Why Dfns Uses Passkeys

Why Dfns Champions Passkeys for Unparalleled Security

At Dfns, security isn't just a feature; it's the foundation of our platform. To provide the highest level of protection for your digital assets, we've moved beyond traditional authentication methods like passwords and typical two-factor authentication (2FA). Instead, we rely exclusively on passkeys, the modern standard for phishing-resistant authentication.

This document explains why we made this choice and why we recommend using hardware security keys for the utmost security.

The Problem with Passwords & Traditional 2FA

For decades, the standard for online security has been the combination of a password and a second factor (2FA), often an SMS code or a time-based one-time password (TOTP) from an app. While better than a password alone, this model has critical vulnerabilities that modern threats exploit:

  • Passwords are a weak link: They can be stolen in data breaches, guessed, or phished through fake login pages. Even strong, unique passwords are still a "shared secret" that can be compromised.

  • Many 2FA methods are phishable: Attackers can create sophisticated proxy phishing sites that capture not only your password but also your 2FA code in real-time, allowing them to hijack your session. SMS-based 2FA is also vulnerable to SIM-swapping attacks.

Passkeys were designed from the ground up to solve these problems.

How Passkeys Provide Superior Security

Passkeys are a more secure and user-friendly replacement for passwords. They are based on the FIDO2/WebAuthn standard, which uses public-key cryptography to create a phishing-resistant login experience.

Here’s how it works on a technical level:

  1. Registration (Key Creation): When you create an account with Dfns, your device (like your phone, computer, or a hardware key) generates a unique cryptographic key pair:

    • A private key, which is stored securely and never leaves your device. This is your secret.

    • A public key, which is sent to and stored by Dfns. This key is mathematically linked to the private key but cannot be used to derive it.

  2. Authentication (Login): When you sign in:

    • Dfns sends a unique, one-time challenge to your device.

    • Your device uses the stored private key to sign this challenge.

    • The signed challenge is sent back to Dfns.

    • Our server uses your public key to verify the signature.

This process has two game-changing security benefits:

  • No Shared Secret: Your private key is never transmitted over the internet or shared with Dfns. There is no secret for a phisher to steal or for a data breach to expose.

  • Origin-Bound: The cryptographic keys are bound to our website's domain (dfns.co). This means even if you are tricked into visiting a fake website, your browser and authenticator will refuse to use the key, making phishing impossible by design.

Key Security Advantages of Passkeys:

  • Phishing Resistance (Origin Binding): Passkeys are cryptographically "bound" to the specific domain or origin they were created for. This is a crucial security feature. If an attacker creates a fake Dfns website (a phishing site), your device's passkey will only work with the genuine Dfns domain. When you try to use your passkey on the fake site, your browser or operating system (which mediates the passkey process) will detect the domain mismatch and simply refuse to sign the authentication request. This makes it impossible for you to be tricked into giving your "secret" to a malicious actor.

  • No Shared Secrets: Unlike passwords, where a secret (the password itself) is shared between you and the service, passkeys involve no shared secrets. The private key never leaves your device. Even if Dfns' servers were compromised, attackers would only get public keys, which are mathematically impossible to reverse-engineer to obtain your private key. This renders server breaches much less impactful from an authentication perspective.

  • Strong by Design: Passkeys eliminate weak or reused credentials. Each passkey is a unique, cryptographically strong credential generated by your device, removing the burden of password hygiene from the user.

  • Inherently Multi-Factor: The act of using a passkey inherently combines "something you have" (the device storing the passkey) with "something you are" (biometric verification like fingerprint or face scan) or "something you know" (a device PIN/pattern). This provides strong multi-factor authentication in a single, seamless step, without the friction of separate OTPs or codes.

  • Resistant to Credential Stuffing and Brute Force: Since there are no passwords to guess or reuse, these attacks become obsolete. Attackers cannot "stuff" credentials because there's no common secret across services, and they cannot brute-force a private key.

Recommendation: Use a Hardware Security Key

Dfns supports two types of passkeys, and while both are highly secure, we strongly recommend using a hardware-based passkey for institutional-grade security.

Software vs. Hardware Passkeys

  • Software Passkeys: These keys are stored securely on your device, such as in your phone's secure enclave or your computer's keychain (e.g., Apple iCloud Keychain, Google Password Manager). They are convenient and provide excellent protection.

  • Hardware Passkeys (Recommended): These are stored on a dedicated, physical device, often a USB key. YubiKeys are a popular example of FIDO2-compliant hardware keys.

Why Hardware Keys Offer the Highest Assurance

Using a dedicated hardware key provides a critical layer of security known as cryptographic isolation.

Key Takeaway: With a hardware key, the private key is generated, stored, and used entirely within the secure chip of the hardware device. It never touches the memory or storage of your computer, which could potentially be compromised by malware or viruses.

This physical separation ensures that even if your primary computer is completely compromised, an attacker cannot extract or use your private key. The key can only be activated to sign a request when you physically interact with it (e.g., by touching it).

For users managing significant assets or operating in high-stakes environments, the physical isolation provided by a hardware key offers the ultimate peace of mind and the strongest defense against sophisticated attacks.

Why Hardware devices are the Recommended Gold Standard for Passkey Storage

While passkeys can be stored on various devices (e.g., in operating system keychains or password managers), Hardware devices such as Yubikeys offer an unparalleled level of security due to their hardware-based nature and additional security features:

  • Hardware-Bound Security (Secure Element): dedicated, tamper-resistant secure element chip. This specialized hardware is designed to perform cryptographic operations and store private keys in an isolated environment. The private key never leaves the device, making it extremely difficult for malware or sophisticated attacks on your computer to extract or compromise the key. This contrasts with software-based passkeys, which, while secure, can still be theoretically vulnerable if the entire device operating system is deeply compromised.

  • Physical Presence Requirement: To use a passkey stored on a device, you typically need to physically touch the key. This "user presence" check adds an additional layer of security, ensuring that a human is initiating the authentication and preventing automated or remote attacks. It proves "something you have" in the strongest possible way.

  • Immunity to Remote Attacks: Because the passkey's private key is stored on the physical device and requires a physical touch, it is virtually impossible for remote attackers to compromise your authentication. They cannot be digitally stolen, duplicated, or guessed over a network.

  • Enhanced Multi-Factor Protection: When using a dedicated hardware device, the "something you have" factor is exceptionally strong. To compromise an account protected by those devices, an attacker would need to physically obtain your device and know its PIN (as enforced by Dfns) or bypass your device's unlock mechanism, making a successful attack highly improbable.

Dfns' Commitment to Your Security

By adopting passkeys as our primary authentication method and recommending hardware security keys for their secure storage, Dfns is taking a proactive stance against evolving cyber threats. This combination provides:

  • Superior Protection: Drastically reduces the risk of phishing, credential theft, replay attacks, and account compromise.

  • Enhanced User Experience: Eliminates the need for complex passwords and streamlines the login process, making strong security easier to adopt.

  • Future-Proof Authentication: Aligns with industry standards and the future direction of secure online interactions, ensuring our authentication methods remain at the forefront of cybersecurity.

More information

You can read more about passkeys on the Fido Alliance pages: https://www.passkeycentral.org/introduction-to-passkeys/

Last updated