What Happens If You Lose Your Passkey in a Passwordless System?

Asked By CuriousCactus42 On

The security team is planning to transition to a passwordless system using FIDO2, which sounds promising. However, there's a concern about what happens if a user loses their hardware key or if their phone fails while they're traveling. The recovery process seems to revert to using a password-equivalent secret, which seems counterproductive. Microsoft's documentation suggests using multiple passkeys for each user, but that's optimistic, considering our executives struggle to keep track of just one. This leads to two scenarios: either we have to deal with calls to the help desk for identity verification, which doesn't scale well, or we find a way to implement a recovery mechanism that could be exploited, akin to how attackers exploit password resets. What am I missing here?

5 Answers

Answered By SecuritySavant On

Yeah, you’ve hit the nail on the head about the weak spot of passwordless systems: the recovery. It’s a classic trade-off. Either you play it safe with strict measures (which means tough recovery processes), or you seek smoother recoveries at the expense of some security. Most teams I’ve seen manage it by using a mix of multiple passkeys (like a phone and a laptop) along with some backup options like verified email or helpdesk checks, which isn’t ideal but does make it manageable.

RealWorldChallenger -

Exactly! It’s all about finding that balance between being secure and being user-friendly!

Answered By RemoteAccessPro On

With 400 employees each holding a FIDO2 key, we’ve found the loss rate is about one or two keys per month. It’s really similar to the issues you would face with traditional MFA methods. We use TAP as an acceptable temporary workaround, especially since many of our employees work remotely.

CloudNavigator1 -

That’s interesting! It’s reassuring to know you have a system in place for loss.
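The recovery pattern the answers above describe, modelled as an added example (this is not code from the thread, from Microsoft, or from any FIDO2 library): each user keeps several registered credentials, a lost key is revoked on its own so the user's other passkeys keep working, and a helpdesk that has verified identity out of band issues a Temporary Access Pass (TAP) that is short-lived, single-use, stored only as a hash, and good for nothing except enrolling one replacement authenticator. User names, credential IDs, the `verified_by` field, the one-hour lifetime and the clock values are all constructed for the example.

```python
"""Model of FIDO2 credential recovery with a Temporary Access Pass (TAP).

Added example, not code from the original thread. Constructed data only:
credential IDs, user names and timestamps are made up for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class TemporaryAccessPass:
    user: str
    code_hash: bytes          # only the SHA-256 hash is kept server side
    expires_at: float         # unix time; the pass is dead afterwards
    used: bool = False        # single use: redeemed once, then dead


@dataclass
class RecoveryService:
    lifetime_seconds: int = 3600
    # user -> set of registered FIDO2 credential IDs (constructed strings)
    credentials: dict = field(default_factory=dict)
    # user -> the one outstanding TAP for that user, if any
    passes: dict = field(default_factory=dict)

    def register_credential(self, user, credential_id):
        self.credentials.setdefault(user, set()).add(credential_id)

    def revoke_credential(self, user, credential_id):
        """Remove only the lost key; the user's other passkeys keep working."""
        self.credentials.get(user, set()).discard(credential_id)

    def can_sign_in(self, user, credential_id):
        return credential_id in self.credentials.get(user, set())

    def issue_tap(self, user, now, verified_by):
        """Mint a TAP after a human (HR/helpdesk) verified identity out of band.

        verified_by is an assumed audit field naming who vouched for the user;
        an empty value is refused so a TAP is never minted without an
        accountable verifier. Issuing a new TAP replaces any outstanding one.
        """
        if not verified_by:
            raise PermissionError("identity verification required before TAP issuance")
        code = secrets.token_urlsafe(12)   # 96 bits of entropy, shown to the user once
        self.passes[user] = TemporaryAccessPass(
            user=user,
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=now + self.lifetime_seconds,
        )
        return code

    def redeem_tap(self, user, code, now, new_credential_id):
        """Exchange a TAP for exactly one new credential registration.

        Returns True on success. Fails closed on unknown user, expired pass,
        reuse or wrong code. The TAP never grants a session by itself; the
        only thing it buys is the right to enrol one replacement authenticator.
        """
        tap = self.passes.get(user)
        if tap is None or tap.used or now >= tap.expires_at:
            return False
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, tap.code_hash):   # constant-time compare
            return False
        tap.used = True
        self.register_credential(user, new_credential_id)
        return True


def demo():
    """Walk-through: lose a key while travelling, get a TAP, enrol a replacement."""
    svc = RecoveryService(lifetime_seconds=3600)
    svc.register_credential("alice", "yubikey-5c-0001")   # constructed IDs
    svc.register_credential("alice", "laptop-tpm-0002")

    svc.revoke_credential("alice", "yubikey-5c-0001")     # reported lost
    assert not svc.can_sign_in("alice", "yubikey-5c-0001")
    assert svc.can_sign_in("alice", "laptop-tpm-0002")    # second passkey still works

    t0 = 1_700_000_000.0
    code = svc.issue_tap("alice", now=t0, verified_by="helpdesk:bob")
    assert not svc.redeem_tap("alice", "wrong-code", t0 + 60, "phone-0003")
    assert svc.redeem_tap("alice", code, t0 + 60, "phone-0003")
    assert not svc.redeem_tap("alice", code, t0 + 120, "phone-0004")   # single use
    assert svc.can_sign_in("alice", "phone-0003")
    return svc


if __name__ == "__main__":
    demo()
```

The design choice worth noticing is that the pass is not a password-equivalent: it cannot sign the user in, it expires, it burns on first use, and the server never stores the plaintext, so a leaked database or a replayed pass gets an attacker nothing beyond a short window to enrol one authenticator, which the issuance audit record makes attributable.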

Answered By TechSavvy33 On

When people lose their phones and can't use MFA, the situation is pretty similar to losing a passkey. The big issue is actually having a reliable reset process in place. We’ve explored some options like syncable passkeys, authenticators that work in a passwordless mode for backup, or using trusted devices as a signal to temporarily create new access methods. We ended up opting for human verification as a fallback because that matched our risk tolerance better; it’s not a perfect solution, but FIDO2 is certainly an upgrade over traditional MFA!

HelpdeskHero99 -

That makes sense! It's all about balancing security with usability, right?

Answered By KeyKeeper88 On

We made the shift to passkeys last year, providing everyone with a hardware key, and we’ve got a policy to replace the first lost one for free. For any additional losses, users are responsible for buying a new one. We also support Windows Hello for Business to keep access convenient. If someone loses their key, HR verifies identity beforehand, and then IT steps in to help, like setting up new keys. It’s a process, but we’ve found it helps maintain security while accommodating users better.

SupportHero2023 -

Sounds like a solid approach! Having backup options seems crucial.

Answered By IdentityExpert On

You’re absolutely correct. The increase in security with passwordless authentication does lead to a heavier reliance on strong identity verification for recovery, which is the tricky part. But I think there are some innovative solutions developing to help here.
