Germany pushes passkey adoption, releases draft technical guidelines

Germany’s Federal Office for Information Security (BSI) is asking for public comment on a draft document that outlines technical considerations for configuring passkey servers.
The draft was published on September 30 and seeks to get inputs from relevant stakeholders, the BSI said in a news release.
The BSI TR-03188 Passkey Server guidelines are available as a draft in version 0.9, the BSI says. It was drafted within the scope of FIDO2 and WebAuthn standards, among others.
Concerned parties have up to November 16 to send in their feedback.
The guidelines come as a major step forward by the German government towards joining the passwordless authentication train.
In an introductory statement to the draft, the BSI recognizes the importance of passkeys in the fight against cybercrimes such as phishing, but notes that for them to be effectively used, websites and other online services require passkey servers. Such servers, the Office added, need to be configured in line with certain technical standards.
The draft thus details those standards, which if eventually endorsed, would become a digital security blueprint for those operating websites or offering any kind of online service, and who intend to use passkeys as an authentication tool.
Apart from recommendations, the document also defines trust levels and offers practical guidance on how to integrate passkey servers into real-world systems.
Commenting on the move, BSI President Claudia Plattner underscored the critical importance of cybersecurity, adding that it must be simplified and not made complex.
“We must make cybersecurity as simple as possible while at the same time ensuring it is robust. Passkeys are a perfect example of how technical solutions can be used to address technical challenges. They are the future,” she said.
The BSI adds that apart from the security recommendations, the draft technical document also contains guidelines on different integration options, with the goal being to make passkeys a common two-factor authentication (2FA) method for enhanced online security in the country.
The draft document, among other things, defines six threats and attacker models, proposes three security assurance levels, and suggests security recommendations on detailed configuration rules for passkey servers. These include always verifying the user presence and user verification flags; enforcing privacy; allowing users to register multiple credentials per account for backup; optionally disabling password fallback once passkeys are active; and having a strong preference for device-bound passkeys for high assurance.
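The flag checks described above act on the WebAuthn authenticator data that a passkey server receives with every assertion. As an added illustration (not code from the BSI draft), the block below parses the fixed 37-byte prefix of that structure and applies the listed rules: it requires the user presence (UP) and user verification (UV) bits, rejects backup-eligible (synced) credentials when a device-bound passkey is demanded, and flags a signature counter that fails to increase. The `require_device_bound` switch stands in for the draft's high-assurance level, whose exact naming is not given here; the signature itself is verified separately and is out of scope for this block.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced across devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(raw[:32], raw[32], sign_count)


def check_assertion(raw: bytes, rp_id: str, stored_sign_count: int,
                    require_device_bound: bool) -> list[str]:
    """Return the policy violations for one assertion; an empty list means it passes."""
    ad = parse_auth_data(raw)
    problems = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not ad.flags & FLAG_UP:
        problems.append("user presence (UP) flag not set")
    if not ad.flags & FLAG_UV:
        problems.append("user verification (UV) flag not set")
    if require_device_bound and ad.flags & FLAG_BE:
        problems.append("credential is backup-eligible; not device-bound")
    # Both counters at zero means the authenticator does not support counters;
    # otherwise a counter that does not increase suggests a cloned authenticator.
    if (ad.sign_count or stored_sign_count) and ad.sign_count <= stored_sign_count:
        problems.append("signature counter did not increase")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticator-data prefix for local testing only."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```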
There’s been a growing preference for passkeys over passwords given the increasing sophistication of cyber fraud.
Facebook introduced passkeys this year, WhatsApp added them as an optional feature last year, and Microsoft has threatened to delete the passwords of account users who have yet to shift to passkeys.
Germany’s direction towards full passkey adoption would require some work as a report in 2024 showed just 38 percent of Germans knew what a passkey is, according to Techradar.