Passkeys: Easy, strong and secure authentication

By Beate Thomsen, Co-founder & Product Design - August 09, 2023

Want to try Rapidi?

Integrate any Salesforce and Microsoft Dynamics systems fast

TALK TO AN EXPERT

Security: Make strong authentication easy for users

In November 2021 we released our support for passkeys (back then called Security keys) as an authentication method for Myrapidi. We are pleased to announce that we have done further development on even stronger authentication. In this article, we will go through what a passkey is, how to use it with MyRapidi, and which passkeys are right for your organisation to ensure strong authentication is easy for users.

Some history

The term passkey was first popularized in June 2022 when Apple announced they would be adding support for passkeys in iOS and macOS. This was the first time that most people had heard of the term, and many assumed that it was specific to Apple. However, the term is also used by other companies such as Microsoft and Google.

The passkey implementation from Apple, Microsoft, and Google all relies on the FIDO2 and WebAuth standards that have existed since xxx. But in order to get a wider adoption of a more secure authentication the big three implemented a non-hardware bound option relying on their respective login accounts and renamed the daily term from security keys to passkeys.

What is a passkey

A passkey is a digital credential that is used as an authentication method for websites and applications. The passkeys standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance. They are often stored by the operating system or web browser and synchronized between devices from the same ecosystem using the cloud, however, they can also be confined to a single device such as a physical security key also known as a hardware-bound passkey.

Synced versus hardware-bound passkeys

As mentioned above, you have two different passkey implementations: synced and hardware-bound.

Synced passkeys are authentication credentials that are synchronised or shared across multiple devices such as smartphones, laptops, and tablets connected to a user account. The main idea is to have the same authentication credentials available on all the user's devices, allowing for a consistent login experience across different platforms and devices.

Hardware-bound passkeys are authentication credentials that are securely bound to a specific hardware device such as a USB key - like the Yubikey - or other pieces of hardware separate from everyday devices. This means that the passkey's private key material is stored and protected within dedicated hardware, ensuring that the key cannot be easily accessed, copied, or moved to other devices. The hardware-bound passkey option delivers higher security assurance compared to the synced passkey option.

difference between synced and hardware-bound passkey

Image source: Yubico

The Main difference between synced and hardware-bound passkeys

The main difference between synced passkeys and hardware-bound passkeys lies in their storage and authentication process:
  • Synced passkeys are authentication credentials that are synchronised or shared across multiple devices, offering convenience but potentially raising some security concerns.
  • Hardware-bound passkeys are cryptographic keys stored in dedicated hardware devices, providing a higher level of security and protection against various attacks.

Which passkeys are right for your organisation?

Passkeys are designed to be more convenient and phishing-resistant than conventional authentication methods. Passkeys are more secure than passwords and enable a move to passwordless authentication that enables greater security and efficiency. Which type of passkeys would be the best solution for your organisation will totally depend on which internal security policies your organisation operates after, and using one of the methods will keep you much more secure than just relying on passwords. Passkeys are better than passwords because they’re based on modern FIDO protocols and offer stronger protection against phishing.

In the infographic below the different usages of each method are illustrated, and might help you be more clear about which implementation method to use for your organisation.

purpose of passkeys

Image source: Yubico 

Synced Passkeys

If you need ….

Hardware-bound Passkeys

YES

To sync passkey between devices

NO

May not work

Platform flexibility between Apple, Google, and Microsoft

YES

NO

Hardware attestation

YES

YES

Shareable credentials

NOT Sharable

MAY NOT meet enterprise-level security and regulatory requirements

Complies with regulations

YES - Meets strict compliance and regional certification needs.

Easy to recover

Account Recovery

Requires more steps

Not easily integrated

Use in higher security environments like mobile restricted, shared workstations, and “bring-your-own-device”

YES

 

PROS & CONS OF THE TWO AUTHENTICATION METHODS

Synced Passkeys: Pros:
  • Accessibility: Synced passkeys are usually stored on a user's multiple devices (e.g., smartphone, tablet, laptop), making them readily accessible wherever the user goes.
  • Convenience: Users can easily switch between devices without needing separate hardware tokens.
  • Backup options: In case a device is lost or stolen, users may have the option to recover or reset their synced passkeys using account recovery methods.
Cons:
  • Vulnerability to Device Compromise: If a device where the synced passkey is stored becomes compromised, it could lead to potential security risks if attackers gain access to the passkey.
  • Single Point of Failure: If a user's primary device is lost, damaged, or unavailable, and they haven't set up proper backup options, they may have difficulty accessing their accounts.
Hardware-Bound Passkeys: Pros:
  • Enhanced Security: Hardware-bound passkeys are physically separate from the user's devices, making them less vulnerable to software-based attacks or malware.
  • Phishing Protection: Hardware keys offer protection against phishing attacks because they require physical interaction to authenticate, which cannot be replicated by malicious websites.
Cons:
  • Dependency on the Physical Key: Users need to carry the hardware key with them, which may be cumbersome for some individuals.
  • Cost: Hardware keys typically have an upfront cost, which might be a deterrent to widespread adoption.

In summary, the choice between synced passkeys and hardware-bound passkeys depends on the balance between security and convenience that your organisation prioritizes. Synced passkeys offer greater convenience and flexibility but may be more vulnerable to device compromise. On the other hand, hardware-bound passkeys provide higher security levels but might require users to manage a physical token and incur additional costs.

WHY USE PASSKEYS WITH MYRAPIDI?

At Rapidi security is a top priority, so we take the use of passkeys very seriously and have enforced it internally. What does this mean? It means that when a user tries to log in without a passkey this is not possible.
Rapidi does support the synced passkeys method, but highly recommends the hardware-bound authentication method, as it still remains the most secure method. As hardware-bound passkeys- using the WebAuthn and FIDO2 standards - provide a very secure way to authenticate yourself and avoid practically all possibilities of account takeover.

A passkey can be set up in two different ways with MyRapidi - either as Passwordless (no password is needed at login) or as a Second Factor (like the Google 2FA but more secure as it is a hardware key). Passwordless authentication combines the use of a physical device (which has some unique key and the ability to securely authenticate with a service) and then some personal knowledge like a PIN code or a personal feature like a fingerprint.

So as passwords can be stolen or guessed (and used remotely), it is much harder for someone to get hold of both the piece of hardware AND the personal knowledge or feature (PIN code or fingerprint). Even strong passwords used in combination with 2FA codes (like what we support with the Google Authenticator app) are less secure than using passwordless login. Hackers could steal your mobile phone number remotely and get access to your email account and then reset your password and get into your account. With passwordless login enabled (and passkeys enforced), they will always need the physical hardware key also!

HOW TO ENABLE PASSKEYS ON MYRAPIDI

So how do you enable your passkey for your login?
You need the following items to use a passkey with MyRapidi:
  1. A browser that supports FIDO2. In general, regarding the latest versions of Google Chrome, Safari, or Microsoft Edge, visit this page for more details about FIDO2 and U2F support.
  2. A hardware-bound passkey (like YubiKey) or biometric devices like a built-in fingerprint reader in your laptop or mobile device.

Then to set up a passkey with MyRapidi:

passkeys in myrapidi

Go to Personal Settings > Passkeys
MyRapidi will check if your browser is supported. If it is not supported, you will get a message about this

 

passkey_myrapidi_2

In the section “Add new Passkey” enter a name for your key (for example: "Beate's Yubikey")
Check the box "Passwordless" if you would like it to be passwordless, if you do not check it you will register it as a second-factor key.
Click the button "Add passkey"

Then follow the steps provided in the popup browser window as illustrated below:

 

setup passkeys first step


Once you click on "add passkey" the browser will prompt you with the first pop-up window. Click "Continue"

 

passkey enter pin code

Enter the PIN code for your passkey

passkey touch it

If you have not already done so, add your hardware-bound key to your device (laptop, desktop...) and touch it to complete the process.

passkey successful setup

Congratulations! You have successfully added your first passkey, and you will see it in the list of active passkeys.

We recommend that you add at least two different devices so that you have a device that you normally use and a backup device. If you do not check the box "Passwordless" the key will instead be used as a secure Second Factor device. In this case, you still have to enter your password, and you then have a more secure second-factor authentication that MyRapidi will ask for after the password is entered.

After you have registered your passkey it will appear in your list of passkeys.

  • Origin: the URL where it's registered under
  • Name: the name you gave the passkey
  • Type: either it will be passwordless or second factor
  • Authentication type: a) platform: a synced passkey or b) cross-platform: a hardware-bound passkey
  • Finally, in the action column, you can edit the name of your passkey or delete it.

Read more on our wiki: Passkeys

ENFORCE THE USE OF PASSKEYS

A system is only as secure as the weakest link and adding a security key is very good, but if you can cancel out of using the key and then login with just a password as before, then you do not really have a more secure system (but you do have a more convenient login method). As an Account Administrator, you can enforce the use of a passkey for a user. This means that the use of a passkey is always required to log in to MyRapidi. In order to do so you need to do two things: 1) enforce the use of a passkey for yourself as an admin and 2) enforce the use of a passkey for a user. For this two-step process go to Account Admin > Manage Users. Below we will walk you through this process.


ENABLE ENFORCEMENT FOR THE USE OF PASSKEY FOR YOURSELF AS ACCOUNT ADMIN

Again, to ensure the overall security of your MyRapidi account, it will require that you enable the enforcement of a passkey for yourself first.

To enable the enforcement for yourself please ensure that you have added at least 1 passkey to yourself (under Settings -> Passkeys), then go to 'Manage Users' and click the key icon with the "+" for your user. 

passkey_myrapidi_enforce_you_admin

step 1: enforce the use of Passkeys for yourself

A key icon with a "*" will appear in the 'Keys' column.

Please note that for security reasons you cannot undo the enforcement yourself. To disable the enforcement you will need to ask another MyRapidi Account Administrator.

enforce use of passkey for admin

step 2: after enforcing the use of Passkey for yourself - the right to enforce it on other users becomes available


ENABLE ENFORCEMENT OF THE USE OF A PASSKEY FOR A USER

After you have enforced the use of a security key for yourself you can enforce the use of passkeys for other users. If you enforce the use of passkeys for a user who has not yet set up a passkey, the only way for the user to log in to MyRapidi is for the Account Administrator to reset the user's password. After resetting the password, the user will be able to log in and can then set up a passkey. So it is better to wait for the users to set up some security keys, but you can force them like this.

enforce use of passkey for user

image: an overview of users who have the use of passkeys enforced

MANAGE USERS - SOME ADDITIONAL FUNCTIONALITY

In order to make it easier for MyRapidi Account administrators to ensure the strong security of their MyRapidi Account, we have added additional functionality on the 'Manage Users' page. First of all, you will be able to see the activity history for each user and what Services the user has access to. As before, you can also reset a user's password, assign or remove admin rights to a user, disable 2FA for a specific user and delete a user. The image below should give you an overview of the possibilities to manage your users.

manage_users_overview

image: Account Admin > Manage Users Read more on our wiki: Manage Users

LOGIN PROCEDURE

With the support for passkeys, the login process is a two-step process. The first step will be to put in your user name and click "Continue".

login procedure with passkey

The next step will depend on what has been set up for the specific user. If you have set up a fingerprint reader on your laptop, then you just touch the fingerprint reader, and you are logged in.

If you have set up your passkey with a hardware-bound device you will be prompted with the browser pop-up that pretty much resembles the process when setting up your passkey in myrapidi.com.

 

login with hardware bound passkey

Choose "USB security key"



login_2
Insert your passkey into your device (if you have not already done so) and enter your PIN code for your passkey. Click "Next".

enter pin when logging ind with passkey

Touch our passkey again to complete the process and you will be logged in. Congratulations! You have successfully logged in to MyRapidi.

touch passkey at login

If you have not yet set up any passkeys (and it is not enforced) it will ask you for your login credentials with password and 2FA.

login without passkey defaults back to 2FA authentication


About the author

Beate Thomsen, Co-founder & Product Design

Picture of
As co-founder of the Rapidi Data Integration platform, Beate has spent over 15 years on its development, building it around her motto: 'keep it simple, functional yet beautiful.'
INTEGRATING Salesforce And Microsoft Dynamics AX HAS NEVER BEEN EASIER Read more now
   CUSTOMER SUCCESS STORY: ReadSoft  See how ReadSoft is using Rapidi to integrate its Salesforce and Microsoft  Dynamics AX to improve business performance and customer satisfaction Download Guide
WHY CHOOSE RAPIDI?  We’ve been helping businesses integrate their data, perform better and grow  faster since the 1990s.  Our solutions work:   * No programming needed.   * 97% customer support satsifaction reported   * Completely elimminate double data entries   * Salesforce AppExchange top satisfaction rate 4.9/5.0   * Securely managed in the cloud   * Salesforce and Microsoft certified

Data Integration Handbook

Your business is 10 steps away from perfectly integrated data systems. Learn about key preparation, best practise and more in our data integration handbook.


FIND OUT MORE

Rapidi-eBook---Data-Integration-Handbook-min.jpg