A supplement to NIST SP 800-63B has been released: passkeys are now in scope

As multi-factor authentication (MFA) has spread in recent years, the challenge has been to balance user convenience against security. MFA reduces unauthorized account access by combining authentication factors, for example a password plus a one-time password or a biometric check. The cost is that users must complete more, and more cumbersome, steps at every login. Syncable authenticators, known in consumer products as passkeys, emerged to address this: a single local gesture (unlocking the device with a PIN or biometric) releases a phishing-resistant cryptographic credential, so the user gets multi-factor authentication without a separate second step.

Syncable authenticators let users authenticate from any of their devices by synchronizing the private key used for authentication across those devices, typically through a platform vendor's cloud account. This greatly improves convenience. However, replicating a private key across multiple devices, and storing a copy in a cloud "sync fabric", introduces security risks that the original SP 800-63B did not permit. The US National Institute of Standards and Technology (NIST) has therefore published guidance on using syncable authenticators securely, as a supplement to SP 800-63B.

The document is a supplement to NIST Special Publication 800-63B and provides guidance on the use of syncable authenticators (also known as passkeys), whose authentication keys may be replicated and synchronized across devices. Its key points are:

  1. A properly constructed syncable authenticator can mitigate threats such as man-in-the-middle attacks, verifier impersonation and replay attacks, and can provide authentication intent, allowing it to meet Authentication Assurance Level 2 (AAL2). AAL2 requires multi-factor authentication; phishing (verifier impersonation) resistance is only recommended at that level and becomes mandatory at AAL3, so a phishing-resistant syncable authenticator exceeds the AAL2 baseline while remaining easy to use.
  2. It updates SP 800-63B to allow duplication of authentication keys for syncable authenticators, provided specific requirements on key generation, key storage and access control for the sync fabric are met. This is what makes passkeys usable by US federal agencies.
  3. It discusses implementation considerations, such as using the flags in WebAuthn authenticator data (user verification, backup eligibility and backup state) to determine whether an authenticator and credential meet AAL2 requirements. For enterprise use cases, attestation can be used to verify an authenticator's properties.
  4. It outlines threats and challenges specific to syncable authenticators, including unauthorized key use, compromise of the sync fabric and the difficulty of revoking a key that exists in several places, and proposes mitigations.
  5. It recognizes the risk of user-to-user key sharing that some implementations allow, and gives separate guidance for enterprise and public-facing use cases.
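Point 3 above refers to flag bits that a relying party already receives on every registration and assertion. The following is an added example, not code from the NIST supplement or from the original post, showing how a relying party parses the fixed prefix of WebAuthn authenticatorData and reads those flags. The bit positions follow the WebAuthn Level 3 authenticator data layout. The acceptance rules in `assess_credential` are an illustrative policy of my own, not text from the supplement, and `build_auth_data` constructs sample input for the hypothetical relying party `example.com`.

```python
"""Read WebAuthn authenticatorData flags and apply an illustrative
relying-party policy for syncable (passkey) credentials.

Added example; not from the NIST supplement. The flag bit positions are
those of WebAuthn Level 3. The policy in assess_credential is an
illustrative assumption, not a requirement quoted from the supplement.
"""
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # User Present: a user gesture occurred (authentication intent)
FLAG_UV = 0x04  # User Verified: PIN/biometric checked locally (second factor)
FLAG_BE = 0x08  # Backup Eligibility: the credential may be synced
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int  # 0 when the authenticator implements no counter

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = raw[:32]
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])  # big-endian uint32
    return AuthData(rp_id_hash, flags, sign_count)


def assess_credential(ad: AuthData, allow_synced: bool) -> tuple[bool, str]:
    """Illustrative policy (assumption): decide whether to accept the credential.

    UP proves authentication intent; UV proves a second factor was verified
    on the device, which is what makes the credential multi-factor. BE/BS
    tell the relying party whether the key is syncable and backed up, so a
    relying party that refuses synced keys can reject them here.
    """
    if not ad.has(FLAG_UP):
        return False, "no user presence: missing authentication intent"
    if not ad.has(FLAG_UV):
        return False, "no user verification: single-factor only"
    if ad.has(FLAG_BS) and not ad.has(FLAG_BE):
        return False, "BS set without BE: inconsistent flags"
    if ad.has(FLAG_BE):
        if not allow_synced:
            return False, "syncable credential not accepted by policy"
        state = "backed up" if ad.has(FLAG_BS) else "not yet backed up"
        return True, f"syncable passkey accepted ({state})"
    return True, "device-bound credential accepted"


def build_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Construct a minimal authenticatorData blob (constructed test input)."""
    rp_id_hash = hashlib.sha256(b"example.com").digest()  # hypothetical RP ID
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = parse_auth_data(build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS))
    bound = parse_auth_data(build_auth_data(FLAG_UP | FLAG_UV, sign_count=42))
    for name, ad in (("synced passkey", synced), ("device-bound key", bound)):
        ok, why = assess_credential(ad, allow_synced=True)
        print(f"{name}: flags=0x{ad.flags:02x} accepted={ok} ({why})")
```

In a real deployment the flags are read from the `authenticatorData` field of the WebAuthn assertion response after the signature has been verified, and an enterprise relying party would combine the BE/BS check with attestation at registration time, as the supplement suggests; the flags alone are asserted by the authenticator and tell you what it claims, not what it proves.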

Overall, the supplement is intended to help organizations make informed, risk-based decisions about adopting syncable authenticators which, deployed properly, provide convenient, phishing-resistant authentication.

The supplement gives concrete criteria for judging whether a syncable authenticator is suitable for AAL2. It also names the new threats that come with synchronization, such as misuse of a replicated key and compromise of the cloud sync fabric, and suggests countermeasures. Its message is that syncable authenticators can raise security without sacrificing convenience, provided their risks are understood and they are introduced with appropriate controls.

The supplement is useful not only to security staff but to anyone considering the introduction of syncable authenticators. Public guidance from NIST should increase confidence in the security of syncable authenticators and encourage wider adoption, and a larger user base will in turn drive further innovation. The supplement is an important milestone for the healthy development of authentication technologies that combine security and convenience.

For background, the post by @phr_eidentity [1] gives a detailed account.

Footnote

  1. Fujie (IdM Laboratory), "NIST has released a supplementary document on syncable authenticators for SP 800-63B", https://idmlab.eidentity.jp/2024/04/nist-sp800-63b.html?m=1
