Introducing Passkeys on Ente

June 17, 2024

Today, we're excited to announce the introduction of passkey support on Ente!

Passkeys offer a cutting-edge alternative to traditional two-factor authentication (2FA) methods, such as time-based one-time passwords (TOTPs). With passkeys, the authentication process is streamlined and more secure. Forget about unlocking your phone, searching for your 2FA app, and entering a 6-digit code. Now, you can authenticate effortlessly using your device's biometric capabilities, like fingerprint or facial recognition.

Why add passkeys now?

The World Wide Web Consortium (W3C), an international community dedicated to developing open web standards, introduced the WebAuthn Level 1 standard on March 4, 2019. Think of a standard as a universally agreed-upon playbook. As a respected organization, the W3C wields significant influence over the internet.

Since its introduction, hardware manufacturers, browsers, and password managers have tirelessly worked to integrate passkeys in the most user-friendly way possible. By 2024, passkeys have reached their pinnacle of accessibility. Support for them is now ubiquitous across every major platform, and an increasing number of password managers, including 1Password, Proton Pass, and Bitwarden, offer syncable passkey implementations.

This widespread adoption is not without good reason. Passkeys offer numerous user benefits. For instance, they are confined to secure connections and can only be used on their originating website. This means if you're on a compromised network—a scenario known as a man-in-the-middle attack—your browser will block passkey use. And once a passkey is registered with a website, browsers prevent its use elsewhere, eliminating phishing attacks.

Passkeys are inherently secure. The components of passkeys, created on-device, are stored, by default, in the system's trusted platform module (TPM). This specialized chip, found in most computers, secures cryptographic keys and other sensitive data within a secure enclave, isolated from the rest of the system. Even if an attacker gains physical access to your device, the TPM's security features, including at-rest encryption and brute-force attack resistance, safeguard your passkeys.

The above sounded fantastic to us, so we chose to adopt passkeys, allowing our user base to leverage the substantial security and convenience benefits they offer.

How can I use passkeys?

To get started with passkeys, you'll first need to choose a provider.

Choosing a provider

A passkey provider is the software or device that will securely store your passkeys for every site and app that you register with. This is an important decision because, just like choosing a password manager, it's not always easy to migrate between each provider. For instance, if you're on an Apple device, by default, passkeys will be saved to your iCloud Keychain. However, unlike passwords, passkeys are currently not exportable. Due to the lack of standards for what exporting a passkey would look like, nobody has agreed on a format that would allow such portability.

Our recommendation is to instead use a cross-platform password manager that supports passkeys. Our team has a lot of Bitwarden fans, while I'm the one 1Password advocate 😄, but you should thoroughly research the password management solution that works best for you. Our suggestion is that, whichever one you decide on, ensure that it uses end-to-end encryption. Password managers, like Google's, do not end-to-end encrypt your passwords by default, thus allowing anyone who has access to their database to view or modify the contents of your vault.

Adding a passkey to your account

This process will differ based on the service you're trying to add a passkey to, but on Ente, it's quite simple.

Once you're on an Ente app, like Photos or Auth, simple open the left-hand drawer and click on "Passkey".

Left-hand drawer with Passkey button

Then, the app will open Ente Accounts in your default browser. Behind the scenes, if it's your first time setting up passkeys, the app will also generate the necessary recovery information seamlessly, allowing you to get back into your account if you ever lose access to your registered passkeys.

On Ente Accounts, you'll be able to see all your currently registered passkeys and add new ones.

Management page with a friendly name field and a button to add a passkey

When you click on "Add passkey", your browser or password manager may prompt you to scan your biometrics to create and securely store the new passkey. After that, you're all done!

Logging in with a passkey

After logging in with your email and password, Ente will redirect you to Ente Accounts and prompt you to login with a passkey registered to your account.

Box that says 'Login with Passkey' with a cute image of a duck's head

How do passkeys work under the hood?

Passkeys operate as cryptographic keypairs, replacing the traditional username and password duo with a more secure asymmetric system of public and private keys. These keys are foundational to encryption protocols, enabling secure, verifiable sharing of information—like how we facilitate the protected exchange of photos among various recipients on Ente. At their core, these keypairs utilize complex mathematical principles, such as the difficulty in factoring large prime numbers, to allow two parties to communicate securely without revealing sensitive information over unsecured channels. This involves the exchange of public keys, with each party using their private keys to decrypt messages received.

Building on the principles of asymmetric cryptography, the W3C crafted a method for secure server authentication. Creating a passkey involves your client (such as your browser or password manager) generating a unique keypair. It then shares the public key with the server—us, in this context—while keeping the private key confidential. By only sharing the public key, the server can authenticate messages from your client without being able to generate messages itself.

When you attempt to log in again, your client crafts a message, signs it with your private key, and sends this signed message to the server. The server uses your public key to verify that the message indeed originated from your client before granting access to your account. This process ensures a secure and private authentication mechanism, leveraging the strengths of asymmetric cryptography.

Ente has your best security interests at heart.

By integrating passkeys, we join the thousands of other websites in elevating authentication security standards, building a more secure Internet for everyone while upholding our commitment to protecting your data. Over a year ago, we introduced Ente Auth, an innovative, open-source, cross-platform, end-to-end encrypted, cloud-synced two-factor authentication app. This was our response to the shortcomings of existing apps in the market. In March of this year, we took transparency to the next level by open-sourcing our entire infrastructure, including the backend.

We eagerly look forward to the advancements and possibilities passkeys will bring to the future of digital security.