Telco Passkey Implementation by Telstra
vdelitz
Posted on October 23, 2024
1. Introduction: Telstra Passkeys
To protect against growing cybersecurity threats, the Australian government's national cybersecurity strategy has emphasized the adoption of passkeys as a key component. Passkeys offer the only viable solution for achieving phishing-resistant multi-factor authentication (MFA) for consumers.
In this article, we analyze Telstra’s implementation of passkeys, examining the technical implementation, product flows,
and the strategic thinking behind this move. Our goal is to provide a comprehensive overview that educates software developers and product managers on how to implement passkeys following industry best practices, while providing some recommendations for further improvement of Telstra’s implementation.
2. Summary of Telstra Passkeys Analysis
In our detailed analysis of Telstra’s passkey implementation, several key findings highlight both strengths and areas for improvement. Here’s a concise summary of our observations:
Our Findings of Telstra Passkey Implementation:
- Upsell to Passkeys After Login with Password: After logging in on a passkey-ready device, Telstra prompts users to create a passkey.
- Passkeys are the preferred MFA Method: If a user logs in with a password and a passkey is available, passkeys are automatically used as the preferred MFA method.
- Identifier-First Passkeys: The user provides their identifier first, and Telstra’s backend determines whether to offer passkeys or fallback to password + SMS OTP.
- Correct WebAuthn Server Settings for Passkeys: WebAuthn server settings, including ceremony flags in the PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, are correctly implemented, ensuring optimal passkey usage.
- Correct Error Handling in Safari Clamshell Mode: Telstra correctly handles errors related to User Verification in Safari’s clamshell mode, ensuring no reduction in security in this scenario.
- Implementation of Conditional UI (Passkey Autofill): Both the web (mobile and desktop) and native apps support Conditional UI, improving user experience.
- Good Email Notification Strategy: We were particularly impressed with the transactional emails sent for key actions, such as passkey creation or password deactivation.
In the following sections, we will go deeper into each of these points, exploring the implications and offering
recommendations for improving passkey adoption and user experience in Telstra.
The table provides a good overview of Telstra’s passkey implementation of certain passkeys features. Features marked
with a ⭐ are considered the top features of their category and are crucial for a great and secure passkey experience.
3. Product Flows and UX of Telstra Passkeys
This section analyzes the product flows of Telstra’s passkeys across a variety of platforms, including web apps, as well
as native Android and iOS apps. The availability of passkeys extends across all major operating systems - iOS, Android,
macOS, and Windows.
The following parts analyze sign-up, passkey creation, passkey management, and login processes within Telstra’s passkey
integration.
3.1 Sign-up
A pure passkey-only sign-up on Telstra is currently not (yet) possible. Instead, users must confirm their account via
SMS OTP and then provide a password. After completing these steps, they can add a passkey to their account.
3.2 Passkey Creation
As passkeys cannot be created in the account sign-up process, we need to create them via the promotional page in the
login process or in the account settings.
For the following screenshots, we’re using a Windows 11 device and the Chrome browser.
- Go to Profile
- Scroll to Advanced security settings and select Set up or manage passkeys
- Add your passkey by clicking on Create a passkey and use Windows Hello as the local authenticator.
On the Passkeys page, we see the new passkey at the bottom of the list, with a predefined name (here “Win10 10/2024”), its creation date and its last-used date.
3.3 Passkey Management
Let’s have a look at the passkey management capabilities. To do so, we stay on this Passkeys settings page and
analyze the different passkey management options.
As you can see, there are two “Win10 10/2024” passkeys, even though Telstra correctly checks that only one passkey per
authenticator is created. The second of them was created using a hardware security key (e.g. a YubiKey), but
Telstra does not show the difference, which could cause serious confusion for users.
To rename a passkey, click on the Rename button, so that you can better distinguish them.
When trying to create multiple passkeys from the same passkey provider, we see that excludeCredentials is properly
implemented: the creation of a second passkey on the same authenticator is prevented, so duplicate passkeys are avoided.
A notable feature within the passkey management settings is the option to turn off password authentication, which we do now by clicking on the corresponding toggle.
We confirm by clicking on Turn off in the modal that appears.
In parallel, the following email and SMS are sent out:
Afterwards, we’ll see this screen:
However, when trying to sign in subsequently, the Sign in with password button is still displayed:
When you click on the button, you end up in the known sign in screen and can provide a password. However, you will get
the following error message when providing any password:
You have the option to turn on passwords again in the Passkeys settings:
In parallel, you will get this email and SMS notification:
Then, you can use both passwords and passkeys to sign in.
Because passwords can be turned back on, they are evidently still stored, so in theory they could still be stolen in a
breach of Telstra’s databases. However, the chance of a password being phished decreases significantly.
3.4 Login
Let’s take a deeper look at the login process.
3.4.1 Login in Web App
If you open the login page, you can log in either via Conditional UI or via regular passkey login. The former is
pretty straightforward: you select the passkey you want to use, authenticate with the local authenticator and you’re logged in.
Non-Conditional-UI logins require you to provide your username and click on Continue. In the next screen, you have to
decide whether you want to Sign in with passkey or Sign in with password.
If no passkey is set up, the login screen directly shows only a password field:
After clicking on Sign in with passkey, the local authenticator prompt appears, you authenticate and are redirected to the
logged-in page.
Note that in one of our tests, we switched the browser (from Chrome to Firefox on Windows 11) and could successfully
log in on Firefox with the existing Windows Hello passkey (which had been created via Chrome). However, after successful
passkey authentication, the promotional screen to create a new passkey appeared. Creating one failed, as
a passkey already existed on this platform. This could cause real confusion for users and should be
fixed.
3.4.2 Login in Native iOS / Android App
In the following, you’ll see the login process for the native iOS / Android app in the screenshots. In the native
iOS app as well as the native Android app, you can use Conditional UI to log in seamlessly with a single click and local authentication.
The login process appears in a WebView. After providing your identifier, you will see this screen:
Click on Sign in with passkey and use your local authenticator on the mobile device.
When you log in for the first time on the mobile device (with password / SMS OTP), there is a promotional screen offering to
create a passkey:
When you click on Create a passkey, Face ID / Touch ID appears on iOS, and the equivalent on your Android
device. After successful passkey creation, you’ll see the following screen:
Afterwards, you are redirected to the logged-in part. In all subsequent logins, you can click on the Sign in with passkey button to start the passkey login (or use Conditional UI).
If you log in on a macOS device using Safari in clamshell mode, you are prompted to provide credentials, so
clamshell mode does not open a security gap.
3.4.3 Conditional UI Login
Conditional UI login is implemented in the web app (mobile + desktop) and in the native iOS / Android apps.
However, on iOS the Conditional UI login did not always work as expected as the password managers / passkey providers
often suggested to use the password at first and only offered passkeys afterwards for autofill.
3.4.4 Hybrid Login (Cross-Device Authentication)
After QR hybrid login (cross-device authentication via QR code and Bluetooth), creating a local passkey was suggested:
Simultaneously, an email with a notification is sent out:
That’s a pretty good feature to make sure that passkeys are available on all user devices.
4. Technical Passkey Implementation Details
Let’s have a brief look at the technical implementation details of Telstra’s passkey implementation.
4.1 Analysis of PublicKeyCredentialCreationOptions
At first, we analyzed Telstra’s PublicKeyCredentialCreationOptions. Our review revealed that Telstra requires the use of
resident keys. This shows clearly that passkeys are favored, and that hardware security keys which only support non-resident
keys are treated as second class. However, as described in this blog post, quite often the authenticator itself
decides whether it uses resident or non-resident keys.
Also, userVerification is required, which shows that users should actively authenticate. An attestation setting of
direct would provide more insight into the authenticators used, mainly via the AAGUID (the captured options below use "none").
The Relying Party ID is set to “myid.telstra.com” and the Relying Party name is set to “Telstra”. The user.id
is set to a random, technical value, while user.name and user.displayName are set to the email address (login
identifier).
{
  "attestation": "none",
  "authenticatorSelection": {
    "residentKey": "required",
    "userVerification": "required"
  },
  "challenge": "fhokH-XwW2wBL1rmKoJopg",
  "excludeCredentials": [
    {
      "id": "OOm5pFsDUcmToXIYqrEHKOwtSskS0oOoDNvkT4XD8",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "RMJBo4KA_ALdfNAxd5dnOrig",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "YhCD_R3nNdf3hItLjWnce3Ug70O98",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "rp": {
    "id": "myid.telstra.com",
    "name": "Telstra"
  },
  "user": {
    "displayName": "vincent.delitz@corbado.com",
    "id": "MTk0MGQxOWMtNWJkMS00NTlhI2NDEtOTU1ODYwNDYyYTZk",
    "name": "vincent.delitz@corbado.com"
  }
}
4.2 Analysis of PublicKeyCredentialRequestOptions
In the analysis of PublicKeyCredentialRequestOptions, the noteworthy element is the use of allowCredentials, which is
filled with the IDs of all passkeys registered for the user, regardless of whether the current device can actually
access these passkeys or not.
{
  "allowCredentials": [
    {
      "id": "OOm5pFsDUcmToXIYqrEHKOwtSskS0oOoDNvkT4XD8",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "RMJBo4KA_ALdfNAxd5dnOrig",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "YhCD_R3nNdf3hItLjWnce3Ug70O98",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "challenge": "oMyXbqjhiTKuhV8U7Aqmw",
  "rpId": "myid.telstra.com",
  "userVerification": "required"
}
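To show how the server-side settings discussed in sections 3.3, 4.1 and 4.2 fit together, here is an added example (not Telstra’s or Corbado’s code) that builds creation options with the captured flags and excludeCredentials, and makes the identifier-first decision between a passkey ceremony and the password + SMS OTP fallback. The credential IDs, email and user ID in it are constructed sample values; only the rp values come from the captured options above.

```python
import base64
import os

RP_ID, RP_NAME = "myid.telstra.com", "Telstra"  # as captured on this page

# Constructed sample: the credentials a server would have stored for one user
SAMPLE_CREDS = [{"id": "cred-platform-1", "transports": ["internal"]},
                {"id": "cred-synced-2", "transports": ["hybrid", "internal"]}]


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn JSON options use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def descriptors(creds):
    """PublicKeyCredentialDescriptor list built from stored credentials."""
    return [{"id": c["id"], "transports": c["transports"], "type": "public-key"}
            for c in creds]


def creation_options(email, user_id, existing, challenge=None):
    """PublicKeyCredentialCreationOptions mirroring the captured settings.
    Every stored credential goes into excludeCredentials, so an authenticator
    that already holds a passkey for this user refuses to create a second."""
    return {
        "attestation": "none",
        "authenticatorSelection": {"residentKey": "required",
                                   "userVerification": "required"},
        "challenge": b64url(challenge or os.urandom(16)),
        "excludeCredentials": descriptors(existing),
        "pubKeyCredParams": [{"alg": -7, "type": "public-key"},
                             {"alg": -257, "type": "public-key"}],
        "rp": {"id": RP_ID, "name": RP_NAME},
        # user.id is opaque and random; name/displayName carry the login email
        "user": {"displayName": email, "id": b64url(user_id), "name": email},
    }


def identifier_first(existing, challenge=None):
    """Identifier-first decision: start a passkey ceremony only when the user
    has registered passkeys, otherwise fall back to password + SMS OTP."""
    if not existing:
        return {"method": "password+sms_otp"}
    return {"method": "passkey", "options": {
        "allowCredentials": descriptors(existing),
        "challenge": b64url(challenge or os.urandom(16)),
        "rpId": RP_ID, "userVerification": "required"}}
```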
5. The Strategic Advantage of Passkeys for Telstra
- Get Recognition as Digital Leader: Telstra's integration of passkeys marks a big advancement in user-friendly cyber security for public services. By adopting passkeys, Telstra sets a precedent for the telecom sector in Australia. This bold move places Telstra at the forefront of cyber security practices, showcasing their dedication to protecting sensitive information while enhancing user experience.
- Ensure Future-Readiness By Adhering To Essential Eight Framework: Telstra is prepared for Australia's evolving cyber security legislation, such as the updated Essential Eight framework. This framework emphasizes the importance of phishing-resistant MFA, pushing organizations towards more secure authentication methods.
- Avoid Data Breaches By Disabling Passwords and Offering Phishing-Resistant MFA: As passwords can be entirely disabled (a very bold move!), password-based phishing attacks can be avoided, and if passkeys become the standard login method for many users, these users are protected from phishing threats.
- Save Millions Per Year on SMS OTP Costs: If passkeys become the preferred MFA method, then we expect a high decline in SMS OTP costs, which we estimate to be in the millions per year for Telstra.
- Decrease MFA Recovery Costs: Recovering MFA protected user accounts is among the most user-unfriendly and cost-intensive processes. By pushing for (synced) passkeys, we expect the number of MFA recovery support cases to drop significantly, which could eventually be materialized in further savings for personnel and increase user satisfaction.
6. Recommendation for Telstra to Improve Implementation
Telstra has shown great courage by being among the first Australian companies to implement passkeys. Its passkey
implementation is solid, and we only have three recommendations:
- Recommendation 1 - Reduce Manual Selection Between Passkey and Password for Users: If a passkey is available, the system should default to using it immediately, rather than requiring the user to manually choose between passkey and password.
- Recommendation 2 - Correctly Detect Hardware Security Keys: When creating a passkey with a hardware security key (e.g., YubiKey), the system should correctly detect and display it to the user. Currently, there’s no distinction between hardware security keys and platform authenticators in the passkey settings.
- Recommendation 3 - Improve Passkey Intelligence for Creating Passkeys on New Browsers: When switching to a new browser on a device that already has passkeys, the system sometimes prompts the user to create another local passkey, even though they have just logged in with a passkey. This can confuse users. Enhancing passkey intelligence to avoid unnecessary passkey creation prompts, particularly when promotional passkey pages are shown, is recommended.
7. Conclusion: Telstra Passkeys
In conclusion, Telstra's implementation of passkeys represents a forward-thinking approach to improving cyber security in
the public sector. The current implementation shows strong technical foundations, and the UX and user communication
are also of a high standard.
Moreover, future-readiness is secured, as passkeys align with the national cyber security strategy and the Essential
Eight framework.
We continue to monitor the implementation of passkeys at Telstra and keep you posted about any changes.