Hacking Humans 9.7.23
Ep 258 | 9.7.23

Passkeys: consumer-friendly password killers?

Transcript

Chris Sherwood: Passkeys are essentially just a public-private key pair authentication but sort of bundled into a consumer-friendly format.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's Hacking Humans Podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share this week, and later in the show, Chris Sherwood, owner of Crosstalk Solutions is joining us to talk about passkeys. [ Music ] All right, Joe, before we jump into our stories this week, we got a little bit of follow-up here. What do we got?

Joe Carrigan: The first one is on our comment, I think two episodes ago, in the Catch of the Day, we talked about revert as, what does this mean? This didn't make sense to us.

Dave Bittner: When you used the phrase "revert," like --

Joe Carrigan: Revert back to, and apparently a number of people have reached out to us to say in Indian English, like in India --

Dave Bittner: Yeah.

Joe Carrigan: This is a synonym for "reply."

Dave Bittner: I see.

Joe Carrigan: So a lot of times in email, you'll hear "revert back" which means "reply."

Dave Bittner: I see. So do we suspect it's a translation error or is that idiom used when people of Indian descent are speaking English?

Joe Carrigan: Yeah, people in India are speaking English.

Dave Bittner: Okay.

Joe Carrigan: Or people who are from India speaking English.

Dave Bittner: Right, okay.

Joe Carrigan: I don't know if that applies to people of Indian descent, but --

Dave Bittner: Well, for people for whom English is not their first language, who a -- one of the many languages of India is their first language -- I guess I'm --

Joe Carrigan: Right.

Dave Bittner: Overcomplicating it, but you know what I'm asking.

Joe Carrigan: But everybody in India learns to speak English pretty quickly.

Dave Bittner: Ah.

Joe Carrigan: So I don't know. They grow up in a bilingual environment.

Dave Bittner: Right.

Joe Carrigan: With English being one of the languages.

Dave Bittner: But it's a local idiom that gets loaned to English -- to their English usage.

Joe Carrigan: Yeah, that was one of the -- one of the respondents noted that he didn't know where in India the guy was from.

Dave Bittner: Okay.

Joe Carrigan: But I think it is maybe a local -- a local thing, yes.

Dave Bittner: Yeah, yeah, okay. All right, cool. What else we got?

Joe Carrigan: We got Jack, who writes in, says, "Hi, Dave and Joe. I'm going to start by saying that I love tuning in to the show every week and hearing the different tricks and simple attacks that are being proven to be more successful at large companies than a zero-day. Jokes aside, during the last episode, you guys were talking about side-loading applications on one's Android phone and how that can compromise the device. So I decided to dig a little bit into this attack vector and see how prevalent and possibly successful it is. I discovered quickly with some Googling, and, of course, some Google Dorking," which is just advanced Google search, you know, using some of the keys that you can limit, like, to a site.

Dave Bittner: Right.

Joe Carrigan: Which is a great way, actually, to do open source intelligence gathering as well. "I was able to find that many threat actors are using Google Sites to host and spread malicious apps around. This, for one, bypasses checks for random domains," which is true because it all goes from site -- it all comes from sites.google.com. "This, for one, bypasses checks for random domains as it's being served from a Google domain," which is true because these are all coming from sites.google.com, and he put a link in here that is a search result link and, sure enough, you know, I run this search in Google and there are just tons of apps, APKs, being hosted, which is what an Android app compiles to. That's what you download when you go to the Google Store, Google Play Store, you download an APK and that gets installed on your phone. All these sites are just serving out free APKs. I don't know how many of them are malicious. I didn't analyze any of them. I didn't download any of them.

Dave Bittner: Right.

Joe Carrigan: That's for certain.

Dave Bittner: Yeah.

Joe Carrigan: Even though I would have been downloading them on my Windows machine still. Jack goes on to say, "I guess you guys are right about Google not particularly caring about scams and malware on their products as a lot of these sites look the same." AI could recognize such a pattern and take them down before anyone gets hurt. I'd also recommend playing around with the search terms a little bit, like instead of APK try PDF, which is a great way to find open source intelligence on things, but yeah, PDF might also have viruses as well in it, other common scam warnings. You'd be shocked how many Google Sites are hosting that. Google appears to be doing nothing about it. "Thanks again for the great show and I hope to tune in again next week." So I don't know if AI is, I mean, I guess, maybe, what I would be doing if I were Google is looking at every single file and running that through some kind of malware analysis if people are serving APKs out on my site's site.

Dave Bittner: Yeah.

Joe Carrigan: This is -- this is actually pretty interesting, this work. I mean, can we put this search link in the show notes so people could check this out for themselves?

Dave Bittner: I don't see why not. Sure.

Joe Carrigan: Yeah. It's a good -- everybody could take a look at it and see what -- see what's going on here. I don't recommend downloading or installing any of these products. So please, do not do that.

Dave Bittner: Right.

Joe Carrigan: If you're going to click on this link.

Dave Bittner: Okay. All right, interesting. Well, thank you, Jack, for sending that in. Joe, let's jump into our stories here. You want to start things off for us?

Joe Carrigan: I sure do, Dave. My story comes from a listener named Kyle who sent this in as a Catch of the Day, but I actually think it merits a whole story. Kyle writes, "Hello, Dave and Joe. I'm an information security analyst that works at a bank." I won't say where. "I always listen to y'all's show and I thought this would be of some interest. The email chain was reported to PhishER by Patricia, a senior accountant. At first glance, it looks like a normal conversation, but when I looked up the history, we had no records of this conversation between Timothy, the executive, and the bad actor, Greg. It was completely fabricated to provide legitimacy, and they also made it seem like Timothy, the executive, was cc'd on the last email, but he was not. It had a few red flags, but we wonder if the person used AI to generate it." So let me summarize what's going on here. You have three actors in this story.

Dave Bittner: Right.

Joe Carrigan: One of them is Patricia. She is the target. One of them is Greg. He's the bad guy.

Dave Bittner: Okay.

Joe Carrigan: All right? And the third guy -- oh, by the way, Greg's name probably isn't actually Greg.

Dave Bittner: Right.

Joe Carrigan: I probably didn't need to say that, but I want to make this lucidly clear. And the third guy is Timothy. He's the executive, but I don't think he's aware of any of this stuff happening, because if he were, he would have said, "Slow down." So I'm looking at this email chain and the email chain starts with a -- with an email from Gregory that says, "Hello, Timothy. We would like to express our heartfelt appreciation for the recent phone call. Your interest and dedication supporting our organization's upcoming gala are truly commendable. We are extremely grateful that you have agreed to become a sponsor for this important event. Your partnership and contribution will play a pivotal role in ensuring its success. To fulfill your request, we are pleased to provide you with a comprehensive sponsorship package. The package outlines in detail various benefits associated with each sponsorship level. Additionally, you will find valuable information about the event itself, including the details and how the funds raised will be utilized to support our cause," and it goes on with still more stuff about, you know, thanks for -- thanks for being a fundraiser or a philanthropist.

Dave Bittner: Right.

Joe Carrigan: It's signed "Gregory K. Labella, Office Manager, Special Events, President of the George Rill Foundation." Now, the George Rill Foundation is a real foundation.

Dave Bittner: Okay.

Joe Carrigan: Okay? It's a small foundation. It's actually called the "George Rill Veterans Charity Fund, Incorporated," and it's based in the same general area as this bank is, which I kind of just gave it away, right?

Dave Bittner: Okay.

Joe Carrigan: So that's the first email that is on the chain. The second email is an email that looks like it came from Timothy, the executive, saying, "Hi, Gregory. I hope this letter finds you well. I wanted to express my gratitude for considering our involvement in your upcoming gala. Your organization's cause deeply resonates with us and we are eager to support the initiative. After careful deliberation, I am pleased to inform you that I am choosing the lead support level which is at $15,000," right? So Timothy didn't write this letter to Gregory.

Dave Bittner: Right.

Joe Carrigan: It never transpired.

Dave Bittner: Right.

Joe Carrigan: But that got sent and it said -- but the next letter in the -- in the email chain as well, "Thank you for your pledge and interest in sponsorship of our gala. We're thrilled to have you on board as a lead sponsor. SuperValu and C&S Wholesale Grocers have responded positively. We'll keep you updated. Please find a sponsorship pledge invoice attached," right? So there's an invoice attached. And the next email in the chain is an email allegedly from Timothy that says, "Hi, Gregory, please send all invoices to Karen for payment processing." Then this is the first, probably first real email in this entire chain.

Dave Bittner: Okay.

Joe Carrigan: The first thing that actually got sent over the email system using some email protocol. It reads "Hello, Karen. Attached, per the request of Timothy, you will find the gala and sponsorship invoice. Thank you and have a wonderful day." It's interesting for me that the person who received this and sent this in was Patricia. Patricia, I don't know if Patricia -- if Kimberly works for Patricia or if Patricia was just receiving Kimberly's email while Kimberly was on vacation, but what's happened here is somebody has synthesized an entire conversation. So this first email that comes in to Karen's inbox looks like it's also going into Timothy's inbox, so when Karen opens the email, she will see that she has Timothy copied on the email, essentially. He isn't copied on the email at all. He didn't receive an email. He knows nothing about this.

Dave Bittner: Right.

Joe Carrigan: So you could see how this would work, right?

Dave Bittner: Sure.

Joe Carrigan: This would be like, well, okay, Tim knows everything about this. He's copied on this email.

Dave Bittner: The boss wants this to happen.

Joe Carrigan: Right. I'm going to go ahead and send this guy a check for $15,000.

Dave Bittner: Right, right. Now, if I could pile on here --

Joe Carrigan: Sure.

Dave Bittner: And say that if these bad guys were super-duper smart, they could also wait for a time using open source intelligence to figure out when Timothy was on vacation.

Joe Carrigan: Right.

Dave Bittner: You know, like on Facebook or LinkedIn, if Timothy says, "I'm about to head off on a two-week cruise," you know.

Joe Carrigan: Yeah.

Dave Bittner: That's when you drop this.

Joe Carrigan: Right.

Dave Bittner: So that Timothy is out of touch, but it all looks like Timothy wants this to happen, and it's time-sensitive, you know, the event's coming up, so we better take care of this.

Joe Carrigan: Right, the deadline is before Timothy gets back from his cruise.

Dave Bittner: Exactly.

Joe Carrigan: Yeah. That's a good point. Now, Kyle asked if artificial intelligence was involved here in some way. I say there's a really good chance. These things are well written.

Dave Bittner: Yeah.

Joe Carrigan: And I can read them easily. I don't have the, you know, I don't have a lot of the -- well, I do have some of the stammering, but not a lot of the stammering. I normally have to try to do these cold reads like --

Dave Bittner: Yeah.

Joe Carrigan: I'm no Dave Bittner, ladies and gentlemen. But yeah, they're really well written. I would not be surprised to find out that these are written by somebody -- some LLM somewhere.

Dave Bittner: Right, right. So I guess the good news here, since Kyle sent this to us, is that this likely got caught before things went really bad.

Joe Carrigan: Yes. Yeah, it did, and Kyle did the forensics on it and then noticed that Timothy didn't receive or send any of these things that he --

Dave Bittner: Interesting.

Joe Carrigan: Reported to have received or sent.

Dave Bittner: Yeah. So I wonder whose, if anyone's, email got compromised here, if anyone's. It may not have been anyone's.

Joe Carrigan: Yeah, this doesn't involve anybody's email getting --

Dave Bittner: Doesn't require anyone's email.

Joe Carrigan: Does not require it, because Greg, with air quotes --

Dave Bittner: Yeah.

Joe Carrigan: Could send this first email in and completely fabricate that chain behind it, that conversation behind it.

Dave Bittner: Right.

Joe Carrigan: That's just text.

Dave Bittner: Yeah.

Joe Carrigan: An email. So yeah, it looks convincing, but it's entirely faked.

Dave Bittner: That's clever. All right. Well, thank you, Kyle, for sending that in. That is an interesting story. My story this week is actually one, similarly, something I saw over on Mastodon. This is a user whose name is Bjorn Toft Madsen, who seems to be from the U.K., from what I can gather, because the dollar amounts are actually pounds. So --

Joe Carrigan: Okay.

Dave Bittner: Bjorn tells the story of how he was almost scammed, and, in fact, was scammed, but it all ended out well for him.

Joe Carrigan: Good.

Dave Bittner: I'm going to paraphrase what he writes here. He starts off by saying, "I was the victim of an extremely clever card fraud social engineering hack. Well, partly a victim since I managed to stop it. I was called by my bank as they wanted to verify some suspect transactions on my account, then things got weird." All right, so we're tracking along here, Joe.

Joe Carrigan: Right.

Dave Bittner: Bjorn is minding his own business, his phone rings, it's his bank.

Joe Carrigan: Right.

Dave Bittner: Right? His bank says there had been a charge for 2,900 pounds on a travel booking site, and Bjorn says, "As this conversation with my bank's counter-fraud team was happening, I logged into my bank account and could see the fraudulent charge. The bank said, 'Was this you?'" And Bjorn said, "No, it definitely wasn't me." Well done for catching it. And then the bank said, "Also, sir, there is another transaction occurring right now that seems odd for 5,900 pounds at Marbella Boat Hire. Is this you?" Bjorn says, "No, that wasn't me either." And Bjorn says, "At this point, my pulse was raised and I was worried what else was going on." And the bank said, "Okay, sir, we're going to send you a verification code which we need you to read back to cancel the transaction," and Bjorn says, "Okay, let's get these canceled."

Joe Carrigan: Okay.

Dave Bittner: So then a text or SMS message arrives with a six-digit code and Bjorn puts the call on speaker so he can read it out, but then he notices something odd. He says, "The full text of the message says, 'Do not share this message with anyone. To approve the purchase from Marbella Boat Hire for $5,900, use this code.'" And Bjorn says to the person on the line from the bank, he says, "Hold on." He says, "I -- this says to approve the purchase."

Joe Carrigan: Right.

Dave Bittner: Without skipping a beat, the person from the bank says, "Ah, right, sir. We've had a few problems with our messaging system, so I'm not 100% sure what the message actually says. We just need the code so we can get the purchase blocked. You can ignore the start of the message." So Bjorn says his spider sense is tingling.

Joe Carrigan: Right. So actually, let's stop right here.

Dave Bittner: Yeah.

Joe Carrigan: What's already happened is exactly what we talk about all the time in this show. He logs in, he sees one fraudulent transaction.

Dave Bittner: Right.

Joe Carrigan: And he's being told that another one is about to happen.

Dave Bittner: Right.

Joe Carrigan: So his thinking is already short-circuited here.

Dave Bittner: Yeah.

Joe Carrigan: And that's what these guys are relying on.

Dave Bittner: Yeah.

Joe Carrigan: Now, fortunately, Bjorn has the wherewithal to go, "Hold on."

Dave Bittner: Right.

Joe Carrigan: "This doesn't seem right."

Dave Bittner: Right, and so that's what happened. Bjorn says, "I can't share this code," and the bank person says, "Sir, that is very smart. I'm sorry about our messaging system being so odd. Let me send you a notification inside your banking app instead," and the notification arrives and he opens his banking app and he sees a red warning label. That's going to be a button to cancel the transaction, but again, it just says, "To approve this transaction," so Bjorn is starting to worry.

Joe Carrigan: Right.

Dave Bittner: So he says, "Look, I need to call my bank directly. This all seems a bit odd." And then, of course, the guy from the bank hangs up.

Joe Carrigan: Right, yup.

Dave Bittner: So Bjorn calls the bank. They verify that it wasn't him.

Joe Carrigan: Right, wasn't them.

Dave Bittner: Wasn't them, rather, right.

Joe Carrigan: Right, yeah.

Dave Bittner: So Bjorn says very cleverly the fraudster has used their first fraudulent transaction to socially verify that they knew something that only the bank could know about a transaction on his card. Then they used that transaction, that they themselves had done, to get him to read a 3-D Secure code, and a 3-D Secure code is a kind of an extra measure you can put in place with your credit card company to have -- to basically do exactly what happened here, to have them send you a code. Evidently, this is quite popular in Europe, not as popular here, although it does exist.

Joe Carrigan: I will bet -- I'm going to bet, Dave.

Dave Bittner: Yeah.

Joe Carrigan: That the limit on his account for the code was 3,000 pounds.

Dave Bittner: Could have been. Bjorn goes on to say that they were able to do this because the first transaction had happened on a site that didn't use 3-D Secure. So 3-D Secure is the --

Joe Carrigan: Oh, okay.

Dave Bittner: The brand of this -- this thing that gets tacked on to your credit card service to activate this extra level of security.

Joe Carrigan: Right.

Dave Bittner: Bjorn says, "I'm surprised this is still possible. In the end, my bank refunded the first transaction, so I haven't lost anything." And he goes on to say, "But it shows the clever tricks fraudsters will try to pull and how easy it is to be fooled by the boiler room trick. It's happening right now. Do something quick."

Joe Carrigan: Yup.

Dave Bittner: So I thought this was a fascinating story. You know, Bjorn got lucky here. His combination of luck and his own good gut feeling --

Joe Carrigan: Yeah.

Dave Bittner: That led him to refuse to give them the code that they wanted. But I thought the actual attack here is clever of using -- convincing him that they were the bank by leading with information that most people would presume only the bank would have.

Joe Carrigan: Right.

Dave Bittner: They will say, "Here is the transaction, it was fraudulent, go look it up," and you look it up and it's exactly what they described, and how could someone else know what was going on with your bank account other than your bank?

Joe Carrigan: Right, unless they're the fraudsters.

Dave Bittner: Exactly.

Joe Carrigan: Right? They know.

Dave Bittner: Exactly.

Joe Carrigan: They know exactly what's going on.

Dave Bittner: Right, right. What do you make of this, Joe?

Joe Carrigan: Exactly what it seems to be.

Dave Bittner: Yeah.

Joe Carrigan: I mean, this is a -- this is a clever follow-on to them compromising or somehow getting his credit card information.

Dave Bittner: Right.

Joe Carrigan: Using it in a web purchase. The first web purchase happens for $2,900.

Dave Bittner: Yeah.

Joe Carrigan: I hope the bank was able to call that money back.

Dave Bittner: They did, yeah. He says they refunded --

Joe Carrigan: Gave it back to him.

Dave Bittner: Yeah.

Joe Carrigan: But I wonder if they're out the money.

Dave Bittner: Oh, yeah, yeah.

Joe Carrigan: If it's a credit card company, then I'll bet they have recourse.

Dave Bittner: Yeah.

Joe Carrigan: But if it's -- if it's just a bank and they're, like, doing debit cards or something, who knows? I don't know.

Dave Bittner: Yeah. All right, well, it's an interesting one. We will have a link to that thread. Again, that's over on Mastodon, and I appreciate Bjorn Toft Madsen sharing that story with the world.

Joe Carrigan: It's important to do that.

Dave Bittner: Yeah, yeah. And happy for him that all's well that ends well.

Joe Carrigan: Indeed.

Dave Bittner: But good cautionary tale there. All right, Joe, it is time to move on to our Catch of the Day. [ Soundbite of reeling in fishing line ] [ Music ]

Joe Carrigan: Dave, our Catch of the Day comes from Alec who writes, "I received this incredibly long and oh-so-tempting," please note my sarcasm, "request in my Instagram conversation requests. The screenshot is attached," which, of course, I didn't need to read that. I did. "I imagine if I tried to pursue this European lady, I would end up getting a nice Trojan on my phone or possibly purchasing some fake Bitcoin. Enjoy."

Dave Bittner: All right, it goes like this. "Sorry to bother you. We are a European dating platform. Excellent singles are recommended here."

Joe Carrigan: Hot singles near you, Dave.

Dave Bittner: "Our platform won the Best Marriage and Love Platform in 2022 and has helped 100,000-plus men and women achieve marriage and love. Let me introduce our wonderful female guest. She is Echoleen [phonetic] Meenyo [phonetic] from Canada."

Joe Carrigan: Don't you hear the Match Game music playing? Or not the Match Game. The -- what was it? The Dating Game.

Dave Bittner: Dating Game, sure.

Joe Carrigan: The Dating Game, "Let me introduce our bachelorette."

Dave Bittner: Right. "She is Echoleen Meenyo from Canada currently living in the U.K. She has many hobbies, such as running, fishing, mountain climbing, and learning all kinds of knowledge that she doesn't know." [laughter] That's funny.

Joe Carrigan: That's awesome.

Dave Bittner: That's hilarious.

Joe Carrigan: I love learning knowledge, too, Dave.

Dave Bittner: You know, the best kind of knowledge to learn is knowledge that you don't know, right?

Joe Carrigan: Right.

Dave Bittner: It's so -- it's so much better than learning knowledge that you already know. It's just a better use of your time.

Joe Carrigan: That's a huge waste of time, Dave.

Dave Bittner: Yeah, it really is. It goes on, "Have their own business. A perfect man is one who has no bad habits, is self-motivated, loves life, and can tolerate his own petty temper. Age over 30 years old. If you like our female guest, you can click the link below to add her WhatsApp account. Sexual harassment, do not disturb." And then there's a link. Why do you -- okay, why do you suppose the last sentence in here is "sexual harassment, do not disturb"?

Joe Carrigan: I think that means if you plan on sexually harassing this girl, please don't bother her.

Dave Bittner: Okay.

Joe Carrigan: Right?

Dave Bittner: Right. That makes sense.

Joe Carrigan: But I guarantee you, if you click on this link, you are not going to talk to some girl --

Dave Bittner: No.

Joe Carrigan: Who's looking for love. You're talking to some scammer.

Dave Bittner: No, no. Did you ever have a girlfriend in Canada, from Canada, Joe?

Joe Carrigan: No. No, I did not.

Dave Bittner: Okay. Never claimed to have a girlfriend from Canada, Joe?

Joe Carrigan: Never claimed to have a girlfriend from Canada.

Dave Bittner: No?

Joe Carrigan: No.

Dave Bittner: Okay.

Joe Carrigan: I just always own up to how pathetic I was. "Do you have a girlfriend? No."

Dave Bittner: No? Not even one in Canada?

Joe Carrigan: No. There's this one girl in --

Dave Bittner: Okay.

Joe Carrigan: No.

Dave Bittner: All right. Well, that is a pretty funny one and --

Joe Carrigan: It is. That's really good. Thank you for sending it in, Alec.

Dave Bittner: Yeah, thank you, Alec. And, of course, we would love to hear from you. If there's something you'd like us to consider for the show, you can email us. It's hackinghumans@n2k.com. [ Music ] All right, Joe, we have an interview this week that actually I am excited about, and I'll tell you why. I have been wanting to have a guest on for quite some time who could explain passkeys, and I don't know how far you've gone down the path with passkeys, but I have been very passkey curious, but I have not engaged with anything with passkeys just because I haven't felt like I've had a really good explainer of exactly what passkeys are and how to use them. I know there's excitement around them, and then magically and mystically, on my YouTube feed there came a video that Chris Sherwood had posted that was an explainer on passkeys, so I watched it. It was excellent, and I said, "Aha, got to get this guy on the show." So we reached out and he signed up, and so happy to share that interview today. Here's my conversation with Chris Sherwood from Crosstalk Solutions.

Chris Sherwood: So I probably don't know the full, full history of it. What I do know is that passkeys have been a technology that has been around actually for many, many years. I think they've been available on, you know, for instance, YubiKey hardware devices for more than five years now. Essentially what it is, passkeys are a consumer-friendly version of what's known as the FIDO2 WebAuthn authentication protocol, and what happened is about a couple of years ago, you know, YubiKey and Apple and Google are getting together and they're like, "Oh, we got to do something more about security. Why don't we do something with these, you know, discoverable WebAuthn FIDO credentials?" And Apple came along and they said, "Yeah, but we can't call it that because no one's going to know what that means." So they came up with the term "passkeys." So passkeys are essentially just a public-private key pair authentication but sort of bundled into a consumer-friendly format.

Dave Bittner: And so I recall, you know, it's been probably within the past year or so that there was really a lot of talk about this and some, you know, the announcements were made, and, as you say, it seemed like Apple was kind of leading the charge here, but they're not the only ones involved. A number of organizations have agreed to use the name "passkey" and also integrate it into their devices and systems.

Chris Sherwood: Yeah, that's correct. So I think the forefront leaders are Apple as well as Google. I believe Microsoft is in there as well because they use passkeys with Windows Hello. But then certainly companies like YubiKey have been using them for years, and a lot of the password managers, the popular password managers are also hopping on the bandwagon. For instance, 1Password, Dashlane, and I believe Bitwarden has also announced support for passkeys. I think those are all sort of like coming soon, you know, beta -- beta announcements.

Dave Bittner: So correct me if I'm wrong here, but the notion is that we're trying to do away with passwords to allow an alternative and also more secure way to log in to things. How does it work?

Chris Sherwood: Yeah, so great question. So really what it comes down to, in my mind, is that passkeys are -- the key to passkeys is that consumer friendliness, right? So, you know, you and I, as folks who are, you know, adept at security practices, you know, we understand that, like, higher levels of security, two-factor authentication, you know, TOTP, time-based one-time pass codes, things of that nature are important for ensuring that we stay as secure as possible. But like, what about your, you know, your wife or your kids or your grandparents or your, you know, neighbor next-door who doesn't know about these types of things? I mean, those are people that use the same password over and over on different sites. They have memorized passwords that are super weak and they can't, you know, they reuse them across all sorts of different platforms. Those are really the folks that are going to benefit most from passkeys because those are the folks who are most susceptible to phishing attempts, and something like 80-plus percent of all successful phishing attempts happen because of weak passwords, right? So passkeys attempt to get that sort of out of the equation by using a technology that most of those folks might already be familiar with. And so if we're talking about, for instance, the Apple ecosystem of products, it's going to be something like Face ID or Touch ID, right? So rather than, you know, authenticating with a password, even if you have a password and a password manager and you're using, you know, two-factor authentication enabled, using Face ID with a public-private key authentication and no actual password in the mix is more secure than even the most secure versions of, like, TOTP two-factor authentication.

Dave Bittner: So the notion here is that you have both the device -- let's say for argument's sake you have, you know, an iOS device, an iPhone, something like that, so you have the device in your possession and then also it's scanning your biometrics with Face ID to verify that it's you, so there are multiple factors there.

Chris Sherwood: That's correct, yes. And then the other sort of key thing in my mind is that as far as, you know, when you're authenticating with Best Buy or eBay or Twitter or whomever, right, right now they have a salted hashed copy of your password and that is certainly susceptible to server leaks and server haps [phonetic], right? Hacks, right? Those end up kind of like on the proverbial dark web and, you know, you get notifications that, hey, there's been a compromise and that sort of thing. With passkeys, those services and websites only have a copy of your public key, the public key side of your private-public key pair, so when you go to authenticate with a passkey, what's actually happening is they are sending -- they're using your public key, they're creating an authentication challenge, they are sending that to your device, whether that device is your browser or your iPhone or your Android device, and your private key, or your passkey that is stored on that device, is completing that challenge and then sending back to that service basically, yes, this person authenticated successfully. So by doing that, the private key never leaves your device. So even if, you know, Best Buy or eBay or Walmart or whomever gets hacked and their whole database of information gets leaked out to the rest of the world, all they have is your public key and that's something that really isn't phishable or hackable. There's not a lot that hackers can do with it and that's kind of the whole point. Now, is this completely infallible? No, it's not, right? There are ways, you know, if someone shoulder-surfs your PIN code and then steals your phone and they can get in and they can, you know, share your passkeys to their devices, certainly that is possible, but it would reduce the vast majority of those types of phishing and hacking attempts.

Dave Bittner: You know, Chris, I must admit, I've been a little timid at jumping in with this, mainly because of my lack of having a complete understanding about it. What is the transition like for folks? You know, let's say I'm logging into my Gmail account or something like that and I'm using a username and password combination and I want to switch the passkeys. What's that going to look like for me as a user?

Chris Sherwood: Yeah, so typically, it's just going to be almost similar to the same signup process that you do with like a two-factor authentication setup, right, where you scan a QR code and go through the, you know, you use Google Authenticator to set that up. It's basically just going into your settings and saying "enable passkeys" and it walks you through a quick sort of wizard that sets that all up for you, which is actually pretty easy. The problem is, in my mind, it's not quite fully mature yet. So in -- I did a video on passkeys recently on YouTube, and in that video, I used Best Buy as the example. So here in the U.S., we have Best Buy, a big chain electronic store, and they have passkeys enabled for their accounts. Now, when you go to enable passkeys, you can certainly enable that passkey, but they're not fully committed to it yet, right, because number one, you still need an email and password created in order to sign up originally, and then once you create your passkey, you can switch to it and use it on your device, but there's no option for deleting the password off of Best Buy's site, like you can't only use the passkey. So we're not quite there yet. It's getting there, though, and certainly, you know, the reason that passkeys are so geared towards the general consumer is that a lot of people are already used to Face ID, right? They're used to, like, looking at their phone and authenticating, you know, to open it up. So it's essentially the same thing, but now you're doing that for all websites instead of just to unlock your phone.

Dave Bittner: And is this handled on a site-by-site basis? I mean, there's not -- it's not going through Apple or Google or Microsoft. It's not centralized, is it?

Chris Sherwood: So it is not. It is -- the only centralization is your passkey manager, right? So the passkey manager is going to be your Apple iCloud. It's going to be your, you know, Google Chrome or Android ecosystem of products. If you're going to use a password manager, like 1Password, for instance, that becomes your password manager. So there is some level of trust that you are still having to put into a third-party organization. I guess on the plus side, you can pick and choose which organization you put your trust into. I know that a lot of my viewers, you know, are going to say like, "Wait a minute. I don't -- I don't trust Apple and I don't trust Google and I don't want them to have that information." Well, there are other options out there, and certainly even something like Bitwarden, which is a password manager that allows you to self-host all of your passwords, would be a good option for I think the folks that are most security-conscious.

Dave Bittner: What are your recommendations for folks who want to start down this path? You know, like I said, I'm -- I've been a little hesitant just because of my own misunderstanding or ignorance of it. Is there an easy way to start, you know, a place you'd recommend as a good example of how this all works?

Chris Sherwood: I would certainly try some site that is not quite -- like not your most sensitive and important stuff, like your bank account or your work accounts, right? So something like Best Buy would be a good example, and what you want to do is basically look for the passkey symbol, and you can sort of Google that and see what it actually looks like. It's basically like a little icon of a guy with a little key next to him, and if you see that passkey symbol, that means that that particular website or service supports passkeys and you should have the option to switch over to them.

Dave Bittner: Is it your sense that this is gaining traction, that it seems like this may stick?

Chris Sherwood: You know, I don't really have a sense of that. I would certainly hope so, and it does seem like more and more entities are supporting passkeys. You know, again, like I said, there's been announcements from, as far as I know, most if not all of the major password managers, Apple, Google, Microsoft, and everyone does seem to be sort of hopping on the passkey bandwagon. There's also a pretty good directory. It's -- if you go to the website passkeys.directory, it's a directory that was created by 1Password that lists all of the websites that currently support passkeys, or at least a vast majority of the ones that currently support passkeys. So you can kind of go to that website and just look around and see, "Hey, oh, yeah, I use that service, I use that service," and then you can log in to those services and try them out.

Dave Bittner: And for folks who want to check out your own video on this, so that you posted on YouTube, which, by the way, is how I found you, what's the best way for them to do that?

Chris Sherwood: Yeah, it's Crosstalk Solutions on YouTube, straightforward. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: We're getting very close, Dave.

Dave Bittner: Yeah.

Joe Carrigan: Very close to the death of passwords.

Dave Bittner: Yeah.

Joe Carrigan: And hopefully this is -- this could be -- well, this could be the password killer.

Dave Bittner: Yeah.

Joe Carrigan: Right? I love the discussion that he talks about, what do you call it, "discoverable WebAuthn FIDO credentials"?

Dave Bittner: Yeah.

Joe Carrigan: Discoverable web authentic FIDO credentials, get your discoverable web -- can't do that.

Dave Bittner: Right.

Joe Carrigan: All the marketing in the world is not going to make that work.

Dave Bittner: No.

Joe Carrigan: It's got to be something that everybody understands.

Dave Bittner: Yeah.

Joe Carrigan: Passkey.

Dave Bittner: Yeah.

Joe Carrigan: Very elegant.

Dave Bittner: Yeah.

Joe Carrigan: Very nice.

Dave Bittner: Like he said, very Apple-y.

Joe Carrigan: Right, right. Yeah, it is very Apple-y.

Dave Bittner: Right.

Joe Carrigan: It works, and if that's what it takes to work, then that's great.

Dave Bittner: Yeah.

Joe Carrigan: Basically, essentially, it's just a way of doing public key encryption for authentication.

Dave Bittner: Yeah.

Joe Carrigan: Across all the platforms, and it's a system that is managed by the FIDO Alliance who does the FIDO2 authentication protocol, which is for multifactor authentication.

Dave Bittner: Yup.

Joe Carrigan: And what I think is of paramount importance in this entire conversation is this has to be consumer-friendly. So it has to be -- I like that it's integrated with other systems, right, that like Apple and Google and Microsoft are involved in this. Password managers are working on it.

Dave Bittner: Right.

Joe Carrigan: It can be integrated with Face ID from Apple. It can probably be integrated with your phone from -- from Google.

Dave Bittner: Yeah.

Joe Carrigan: It is definitely integratable with your YubiKey. Your YubiKey can support these.

Dave Bittner: Right.

Joe Carrigan: So probably your Google Titan can also support it, but I think it is really important that it be integrated into an existing system. Chris touches on a few points here. One of the things he says is when you log in with a password, those sites have salted hashed versions of your passwords. Let's hope that's what they have. Chris doesn't talk about this, but let me -- this is one of my -- one of my -- one of my pain points. When you sign up for a website, you have no control over how they store your password.

Dave Bittner: Right.

Joe Carrigan: You can only hope that they are salting and using a good hashing algorithm.

Dave Bittner: Right.

Joe Carrigan: They could very well be storing it in plain text.

Dave Bittner: Yeah.

Joe Carrigan: Right? And you'd never know.

Dave Bittner: No.

Joe Carrigan: That site gets breached.

Dave Bittner: And it happens. I mean --

Joe Carrigan: It happens.

Dave Bittner: Every now and then, there'll be a breach, and the revelation comes that despite what they said in their -- all of their security guidelines, that -- turns out that they were storing passwords in the clear.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: That has happened multiple times.

Dave Bittner: Yeah.

Joe Carrigan: That reason, that reason alone is reason enough to look for some kind of public key-private key solution where, like Chris talks about, if you get your public key stolen, who cares? This is my public key.

Dave Bittner: Right.

Joe Carrigan: I don't need my -- I don't care if you have my public key. I might not try to authenticate to you.

Dave Bittner: Yeah. The way the system's designed, it doesn't matter if they get that.

Joe Carrigan: Right.

Dave Bittner: That's a security feature of the design of the system.

Joe Carrigan: Of the design of the system, exactly. And generally with public keys, they're public knowledge anyway. So they're not -- actually, with public and private key encryption, that key was never intended to be private.

Dave Bittner: Yeah.

Joe Carrigan: It was always intended to be something that could be public knowledge.

Dave Bittner: Right.

Joe Carrigan: I mean, it works for authentication, but it also works for communications as well. So if I want to send a message that only you can read, I can encrypt it with your public key. Then I know that only Dave Bittner can decrypt it because he's the only one with the private key.

Dave Bittner: Okay.

Joe Carrigan: Right?

Dave Bittner: Yeah.

Joe Carrigan: But we're not talking about communication. We're talking about -- we're talking about authentication. Now, Dave, I'm shocked that it took us this far in the show to digress any amount from what we were talking about.

Dave Bittner: We were so close.

Joe Carrigan: We were.

Dave Bittner: We were so close.

Joe Carrigan: We almost made it, Dave.

Dave Bittner: Yeah. Whatcha mean "we"? [laughter].

Joe Carrigan: One of the issues with this is it relies on the site you're accessing to use the implemented protocol. So this is going to have to face an adoption climb, if you will, a slope of some kind.

Dave Bittner: Yeah.

Joe Carrigan: And if you want to know how the system works behind the scenes, FIDO Alliance has a great FAQ on it. One of the things I do want to talk about that Chris touched on was sharing these passkeys. He talks about airdropping passkeys or sending passkeys to somebody else. The problem is that's like swapping your private key. So my concern here is that there's a way to socially engineer your private key from somebody. All you have to do in this case is, remember, never send your private key to anybody else unless it's the use case, like where you have to give it to your wife for some reason and your wife is standing there and her phone is open and your phone is open.

Dave Bittner: Right, right, right, right. But if you're on an airplane --

Joe Carrigan: Right.

Dave Bittner: Something pops up.

Joe Carrigan: Somebody says, "Hey, it's your wife. I need" --

Dave Bittner: Yeah.

Joe Carrigan: I need to buy the key. Don't. Don't do that.

Dave Bittner: Yeah.

Joe Carrigan: Don't do that.

Dave Bittner: Yeah.

Joe Carrigan: Me, for me personally, I would prefer to have the hardware solution, although the software solution does provide a lot of flexibility.

Dave Bittner: Right.

Joe Carrigan: One of my big concerns would be being locked out of my account should the hardware solution fail. So that's something to keep in mind.

Dave Bittner: Or maybe the hardware solution is a backup, you know.

Joe Carrigan: Right.

Dave Bittner: In other words, should you -- should the -- should your phone fail or get lost or whatever, then if you have a hardware key, you can use that as a secondary verification of who you are.

Joe Carrigan: Right, or maybe you can just verify with two keys or three keys, or however. You could have as many public keys as you want in this --

Dave Bittner: Right.

Joe Carrigan: This server.

Dave Bittner: Right.

Joe Carrigan: But yeah, I'm really -- I'm really -- I'm going to look into -- I'm going to watch this video. I'm going to look into this, look into this protocol, read this FAQ on the FIDO Alliance, do a little bit more research on this because this sounds like a really good idea.

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Chris Sherwood for joining us. Again, he is the owner of Crosstalk Solutions. We'll have a link in the show notes to the video that originally caught my eye, but we appreciate him taking the time for us. [ Music ] That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. This show is edited by Tre Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening. [ Music ]