Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn). They remove the shared secret, stop phishing at the source, and make credential stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing

  • ivanovsky@lemmy.world · 4 up · 6 hours ago

    I’ve been mostly too lazy to look into how to use passkeys. If my normal flow is using 1Password for 2FA (on mobile and on the computer), is there a way I can still use that with passkeys? It says they’re supported, but I’m not sure how that’d work, because aren’t they device-specific?

    I just don’t want losing access to my phone for whatever reason to mean that I lose access to my accounts.

  • SaraTonin@lemmy.world · 13 up · 9 hours ago

    The promise of passkeys when I first read about them was that it would be quick and easy: that you wouldn’t need to enter a username or use 2FA. The reality appears to be that it’s used **as** 2FA.

    • UnfortunateShort@lemmy.world · 3 up, 1 down · 9 hours ago

      Personally, I found that it works well with Microsoft, PayPal, Google, Shopify and Proton. I was really surprised to find the option on German government sites; it worked there as well. Tested in Ungoogled Chromium and LibreWolf. The only thing I find disappointing is adoption.

    • cmhe@lemmy.world · 2 up · 7 hours ago

      I store the passkeys in my self-hosted Vaultwarden; they are a good replacement for auto-inserting random passwords into text boxes.

  • Brokkr@lemmy.world · 82 up, 3 down · 15 hours ago

    While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.

    Passkeys are a technology that was surpassed 10 years before its introduction, and I believe the only reason they are being pushed is that security people think they are cool and tech companies would be delighted to lock you into their system.

    • cmhe@lemmy.world · 1 up · 6 hours ago

      I use them with Bitwarden and a self-hosted Vaultwarden. If my phone breaks, no issue. If my server breaks, I’ve got local backups… Keys are stored encrypted in a Postgres database to which I have access, if I need to restore it. No lock-in issue or risk of losing access when one or two devices break.

    • jj4211@lemmy.world · 3 up · 12 hours ago

      Passkeys are a technology that were surpassed 10 years before their introduction

      Question is: by what? I could see an argument that it is an overcomplication of some ill-defined application of X.509 certificates or SSH user keys, but roughly they are all comparable fundamental technologies.

      The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored, rather than leaving it up to the user. You want to use a passkey on a site that you manually trusted? Tough, not allowed. You want to use one against an IP address, even if that IP address has a valid certificate? Tough, not allowed.

        • jj4211@lemmy.world · 2 up, 1 down · 11 hours ago

          Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. It also doesn’t do anything to mitigate a phishing attack: should the user get fooled, they will leak a password they care about.

          2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are:
          - Transcribing the code is a pain
          - Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them
          - Still susceptible to phishing, albeit on a shorter time scale

          Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.

    • sentientRant@lemmy.world (OP) · 1 up, 1 down · 11 hours ago

      Even if you are really careful, your details can always be leaked from a company server during a breach. If companies adopt passkeys, that issue isn’t there, because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.

  • kjetil@lemmy.world · 44 up, 2 down · 16 hours ago

    The biggest disadvantage:

    Disadvantages of Passkeys

    Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access across multiple devices.

    More eggs in the American megacorp basket for more people, yay

    • Doccool@lemmy.world · 16 up · 16 hours ago

      Currently I use a FOSS (I think?) password manager, Bitwarden, that supports passkeys. I use it across Mac, Windows and Android, so while my passkeys are locked to the password manager, I am not locked to any of the aforementioned megacorps.

      • kjetil@lemmy.world · 5 up · 11 hours ago

        I use Bitwarden too. OS-, device- and browser-agnostic is a win.

        But I imagine the vast majority of people will use whatever their platform is pushing, so Apple, Google or Microsoft. And in 5 years’ time “3rd party passkeys” are not “secure enough” and blocked by the OS. (OK, that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind.)

    • 3abas@lemmy.world · 2 up, 5 down · 16 hours ago

      Your password hashes (assuming they even hash them) already live on their servers…

  • baggachipz@sh.itjust.works · 6 up · 15 hours ago

    My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.

    • HereIAm@lemmy.world · 2 up · 12 hours ago

      That doesn’t sound like a TOTP vs. passkey situation, though. It sounds like the program just releases the passkey when you give it the fingerprint. There wouldn’t be anything stopping the program from generating an OTP and passing that along when you identify with the fingerprint.

      I think a big issue is how difficult it can seem to be to get easy access to TOTP codes, like in your example digging up your phone. But that’s more of a browser/operating system failure for not implementing a way to generate those codes like they can already store usernames and passwords.

  • Obinice@lemmy.world · 6 up, 3 down · 13 hours ago

    Okay, so long as a passkey is something I can memorise. Otherwise, it’s significantly worse than a regular password (assuming you use good passwords and don’t reuse passwords etc).

    It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don’t have access to that computer at all times, or it breaks, or is lost?

    I’m planning on getting rid of my smartphone for something that just does calls and texts for example, because I’m sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?

    My brain is the best place to store passkeys, it can’t be hacked, stolen, lost, etc, unlike every other option. It’s easily capable of storing lots of randomised unique passwords for each service (surely I’m not the only one that can do this?). It’s the clear winner.

    • sentientRant@lemmy.world (OP) · 1 up, 1 down · 11 hours ago

      You just need to memorise the PIN at max. If your device has biometric recognition you could even use your face scan or fingerprint so even remembering a PIN is not needed in that case.

    • asmoranomar@lemmy.world · 6 up · 10 hours ago

      No. It’s a completely different process. It’s a bad name for what it actually does. (Unless you’re talking about how computers do things, then EVERYTHING is numbers)

      Look up public/private key pair encryption. It’s the process that has changed.

      The problem with all these “what are passkeys” guides is that it’s difficult to convey the differences between password and passkeys if you don’t have a deep understanding of encryption or authentication systems.

        • asmoranomar@lemmy.world · 1 up · 4 hours ago

          TOTP is based on shared secrets, just like passwords. As such, it’s susceptible to many of the issues passwords are and is much closer to passwords than passkeys. Passkeys, on the other hand, don’t have shared secrets and operate completely differently under the hood.

          • sugar_in_your_tea@sh.itjust.works · 1 up · 3 hours ago

            Yeah, the implementation is very different.

            I’m just saying that it’s similar from an average user point of view. You set it up once, then your app generates a unique code that the server can associate with you in a way that can’t be broken by a third party watching traffic.

            • asmoranomar@lemmy.world · 1 up · 1 hour ago

              That’s false: TOTP can and has been the target of man-in-the-middle attacks, successfully. The implementation of passkeys makes man-in-the-middle attacks more difficult, but it could still happen. So both are susceptible to third parties to some degree.

              As far as point of view goes, I was assuming we were talking about the process, since the goal of passkey UX is to be largely the ‘same as’. Which, to be frank, is way less dedicated since both the implementation of passwords and passkeys can vary widely (2FA, email, ID, OTP, etc). If we exclude those, the UX is the same; some users might even be using passkeys and not know it.