パスキーは、Google、Apple、Facebook、Meta などの消費者向けサービスによってますます一般的になってきています。パスキーを使用すると、従来のパスワードを利用したログインと比べてセキュリティが大幅に向上します。translated
消費者向けのソリューションがプロフェッショナルな用途に流用されるのはよくあることです。例えば、絵文字リアクションをメールに送ることができるようになったのもその一例です。しかし、Instagramでパスキーを使ってログインできるからといって、ビジネスで使用すべきだというわけではありません。translated
簡潔に言うと、FIDOパスキーは企業での使用に適しているのでしょうか?translated
アメリカの FIDOアライアンス (ファイドアライアンス)は、2013年に設立された組織で、パスワードに代わる強力な認証方法を開発しています。FIDOはその名が示す通り、「Fast Identity Online」を提供し、パスワードレスでの認証を実現しています。translated
Since 2013, FIDO has become one of the most popular passwordless login methods in large part because it delivers on the acronym that makes up its name: it provides fast identity online. The FIDO Alliance has a strong focus on the consumer environment. No wonder, as its largest members are active in this area: Apple, Google, PayPal, and Microsoft. (RSAもFIDO Allianceのメンバー and co-chairs its Enterprise Deployment Working Group.)translated
FIDO認証は非対称鍵ペアを使用してサービスにログインします。FIDO認証情報がサービスに登録されると、新しい鍵ペアがFIDO認証器で生成され、その鍵ペアだけがサービスに信頼されます。この鍵ペアはサービスの正確なドメイン名に結びつけられます。translated
That strict pairing between a service and a FIDO credential is what creates a high degree of phishing resistance: if a user were to try to log in to a phony phishing site with the passkey created for the real site, they would fail because the domain named wouldn’t match with the key pair.translated
2022年にはApple、Google、Microsoftが 「パスキー」. In 2023, the FIDO Alliance adopted the term “「パスキー」” for any type of FIDO credentials, leading to potential confusion in exactly what an organization means when it mentions “passkeys.”translated
This possible ambiguity has been addressed by the FIDO Alliance (see below) but could still exist in organizations. It’s important to address that ambiguity, because not all passkeys are created equal or appropriate for enterprise use.translated
There are now two types of passkeys, as defined by the FIDO Alliance: device-bound and synced.translated
Device-bound passkeys vs. synced passkeystranslated
Device-bound passkeys are generally hosted on specific “security key” devices. On a device-bound passkey, key pairs are generated and stored on a single device; moreover, the key material itself never leaves that device.translated
With synced passkeys, the key material is saved via a so-called remote sync fabric, and the key material can then be restored on any other devices owned by the same user. The current major sync fabrics are Microsoft, Google, and Apple. This means that if you were to register your Android phone as a passkey, then the corresponding key material would be available on all your other Android devices shortly after.translated
Synced passkeys are—in addition to having the support of widely used services such as WhatsApp or Facebook—a main reason for the sharp increase in the general use of passkeys. It’s easy to see why: one user with a lot of accounts and a lot of devices can use the same synced passkey between all of them.translated
Passkeys are an excellent MFA method: phishing-resistant, fast, convenient, and already familiar to users. Today, the passkey benefit that’s been getting the most attention is the phishing resistance.translated
Passkeys can help organizations stop traditional phishing in its tracks: if there’s no password being used, then there’s no password to steal. And while that’s true for other passwordless MFA methods, passkeys have an added level of security provided by that synced key/service domain match.translated
アメリカでは、フィッシング耐性が重要な要素となっており、 エグゼクティブオーダー14028 では、重要なインフラを保護するためにフィッシング耐性のあるパスワードレス認証が求められています。translated
パスキーは大きな利点を提供しますが、いくつかの重要な課題や問題も伴います。translated
User experiencetranslated
消費者向けに発展してきたソリューションであるため、ユーザガイダンスやユーザエクスペリエンスが課題になることがあります。translated
例えば、ユーザにパスキーをUSBポートに挿入させる、またはPINを入力させるダイアログは、オペレーティングシステムやブラウザによって異なります。これらのプロンプトは、ユーザのトレーニングやサポートコールの最小化を難しくする可能性があります。translated
Why not just change the prompts, you ask? Because third-party service providers like RSA can’t: those prompts are set by the browser or OS vendor themselves in their own vendor (for instance, Apple sets their prompt for iOS, Google for Chrome, etc.). There’s some good reason for this: if vendors could change the prompt, then so could attackers, using an updated form to spy on users. Keeping those login prompts locked is an important security measure, but it can make for a one-size-fits-all approach.translated
Distraction from other attackstranslated
高いフィッシング耐性は明確な利点ですが、それで万全というわけではありません。パスキーを使用すれば、すぐに社会工学的攻撃から免れると考えるのは誤りです。パスキーはフィッシングという特定の社会工学的攻撃に対抗する助けになりますが、他のバリエーションも存在します。例えば、 MGM Resorts いただくか、 Caesars Palace などラスベガスでの攻撃は、MFA認証器の登録を許可するために ヘルプデスクを悪用する など、ソーシャルエンジニアリングな要素が含まれていました。translated
Attackers adapt as a matter of course. The proliferation of MFA has made phishing much less attractive, so it’s only natural that vulnerabilities around the MFA system are exploited, such as the way users register. Anyone who thinks passkeys solve these problems is very wrong.translated
Given the challenges today’s passkeys pose when it comes to delivering uniform workflows across various browsers, devices, and operating systems, what can the industry do to ensure a truly seamless, cross-platform experience? How can we determine the best path to resolving the inconsistencies that may confuse users and stall widespread adoption? At RSA, our UX leadership is actively involved in the FIDO Alliance’s working groups to advocate for consistent user experiences. By contributing our insights, we aim to help shape standards that result in fewer distractions, less friction, and more uniformity for end users.translated
Mobility is another aspect of creating a seamless passkey experience across environments. Workforce users increasingly expect the convenience of mobile-first workflows. If accessing corporate resources on a smartphone feels as intuitive as unlocking that same device, adoption of new authentication methods—like FIDO passkeys—becomes significantly easier. A frictionless mobile experience helps break down user resistance, minimizing the learning curve and making the transition away from passwords far smoother. By delivering an interface that’s familiar, transparent about permissions, and consistent regardless of the user’s device or platform, organizations can reduce confusion and improve trust. The RSA mobile FIDO solution serves as an example of how to implement a FIDO passkey in a device-agnostic manner.translated
They say that when you have a hammer, everything can look like a nail. Turning a solution—even a great solution—that was originally intended for consumer use into an enterprise application can introduce significant risk.translated
While reading this article, you may have had a queasy feeling at the mention of “sync fabric.” Your gut was right.translated
パスキーがAppleやGoogleを通じてユーザがログインしているすべてのデバイスにまるで魔法のように現れるという事実は、企業環境では大きな警告となり、いくつかの重要な疑問を引き起こすはずです:translated
- translatedShould users be allowed to use several (possibly also privately used) devices for authentication at all? If so… how many?
- Synced passkeys make restoring a “lost” passkey possible with the account recovery processes of, say,Google or Apple. That’s great… but are these processes secure enough for you?translated
- The Apple feature that allows users to share passkeys with friends or family is quite nice… but does this also apply to passkeys that are used to log in to enterprise applications?translated
translated同期されたパスキーを使用する場合、企業のセキュリティは突然、AppleやGoogleの技術的、組織的なセキュリティに大きく依存することになります。確かに、iOSやAndroidを使用している以上、ある程度の依存はありますが、同期されたパスキーはこの依存度を大幅に高めます。
This isn’t a theoretical vulnerability, either. Last year Retool discussed how threat actors had used it to gain access to its systems: Retool wrote that the functionality means that “if your Google account is compromised, so now are your MFA codes.”translated
これは理論上の脆弱性ではありません。昨年、 Retool は、脅威アクターが同社のシステムにアクセスするためにこの機能をどのように利用したかを説明しました。Retoolは、この機能により「Googleアカウントが危険にさらされると、MFAコードも危険にさらされる」と述べています。translated
Whether passkeys should be used in the company cannot be answered in a general way. Every organization is different and must balance its unique security and operational priorities.translated
Moreover, whether to use passkeys shouldn’t be a yes/no question. The introduction of passkeys or passwordless logins in general should be used to fundamentally review an organization’s entire MFA processes. What has been good for hardware OTP tokens for 15 years is probably no longer entirely true for passkeys or other MFA methods today.translated
RSA believes that passkeys can be deployed for enterprise use if they align with organizational strategy and if organizations think through their answers to the following questions. We’ve seen organizations use passkeys successfully using RSA® ID Plusを使用して、パスキーを活用して導入している組織も見られます。これは、さまざまなパスワードレスオプションを提供する包括的なアイデンティティおよびアクセス管理(IAM)プラットフォームです。translated
Because we’re a security-first organization and use Secure by Design / Secure by Default principles, we prevent using synced passkeys by default. Only device-bound passkeys are available by default in RSA environments to provide the maximum level of security out-of-the-box, and without any extra work by admins.
translated
When assessing whether to introduce passkeys, organizations should ask: How are our authenticators registered? Are there processes that safely handle the “I lost translatedmy authenticator” scenario? What about the classification of users, applications, and data?
translatedPasskeys are one MFA method among many. Yes, their phishing resistance is fantastic, but can users log in with it on their remote desktops?
translatedFor these reasons and many others, it’s important that your MFA system isn’t just technically up to date, but that it also supports a wide variety of MFA methods, such as QR codes, biometrics, OTP, push messages, and FIDO passkeys.
It is also important that the processes around MFA are adapted to new threats. This goes far beyond the actual MFA system: is your help desk also safe from social engineering attacks?translated
パスキーの導入が理にかなっていると思われる場合は、お手伝いします。詳細についてはお問い合わせ からご連絡をいただくか、ID Plusの無料45日間トライアルをお申込みください。translated
