A lot of services support passkeys. Microsoft even has an option to make my account “passwordless”. Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone’s thoughts on passkeys. 🔑

37 points

I use a password manager. I don’t care about it. Passwords are reasonably secure.

13 points

Passwords can be leaked, mostly by bad security on the server side.

Passkeys use secure keys: it checks public keys on both sides and sends the private key to authenticate; without both keys you can’t log in, or if the server is compromised.

It’s like how GPG or SSH works.

32 points

Close but private keys don’t get sent.

It sends information encrypted via your public key to your client, then your client proves that it’s the real owner of the key by decrypting the message, and then sends a new message back encrypted by the private key that the server can then verify.

This is what’s better than a password: the information for providing authentication (the private key) never leaves your computer, whereas in almost all implementations of password-based auth you send the password itself to the server.

7 points

A question, since you sound like you know what you’re talking about. Is this analogous to password-free SSH? I.e., a private key used to log in on the basis of a pre-agreed public key?

11 points

It sends the private key? Are you sure about that?

3 points

Just like positrons are the opposite of electrons maybe passkeys send private keys and keep the public ones in PKI… wait…

4 points

Passwords can be leaked, mostly by bad security on the server side.

Wouldn’t this be solved by storing only hashed passwords?


Let’s assume that hashing passwords falls into the “good security” bucket, and wouldn’t be part of the “bad security” scenario.

8 points

Password managers support passkeys.

5 points

I use a password AND passkey.

27 points

Passkeys as password replacements reduce the total factors required to log in to a service. If you use 2fa for all your services anyway, then passkeys are a downgrade. That’s why so many people are angry they are having security options removed.

For people who use the same username and password everywhere, passkeys are an upgrade.

So normal people get a benefit from passkeys in exchange for getting locked into an ecosystem.

For security-minded people: I hate passkeys.

  • Fewer factors to log in
  • Discoverable
    • Unlike FIDO2 WebAuthn, the service the credentials attach to has to be known, so if anyone steals your hardware key or gets access to your phone, they can see all the passkeys and accounts you have

I WANT my logins to be something I know, something I have, and something I am. Password, hardware key, biometric unlock of key.

I don’t mind passkeys existing, but I HATE that services are replacing hardware key flows with passkey flows. I want to use my hardware key as FIDO2, not as a passkey. I don’t want to downgrade my security! Microsoft makes it impossible to use a 2fa hardware key as a second factor now, only as a passkey; that’s strictly worse than before.

4 points

To be fair, there is a “something you know” factor - the passphrase for the database containing the passkeys. But I kinda do wish they were more easily password-protected individually, like how you do with SSH keys. You can have a separate database for each passkey I guess… But yea, inconvenient.

22 points

They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.

If a user never reuses passwords across different services and maintains long, complex passwords, preferably randomized strings, the security upgrade of passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from ‘ideal’ password security practices, though, the more of a security upgrade passkeys would be for them; though convincing them of that is another story…

Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren’t reused, insufficiently complex, or already compromised; and the service provider doesn’t need to worry about leaking your passkey as they only have the public key portion which can’t be used to login as you.

In some ways they can be more inconvenient though. With a password, even long, unique, complex passwords stored in my password manager, I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible, essentially forcing you to provide the whole vault to the device or give up. It is also a big step for people that aren’t familiar with password managers and are used to just remembering their passwords to then switch to a passkey manager where they can’t use their memory to log in anymore.

There are good sides and bad sides to everything really. Some people will prefer one way, some will want the other way. Ultimately I think we’ll get pushed into using passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to fewer claims of fraudulent activity.

2 points

Passkeys (depending on implementation) are more resistant to info stealer viruses.

The private key portion can be in your OS’s credential store and can be used to sign the challenge without being revealed to the calling application.

Of course this doesn’t work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, i.e. AWS credentials, saved browser passwords, etc.

In my view it’s cheap defense in depth.

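The challenge-response flow described earlier in the thread, the “only the public key portion” point a few comments up, and this comment’s point that the key signs the challenge without ever being revealed, as one added example that is not any commenter’s code: a toy Go model of WebAuthn registration and authentication using Ed25519 (one of the algorithms WebAuthn allows). The names (Authenticator, Server, Enroll, clientDataHash) and the stripped-down clientDataJSON are assumptions; real WebAuthn also signs authenticatorData and carries more fields, but the property shown is the real one: the server holds only a public key, a fresh challenge is signed together with the origin the browser saw, and nothing but the signature leaves the authenticator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator holds the private key: a real passkey keeps it in secure hardware or the
// password vault and never transmits it. Server stores public keys only, keyed by credential ID.
type Authenticator struct{ priv ed25519.PrivateKey }
type Server map[string]ed25519.PublicKey

// Enroll models WebAuthn registration: a fresh key pair per service, and only the public key reaches the server.
func Enroll(s Server, id string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s[id] = pub
	return &Authenticator{priv: priv}
}

// NewChallenge returns 32 fresh random bytes per login so an old assertion cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // guaranteed not to fail since Go 1.24
	return c
}

// clientDataHash models the hash of WebAuthn's clientDataJSON (simplified here), which binds the
// challenge to the origin the browser saw, so an assertion signed on a look-alike site does not verify.
func clientDataHash(challenge []byte, origin string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin)))
	return h[:]
}

// Sign produces the assertion; only the signature leaves the authenticator.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.priv, clientDataHash(challenge, origin))
}

// Verify checks the assertion with the stored public key for the origin the server expects;
// an unknown credential, a stale challenge or a different origin all fail.
func (s Server) Verify(id string, challenge []byte, origin string, sig []byte) bool {
	pub, ok := s[id]
	return ok && ed25519.Verify(pub, clientDataHash(challenge, origin), sig)
}

func main() {
	srv := Server{}
	auth := Enroll(srv, "cred-1")
	ch := NewChallenge()
	fmt.Println("genuine login:", srv.Verify("cred-1", ch, "https://example.com", auth.Sign(ch, "https://example.com")))
	fmt.Println("signed on another origin:", srv.Verify("cred-1", ch, "https://example.com", auth.Sign(ch, "https://example.org")))
}
```

A dump of `srv` is exactly what a server breach would yield: public keys that cannot produce a valid assertion for anyone.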
17 points

I’ll use passkeys if and only if they work with my password manager (Proton Pass). If not, I’m sticking with the password (and 2fa if they offer it).

5 points

Proton Pass already supports passkeys: https://proton.me/support/pass-use-passkeys

11 points

I know, but not all websites do.

4 points

The website has to build in support for them. You’ll start seeing it more over time.

16 points

I highly dislike the idea of a passkey replacing a password, as it means you’ve lost the something you know and replaced it only with something you have.

Passwords AND passkeys together sound great.

7 points

To be fair, you can’t use the passkeys unless you are logged into your password manager, which requires a password you “know”.

2 points

It could be your phone or computer as well, they don’t have to be in a password manager.

And that’s often going to be the default people use.

Now it’s just your face or fingerprint, both of which are easier to bypass if it’s targeted.

2 points

Well, then it’s still 2FA. Something you are and something you have.

