How do FIDO® compliant passkeys work to replace traditional passwords with a more secure and user-friendly alternative?

What are passkeys?

"Passkeys are a modern authentication technology designed to replace traditional passwords with a more secure and user-friendly alternative."

Passkeys are revolutionizing online security by offering a safer and more convenient alternative to traditional passwords.

This innovative authentication method uses public-key cryptography and biometric verification to provide a seamless login experience across devices and platforms.

Unlike passwords, passkeys are resistant to phishing attacks and data breaches, making them a promising solution to many common cybersecurity challenges.

As major tech companies and websites increasingly adopt this technology, understanding how passkeys work is becoming essential for both users and developers in our increasingly digital world.

Here's how passkeys work:

Key Components of Passkeys

Passkeys rely on several key components to function effectively and securely.

The table below outlines the essential elements that make up the passkey authentication system:

Source: Perplexity AI Page curated by James D. Ford

These components work together to create a secure, user-friendly authentication system.

The public-private key pair forms the cryptographic foundation, while the authenticator and biometric/PIN verification ensure that only the authorized user can access the passkey.

The WebAuthn API facilitates integration with websites and apps, and synchronization services enhance convenience by allowing passkey use across multiple devices.

Public-Private Key Cryptography:

Passkeys use asymmetric cryptography, generating a unique pair of cryptographic keys for each account:

  1. A public key stored on the server
  2. A private key securely stored on the user's device

Biometric or PIN Authentication:

Users verify their identity using:

  1. Biometrics (fingerprint, facial recognition)
  2. Device PIN
  3. Pattern unlock

How Passkeys Function

Account Creation:

  1. When setting up an account, the device generates a public-private key pair.
  2. The public key is sent to and stored on the server.
  3. The private key remains securely on the user's device.

Login Process:

  1. The server sends a challenge to the user's device.
  2. The device prompts the user for biometric/PIN authentication.
  3. Upon successful local authentication, the device signs the challenge with the private key.
  4. The signed challenge is sent back to the server.
  5. The server verifies the signature using the stored public key.

Cross-Device Usage:

  1. Passkeys can be synced across devices using secure cloud services (e.g., iCloud Keychain, Google Password Manager).
  2. Users can authenticate on new devices by approving the login on a trusted device nearby.

Passkeys function through a combination of cryptographic processes and user authentication methods.

The table below outlines the key steps involved in passkey creation and authentication:

Source: Perplexity AI Page curated by James D. Ford

This process ensures secure, passwordless authentication without transmitting sensitive information. The use of public-key cryptography and local biometric verification provides a robust defense against common security threats while simplifying the user experience.

Security Benefits

Passkeys offer significant security advantages over traditional passwords, addressing many common vulnerabilities in online authentication.

The table below highlights key security benefits of passkey technology:

Source: Perplexity AI Page curated by James D. Ford

These security enhancements make passkeys a robust solution for protecting user accounts and sensitive information. By leveraging public key cryptography and local device authentication, passkeys significantly reduce the attack surface for common cyber threats, providing a more secure online experience for users and organizations alike.

User Experience Improvements

Source: Google

Passkeys offer significant improvements to the user experience compared to traditional passwords.

The table below highlights key user experience enhancements provided by passkey technology:

Source: Perplexity AI Page curated by James D. Ford

These improvements address many common frustrations associated with traditional passwords, such as forgetting credentials or dealing with password resets. By leveraging familiar device authentication methods, passkeys provide a more intuitive and efficient login experience across various services and applications. This enhanced usability, combined with improved security, makes passkeys an attractive option for both users and service providers looking to streamline authentication processes.

Implementation and Support

  • Major platforms (iOS, Android, Windows, macOS) and browsers (Chrome, Safari, Firefox) support passkeys.
  • Websites and apps need to implement passkey support, which is growing but not yet universal.

Passkeys represent a significant advancement in online security, offering a balance between enhanced protection and user convenience.

As adoption increases, they are poised to become the standard for online authentication, potentially replacing traditional passwords in the near future.

FIDO® Compliance

Passkeys are built on the Web Authentication (WebAuthn) standard, which is part of the FIDO2 specifications.

This means that all passkeys adhere to the FIDO® Alliance's standards for secure, passwordless authentication.

The FIDO® (Fast IDentity Online) Alliance is an open industry association launched in February 2013 with the mission of developing and promoting authentication standards to reduce reliance on passwords.

Source: Perplexity AI Page curated by James D. Ford

Important Notice:

This FAQ is intended for general interest + information only.

It is not legal advice, nor should it be relied upon or used as such.

We recommend you always consult a lawyer for legal advice specifically tailored to your needs & circumstances.

Special Welcome Message ➲ After you have Logged In

Welcome to the Blue Ocean Law Group.

Congratulations!

You have successfully "Registered as a User" +/or "Logged In" without the need to set up or supply a password.

If you are seeing this message, you have been directed to this FAQ webpage after a successful passwordless registration +/or login to the BLUEOCEAN.law website.

Note: For now, this page is public so you may also have stumbled across it within the New Client FAQs.

In the future we may decide to make this FAQ page visible only to authorised users who have successfully logged in!

Phase 1: Passwordless Authentication is Operational ➲ Complete

Implementing passwordless signup & login is just the beginning, i.e., Phase 1.

27 June 2024 ➲ Breaking News! ... "Passwords R.I.P"

Let's face it, we all hate passwords, not to mention Authenticator Apps!

There is a better way. It's called a Passkey.

For more information read our FAQ: How do FIDO® compliant passkeys work to replace traditional passwords with a more secure and user-friendly alternative?

Using a Passkey is highly secure, eliminating the need for both a password and an Authenticator App.

You can now register with and login to BLUEOCEAN.law's website using a passkey.

Passkeys are automatically generated if required (so you don't need to already have one).

Alternatively, you can use your existing Google | Apple | Microsoft login.

Try it for yourself, the links to signup/login are on the HOME page and under the top menu item ... STAY SECURE.

Why Passkeys are the future of CyberSecurity

The following answer has been extracted from the LinkedIn article by Tertius Wait dated 28 June 2024 called "Say Goodbye to Passwords: Google's New Passkeys Are Here":

"Passkeys represent a robust defense against phishing and other security threats by tying authentication to a physical device specifically authorized by the user. Unlike passwords, which can be easily phished or forgotten, passkeys leverage biometric data or a device-specific PIN that never leaves your device, ensuring both privacy and security.
This approach aligns perfectly with the ISC2's security principle of "something you know, something you have, and something you are."
Traditional passwords are "something you know," easily compromised.
Passkeys combine "something you have" (your device, specifically authorized by you) with "something you are" (biometric data), creating an exceptionally strong and secure authentication method.
With Google's passkeys, the future of online security is not just on the horizon—it is here.
This innovative approach transforms the way we think about logging in, making it easier and infinitely more secure.
By harnessing the power of biometric data and device-specific security features, passkeys provide a seamless and secure experience like never before.
I highly recommend starting to use passkeys today.
They will simplify your life and make your accounts significantly more secure.
Passwords are becoming relics of the past, passkeys are the future.
Embrace this change and step into a more secure and convenient digital world."

About the Author of the Article: Tertius is a Cloud Engineer at iiDENTIFii, ISC2 Cyber Security Certified, and an Identity Verification Sentinel. Passionate about the latest trends in IDV and cybersecurity, Tertius writes to educate and empower readers to protect themselves in an increasingly digital world.

Next Steps

1️⃣ Configure your LOGIN PROFILE SETTINGS

Once registered or logged in, if you scroll down slightly on your HOME page you will see a LOGIN PROFILE SETTINGS button.

Alternatively, at any time go to the top menu item ... START > LOGIN PROFILE SETTINGS.

Within LOGIN PROFILE SETTINGS you will be able to do the following:

➲ Fix your name (if the default name taken from your email address currently appearing at the top of this HOME page needs adjusting);

➲ Change your email address;

➲ Add up to 6 backup FIDO® USB Security Keys;

➲ Add Social Identity Logins for Google|Apple|Microsoft; or

➲ Add a password and a time-based one-time authentication code. DANGER: Proceed with caution.

2️⃣ Join the Growing Global Community of Passkey Advocates

Now that you have seen for yourself that the technology to eliminate the need for passwords exists and works well, we encourage you to join the growing global community of Passkey advocates to help make your online experience much more enjoyable and secure.

Here is a link to view a community-driven index of websites, apps and services that offer signup/login with Passkeys.

Phase 2: Improved User Experience + Exclusive Freemium Content ➲ Under Development

Phase 2 has just commenced and is a work in progress.

Please check back here regularly for the latest news about planned Phase 2 improvements.

Thank you for taking the time to register and try out our passwordless login experience.

Start looking forward to a more personalised user experience with free access to exclusive freemium content.

Credits:

This FAQ was created by James D. Ford Esq., GAICD CIPP/US CC | Principal Solicitor, Blue Ocean Law Group℠.

State of California Bar Number: 346590

Do I need a Privacy Policy?

Legal Background ➲ Australian Privacy Act 1988 (Cth)

The Privacy Act and Australian Privacy Principles (‘APPs’) govern the collection, storage, use and disclosure of Personal Information

Australian businesses/NFPs are bound by the Privacy Act if they:

➲ “Opt-in” or publicly volunteer to be regulated;

➲ Handle Personal Information (defined below) + have $3 million or more in annual turnover; or

➲ Are captured by the second set of criteria set out in the Act.

Caution: The additional "second set" of criteria means that every business or charity, regardless of turnover, may be caught if it sells or purchases Personal Information or handles specific categories of Personal Information, such as TFNs (Tax File Numbers), Health + Medical Data, etc.

Small business/NFP operators are generally exempt from the Privacy Act unless one of the above-mentioned points applies.

Does your business/NFP need to comply with the privacy act?

Click the below link to access the online guide:

Does my Business/NFP need to comply with the Privacy Act?

If you are still unsure you should take the cautious approach and put relevant privacy measures in place as well as seek Independent Legal Advice.

Credits:

This FAQ was extracted from the blog article "Privacy Policies & Australian Law" by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠ which was originally published in late 2018 + is hosted on iubenda's website.  

By way of full disclosure: Blue Ocean Law Group℠ is iubenda's Legal Network partner in Australia + New Zealand.

Blue Ocean Law Group℠ also collaborates with iubenda to present regular free webinars entitled:

How to make your website/app easily compliant with Australian Law?

What are the Australian Privacy Principles (APPs)?

Click here to download ...

Source: Office of the Australian Information Commissioner (OAIC) website

Do foreign laws apply to my Australian website?

Where is your website hosted? Do you target overseas users/clients? etc.

Firstly, your law(s) of reference determine which rules you’re subject to.

Simply put, the laws of a particular region [for example, the EU GDPR] can apply to you in addition to local Australian law even if you don’t live, or run your business or charity (also known as a not-for-profit or NFP) there.

In general, the laws of a particular region can apply if your business or NFP:

➲ Bases its operations there; or

➲ Uses processing services or servers based in the region; or

➲ Targets users from that region (example: accepting payment in Euros).

So to be clear, this basically means that regional regulations may apply to you and/or your business or charity whether you’re located in the region or not.

Be on the safe side, ensure you comply with the strictest regulations

For that reason, it’s always advisable that you approach your data processing activities with the strictest applicable regulations in mind.

You can read more about which privacy laws apply to you here.

Another point in favour of having a comprehensive privacy policy in place is that it’s simply good business to have a Privacy Policy.

Regardless of whether legal obligations apply, all customers/clients today fully expect their personal data will be respected + protected.

Any breach, aside from potentially leading to legal consequences, will directly impact your business reputation, and ultimately could cause your business or charity to shut down due to public loss of confidence.

Credits:

This FAQ was extracted from the below blog article "Privacy Policies & Australian Law" by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠ which was originally published in late 2018 + is hosted on iubenda's website.  

By way of full disclosure: Blue Ocean Law Group℠ is iubenda's Legal Network partner in Australia + New Zealand.

Blue Ocean Law Group℠ also collaborates with iubenda to present regular free webinars entitled:

How to make your website/app easily compliant with Australian Law?

Further Reading:

What additional compliance obligations may apply?

Other Australian Privacy Legislation

While our Privacy Policy solutions make compliance easy for many aspects of privacy law, full business compliance requires a holistic approach which includes regularly auditing your internal processes to see where other obligations may apply.

The following is a (non-exhaustive) list of additional compliance obligations imposed by Australian Law which may apply to your business/NFP:

➲ Non-privacy-policy related aspects of the Privacy Act 1988 – for example, APP 7 – Direct Marketing; APP 11 – Security of Personal Information. For more information, read this Guide to the APPs;

➲ The Notifiable Data Breaches Scheme; and

➲ The Spam Act.

Credits:

This FAQ was written by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠.

What is considered "personal information"?

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

➲ Whether the information or opinion is true or not; and

➲ Whether the information or opinion is recorded in a material form or not.

The above definition of Personal Information is quite broad, and can include Internet Protocol (IP) addresses, Unique Device Identifiers (UDIDs) such as for a mobile phone or tablet, and other unique identifiers in specific circumstances.

Location information may also be covered because it can reveal user activity patterns and habits.

If you are unsure whether you are using Personal Information please refer to this guide issued by the OAIC, and if still unsure please seek independent Legal Advice.

Important: If you trade in, or use Personal Information to sell advertising, including via an app, you’ll likely fall under the Privacy Act.

Credits:

This FAQ was written by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠.

What does “trade in personal information” mean?

A business or NFP is “trading” in Personal Information if it collects from or discloses to someone else, an individual’s Personal Information for a benefit, service or advantage.

A benefit, service or advantage can be any kind of financial payment, concession, subsidy or some other advantage or service.

For example: Buying a mailing list without first getting the consent of all the individuals on that list, or disclosing customer details to someone else for some commercial (monetary or otherwise) gain.

If you trade in Personal Information you will have to comply with the Australian Privacy Principles in the Privacy Act.

Complying with the Privacy Act does not prevent you from collecting Personal Information for your business needs, but it does mean you must follow the rules about how to handle that information.

If you are unsure whether you are using Personal Information to sell advertising, you should seek Independent Legal Advice.

Exemptions may apply where "consent" has been obtained, for small businesses with turnover of $3 million or less that are not considered an APP entity for any other reason (refer to the second set of criteria discussed above). However, even in this case you should have an easy-to-read Privacy Policy so that you can ensure that you obtain clear informed consent as required.

In order to avoid any question regarding whether valid “consent” has been obtained in accordance with the requirements of the Privacy Act, it is recommended that you be as clear and transparent as possible in your Privacy Policy about what Personal Information you are collecting, what you are doing with it, and the reasons why.

It’s also highly recommended you request that the user actively indicate consent by having them take an affirmative action such as ticking a checkbox or clicking a button. This can be facilitated by adding a checkbox with a link to the privacy policy to your data collection forms, and by using something like a site banner to alert and collect your users’ consent to tracking technologies such as cookies.

iubenda’s Cookie Solution makes setting up a site banner and linking to the Privacy Policy pretty easy. You can read more about the Cookie Solution here as well as how to customize your site banner here.

Credits:

This FAQ was written by James D. Ford GAICD | Principal Solicitor, Blue Ocean Law Group℠.

How can we keep our Privacy Policy globally compliant + updated?

How to keep your Privacy Policy globally compliant + updated!

Blue Ocean Law Group℠ are innovative Counsel [iC]℠ and Australian, New Zealand and California, USA Legal Network Partner for iubenda.

We use iubenda for our own Globally-compliant Privacy Policy, and are an Affiliate -> Get 10% off your subscription with this link!

Alternatively if you do not want to subscribe, you can generate your own subscription-free Privacy Policy as an individual legal document or as part of our website bundle via our Legal Documents Portal.

Both Privacy Policies are designed to exceed your legal needs.

iubenda (in our view) does a better job at creating a Privacy Policy which provides a more visual + interactive client experience.

How does iubenda's Privacy Policy solution help you to comply with the specifics of Australian Law?

Click this link to access our original article which is published on iubenda's website.

The original article includes a table created by Blue Ocean Law Group℠ listing the relevant Australian Privacy Principle (APP) requirements, the related iubenda feature and comments on how it applies.

Warning: A Privacy Policy is not a set-and-forget document!

Keeping your Privacy Policy up to date and compliant with the latest changes in global privacy law is only the first part of the process.

As your business or NFP's circumstances change, your Privacy Policy needs to be audited against your Internal Business Processes (practices, procedures and documents – as well as what is actually done, in other words, your Privacy Culture).

As Australia moves towards the standards set by the EU, including potentially larger fines + regular audits, legal reviews will become even more important.

Please contact us to discuss a legal review of your Privacy Policy v. Internal Business Processes + Privacy Culture.

Consequences of non-compliance with Australian Privacy Law

There are significant potential penalties that can be imposed for non-compliance, and for repeat breaches, including enforceable undertakings and fines of up to $1.7 million per violation.

Credits:

This FAQ was written by James D. Ford Esq., GAICD CIPP/US | Principal Solicitor, Blue Ocean Law Group℠.
