the give MS the finger)

It is almost as if they have been studying the "Rise and Fall of Gerald Ratner".

That didn't end well for him.

Re: Putting all your eggs

Doctor Syntax

And yet...a friend who doesn't use MS Office decided that signing up for a subscription was an acceptable cost to get rid of the ads. There seem to be no limits to the amount of abuse their customers will accept.

MachDiamond

"and it avoids the password reuse problem,"

reusing a password isn't a problem. Reusing passwords improperly is a problem. I'd never use my password here on El Reg at my bank, nor my email/web server/FTP, but I use it in a few other places. I do have a password generator/manager for things that require a very strong password, but I don't carry that around with me everywhere so it's much easier to remember a few passwords that I might need when I'm out and about.

That's not a problem with passkeys

DS999

It is a problem common to ALL authentication schemes. In order to avoid being totally user hostile, there has to be some "backup" method of authentication if you forget your password, lose access to your passkey, lose your hardware token, change your phone number (if you're using SMS based 2FA) and so on.

The typical reliance on "security questions" which are almost always far more easily guessable/learnable passwords leaves a gaping hole no matter how good your security is on the primary authentication method. The more pick-proof you make your front door, the more that thieves will decide it is easier to get in via the 2nd story window you've left unlocked to have a way in for when you lose your house key.

There are ways to move passkeys between devices, Apple can manage them via iCloud for example - but they are only copied between devices if the user has set the "advanced protection" mode for iCloud which encrypts everything with a user supplied encryption key. That's very secure, but then you have potential recovery issues for that user supplied key so you're just pushing the problem up one level. Apple has solutions for that too, but at some point every solution depends on the user taking some ownership in being able to recover their access if a device is lost/stolen, passwords/encryption keys are lost/forgotten, and so forth.

I'm not sure it is possible to create an authentication method that is both secure from remote exploit, and trivially recoverable for the typical non-technical end user without re-opening the door for remote exploit. The only exception is within a smaller security domain - like if you lose access to your university resources if they have a way you can go to a physical office and present your official ID they can get back your lost access without opening things up to remote attack. But in a general sense for an "internet user" I don't think it is possible to have both security against remote attack and ease of restoration if you lose access.

One ring to rule them all.

DMcDonnell

"One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them.", JRR T.

Re: One ring to rule them all.

Mentat74

Don't you mean : "One passkey to rule them all"...

Re: One ring to rule them all.

MrDamage

Someone mention onion rings? No? Dammit.

Better security doesn't just stop the scammers

Lost in Cyberspace

As I've found out, when trying to help end users, the extra security doesn't just inconvenience the hackers and scammers.

It often prevents the rightful owner from getting in, when things go wrong. I've had a few customers completely lose access to dozens of services.

One had their Android phone stolen and they got locked out of their Google account (and the associated saved passwords, passkeys). Google won't let you speak to a real person.

Another had their Microsoft Account hacked (and email address changed). They lost access to their Authenticator app, OneDrive files, 365 apps, Windows Store purchases, email, LinkedIn and Facebook. The hacker relied on the fact that Microsoft are completely useless at restoring the account to the original owner - even a real person just sends you back to a recovery form, which won't work because we don't know the email address and it doesn't ask for anything else to identify the account.

As for Facebook? Again, once an account gets disabled all the recovery options stop working too. And good luck getting a real person to help.

Re: Better security doesn't just stop the scammers

Anonymous Coward

@Lost in Cyberspace - you saved me from typing a reply. So I'll just say "ditto". Microsoft and the other big companies just don't live in the RealWorld™. I've also seen all of the items you describe. It is not unusual.

Some how Microsoft assume that RealLife™ does not happen to people. Account loss now is way more extreme due to what is locked up inside it.

And the absolute worse part is that inability to talk to a human to prove the account has been stolen. I guess they don't have any cash left in the profits to pay people. (Or worse, the AI responses sending you in circles)

Instead just have to sit and watch the scammer have full run of everything.

Just a simple check like looking at the location where the new logins are coming from would be enough to prove the theft...

Re: Better security doesn't just stop the scammers

DS999

There are ways around that, but they require an informed and minimally technically competent end user. I'm sure Google and Microsoft both have a way to get back into your account if you've lost your access, but it would require some sort of action by the end user to prepare for that and will be its nature either be complex or leave gaping holes in security.

On my iPhone for instance I have a couple passkeys (not doing anything useful they were just creating because I wanted to know how it worked) but if I lose my iPhone and get another I'll get access to those passkeys. That's because they are getting backed up to iCloud - which for security critical stuff like passkeys only happens if you have set "advanced protection" mode for iCloud, which is not the default. That encrypts your iCloud backup with a key you provide - and puts the onus on you to do something about protecting your access to that key (that's why this mode is not the default)

Apple has two ways of getting back your access to your iCloud encryption key. There's a way you can create a "recovery key" which you can use to restore that access. The other option is you can set up "recovery contacts" which are trusted people who can provide that recovery key to you. I'm not sure of the exact details of how that process works, I saved a copy of that recovery key when I set it up in my safe. But I suppose if someone broke in and stole both my phone and my safe I'd be screwed - if I wanted to protect against that I'd have to store another copy of that recovery key elsewhere like a safe deposit box.

All this is to say that while it is possible to recover your lost access in a secure way, it is not something easy nor should we expect casual users to understand it at all. That's why advanced protection is not the default on the iPhone, but users may assume their passkeys are getting backed up in iCloud and be rudely surprised when they learn otherwise.

Passkeys are a bad idea, or at least badly implemented

sarusa

Basically, they started with the premise that 'passwords are bad', which I will even agree with, and then came up with something worse.

Yes, it's very convenient for the machines where you have biometrics and only need access from that machine (though just using keepass seems just as convenient). It's also (as noted) a complete disaster if you lose the device with the passkey or things go wrong. Best case, then, you fall back to... yes, passwords, so you still need good passwords.

I also need access to things from multiple machines, most of them lacking biometrics, including in places where, guess what, there's no cell service. So passkey on phone fails even if I wanted to put all my security on the phone. I actually lost my phone in a lake this year - this would have been a real problem. But MS doesn't give a shit about that, nobody there is ever using the crap they're actually peddling in the real world.

So far I haven't found anything better than keepass file with deceptively named keyfile + password, 20 char unique passwords for every site. I'm not dependent on a 3rd party like LastPass (boo!) not to have another breach. I use pcloud to distribute it where I need it. And then I use Authy for 2FA. Thanks to these I was only mildly inconvenienced by losing my phone this year rather than it being a complete farking disaster (I just switched to my tablet for the time). Again, whatever password system works for you - it's still better than passkeys.

Re: Passkeys are a bad idea, or at least badly implemented

Dan 55

Welcome to hotel Microsoft. The default behaviour will be your MS account saving all your passkeys for all your apps/online services. Who's going to leave then?

Re: Passkeys are a bad idea, or at least badly implemented

Anonymous Coward

No... the default behaviour will be "login with your Microsoft account". Just like now you see the options to login with your Google\Apple\Facebook accounts...

Am amazed Micro$oft is being so slow on this front.

Re: Passkeys are a bad idea, or at least badly implemented

richardnpaul

Log into your microsoft account, from a new Win11 machine, when your account is protected by passkeys, and you don't have any passkeys on the device, yet.

Re: Passkeys are a bad idea, or at least badly implemented

DS999

Yes, it's very convenient for the machines where you have biometrics and only need access from that machine

There is no reason passkeys can't be transferred between the various pieces of hardware you own, so long as you "bless" them appropriately. That's already possible within your (Apple/Google/Microsoft) ecosystem, the missing piece is to make it possible outside of your ecosystem. That's something they are working on, and maybe it is partially there already (my "other hardware" is Linux so I'm assuming it will take longer to get there than it will between the big three)

My ideal would be to keep the passkeys on my iPhone (where they are secured, securely backed up, and can be securely recovered if I lose my phone) and have it talk via bluetooth to my PC so when I login to the Reg it would tell my browser "access passkey for www.theregister.com" and my browser would talk to the Fedora/GNOME key manager which would talk via bluetooth to my iPhone (which I would have previously allowed to talk to my Linux PC if asked for a passkey) and my phone would require me to authenticate via Face ID if I hadn't done so within a configurable number of minutes (because I don't want to keep looking at my phone for every login) and then provide the passkey to the Linux PC which could use it to login to the Register. I suspect we're a few years away from it being this smooth, but we'll get there faster for people staying inside the "big three" ecosystems.

There is no security.

Kaltern

Nothing is secure. Nothing. The illusion of security is just another method of control.

- Me.

Once breach to breach it all

Anonymous Coward

(repeat same)

Once your device that uses Passkeys is breached - Everything is breached. If you have passwords (and they are unique) only one thing is breached. If you use MFA with a password, you are as safe as you can be.

The hardware keys are only to sell you a new device, have been in use for over 20 years and clearly not the answer.

MFA has saved our company 3 times from Email pass the hash (malicious Emails abusing MS authentication), and a couple times from idiots putting their password in a fake OWA site. - and Conditional access alerted us.

Companies want to move you from things you have, to things you access. This is how to cut people off from all services/access in one bite.

Re: Once breach to breach it all

DS999

Passkeys aren't accessible to the OS, or at least they aren't supposed to be. They'd be secured by the security chip on the device (Secure Enclave on iPhone/Mac, TPM on PC, whatever Android calls theirs) and you'd access it via biometrics (or a password on your phone if you are too paranoid to use biometrics)

That protects it against remote exploit, or even remote compromise of your phone. Physical security is beyond the scope of what passkeys are intended to do.

I just came to say

chivo243

Soylent Green is People

Open the Pod bay doors Hal

Ah, Roedecker...

So it is THIS scene - in an endless loop.

Jou (Mxyzptlk)

Up to now I was planning to use 10 loops of [1]this scene to illustrate why MS is hated - every hit knocks an MS-important-notification-we-have-a-new-feature popup away.

Now it will be an endless loop... "how often to show a nudge"...

[1] https://www.youtube.com/watch?v=f4CizzE-zZo

So, passkeys

Anonymous Coward

Just very long passwords, so complex that they have to be written down, stored in a file, entered automatically when needed by whomever has access to the device they are stored on. Sounds great. Luckily most will be stored on a really secure windows pc or an android phone, 80% of which no longer receive security updates. This is real progress, not, we are living in Idiocracy.

This why we need a Pi-based alternative.

Tron

So we can ignore the fascist diktats of the Microsoft reich.

Technology is dominated by those who manage what they do not understand.