
Passwordless Internet?

Rethinking Authentication: Passkeys vs. Passwords

In the ever-evolving landscape of internet security, authentication stands as a cornerstone of safeguarding personal data and online interactions. However, the conventional method of using passwords has long been plagued by inherent vulnerabilities, leaving users susceptible to breaches and data leaks. Despite efforts to adhere to best practices in password management, incidents of cyberattacks persist, highlighting the need for a more robust and user-friendly authentication solution.

Enter passkeys — a transformative alternative to traditional passwords that promises both enhanced security and improved user experience. Unlike passwords, which often rely on easily guessable phrases or combinations, passkeys leverage advanced authentication methods such as fingerprint recognition, facial scanning, or device-specific PINs. This not only simplifies the authentication process but also mitigates the risk of common online threats like phishing attacks.

But what exactly are passkeys, and how do they differ from the cryptographic keys used in self-custodial wallets like MetaMask? This article delves into the intricacies of passkey authentication, exploring its key components and underlying security mechanisms. Additionally, it examines the choice of elliptic curve algorithms—specifically secp256k1 and secp256r1—in the context of passkey generation and its implications for security and trust.

As I unravel the complexities of passkey authentication and cryptographic algorithms, I'll also delve into the intriguing decision of Bitcoin creator Satoshi Nakamoto to opt for the less popular secp256k1 curve. Could this choice signal a deeper understanding of cryptographic vulnerabilities and a proactive stance against potential backdoors? Join me on a journey to uncover the secrets behind passkeys, cryptographic algorithms, and the quest for a more secure and user-centric internet experience.

UX with passwords and their security flaws

Since the early days of the internet, authentication has been one of the most common actions online. A login credential made up of a username and a password has been the bread and butter of accessing a user's personal data. Despite extensive guidance on safe practices for protecting private information, numerous hacks have led to massive leaks of private user data. Even following best practices is not always enough, because entering sensitive information like a password into the HTML form of a phony website can leak it and expose private data to the wrong hands. Luckily, we are now witnessing the transformation of this authentication process into passkeys, a more robust, secure process that offers a far better user experience. But what are passkeys?

Passkeys - a new solution

Passkeys represent a revolutionary approach to accessing applications and websites. They offer a seamless and fortified alternative to traditional passwords, liberating users from the constraints of memorizing obscure combinations like pet names or birthdays, or resorting to clichéd choices like "password123." With passkeys, users can authenticate themselves in a manner akin to unlocking their devices: through fingerprint recognition, facial scanning, or entering a screen lock PIN. Notably, passkeys boast resilience against common online threats such as phishing attempts, surpassing the security efficacy of methods like SMS one-time codes.

In other words, a passkey is a pair of keys, one private and one public, that offers a more robust way of authorization. In theory, this means the process is almost identical to using a self-custodial crypto wallet like MetaMask. I am sure that when you created your first crypto wallet you had a chance to learn how such a pair of keys works. My biggest question, though, is this: is there a difference between passkeys and crypto wallet keys? Let's find out.

secp256k1 and secp256r1

From a little bit of research, I found something interesting. There is a difference between the two: the elliptic curve each one uses, secp256k1 versus secp256r1. The "k" in secp256k1 stands for Koblitz and the "r" in secp256r1 stands for random. A Koblitz elliptic curve has some special properties that make it possible to implement the group operation more efficiently. It is believed that there is a small security trade-off, and that more "randomly" selected parameters are more secure. However, some people suspect that the random coefficients may have been selected to provide a backdoor. Now that's where things get interesting. I noticed that the creators of Bitcoin, as well as Ethereum, used secp256k1, while passkey generation on Apple and Google devices, as well as on numerous other services, uses secp256r1.
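The structural difference between the two curves can be checked directly from their published domain parameters (SEC 2 for secp256k1, FIPS 186 for secp256r1/P-256). The following is an added example, not part of the original article; the helper names are illustrative. It confirms both base points lie on their curves and shows that the cheap map (x, y) -> (beta*x, y), the special property fast secp256k1 implementations exploit, exists only on the Koblitz curve, where a = 0.

```python
# Added illustration: compare secp256k1 and secp256r1 from their published parameters.
from collections import namedtuple

Curve = namedtuple("Curve", "name p a b gx gy")

P_K1 = 2**256 - 2**32 - 977                        # secp256k1 field prime
P_R1 = 2**256 - 2**224 + 2**192 + 2**96 - 1        # secp256r1 (P-256) field prime

# y^2 = x^3 + 7: tiny, hand-picked-looking coefficients
SECP256K1 = Curve("secp256k1", P_K1, 0, 7,
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# y^2 = x^3 - 3x + b: b is the seed-derived "random" coefficient
SECP256R1 = Curve("secp256r1", P_R1, P_R1 - 3,
    0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def on_curve(c, x, y):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0

def cube_root_of_unity(p):
    """Return beta != 1 with beta^3 = 1 (mod p); one exists when p = 1 (mod 3)."""
    assert p % 3 == 1
    g = 2
    while pow(g, (p - 1) // 3, p) == 1:
        g += 1
    return pow(g, (p - 1) // 3, p)

def endomorphism_holds(c):
    """Does (x, y) -> (beta*x, y) send the base point to another curve point?"""
    beta = cube_root_of_unity(c.p)
    return on_curve(c, beta * c.gx % c.p, c.gy)

def summary(c):
    return {"generator_on_curve": on_curve(c, c.gx, c.gy),
            "a": c.a if c.a < 2**128 else c.a - c.p,   # display p - 3 as -3
            "b_bits": c.b.bit_length(),
            "cheap_endomorphism": endomorphism_holds(c)}

if __name__ == "__main__":
    for curve in (SECP256K1, SECP256R1):
        print(curve.name, summary(curve))
```

Both field primes are congruent to 1 mod 3, so a cube root of unity exists in each field; the map only preserves the curve equation when the a*x term vanishes, which is why it works for secp256k1 and not for secp256r1.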

Rumors on secp256r1

Bitcoin creator Satoshi Nakamoto chose to use the less popular Koblitz curve for the reasons mentioned above, namely efficiency and concerns over a possible backdoor in the random curve. Before Bitcoin, secp256k1 was not widely used. Ethereum and Vitalik Buterin have followed accordingly. Did they know something we were not aware of?

Satoshi's decision to use a different algo when building Bitcoin

Creating Bitcoin required advanced knowledge of cryptography, so choosing a curve that was not widely used, like secp256k1, signals to me some inside knowledge of, or mistrust toward, the more common secp256r1. To confirm this rumor, it's important to note that when Edward Snowden leaked NSA secrets, he blew the whistle on this specific matter. "Internal memos leaked by a former NSA contractor, Edward Snowden, suggest that the NSA generated one of the random number generators used in a 2006 NIST standard — called the Dual EC DRBG standard — which contains a backdoor for the NSA," the New York Times wrote. Did Satoshi consciously try to protect users from Big Brother by ensuring a secure self-custodial system design?

Better UX, less security?

Passkeys provide a far better method of handling private data, one that can prevent sensitive data from leaking in cyber hacks, as well as a faster and more effortless way of authenticating. I definitely think this is innovation; however, it's important to note the possibility that a deliberate backdoor was left at the very core of the algorithm that generates the keys. "If we were living in a kinder world, that would be a plausible explanation," Schneier says. "But we're living in a very malicious world, it turns out."

Conclusion

In conclusion, the emergence of passkeys heralds a new era in internet security, offering a seamless and robust alternative to traditional passwords. While passkeys promise an enhanced user experience and protection against common online threats, questions linger regarding the choice of cryptographic algorithms and the specter of potential backdoors. As we navigate this evolving landscape, it's imperative to balance the benefits of passkey authentication with vigilance against potential security vulnerabilities. Ultimately, the quest for a passwordless internet represents a paradigm shift towards a more secure and user-centric online ecosystem.