A lot of services support passkeys. Microsoft even has an option to make my account "passwordless". Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone's thoughts on passkeys. ๐
Passwords can be leaked, mostly by bad security on server side.
Passkeys use secure keys, it checks public keys on both sides and send private key to authenticate, without both keys can't login or if the server is compromised.
It sends information encrypted via your public key to your client, then your client proves that it's the real owner of the key by decrypting the message, and then sending a new message back encrypted by the private key that the server can then verify.
This is what's better than a password, the information for providing authentication (the private key) never leaves your computer (where as you almost in all implementations of password based auth, send the password itself to the server).
Passkeys as password replacements reduce the total factors required to login to a service. If you use 2fa for all your services anyway then passkeys are a downgrade. That's why so many people are angry theys re having security options removed.
For people who use the same username and password everywhere, then passkeys are a upgrade.
So normal people get a benefit from passkeys in exchange for getting locked into a ecosystem.
For security minded people I hate passkeys.
Less factors to login
Discoverable
Unlike fido2 webauthn the service the credentials attach to have to be known, so if anyone steals your hardware key, or gets access to your phone they can see all the passkeys and accounts you have
I WANT my logins to be something I know, something I have, and something I am. Password, hardware key, biometric unlock of key.
I don't mind passkeys existing, but I HATE that services are replacing hardware key flows with passkey flows. I want to use my hardware key as fido2 not as a passkey. I don't want to downgrade my security! Microsoft makes it impossible to use a 2fa hardware key as a second factor now, only as a passkey, that's strictly worse then before.
To be fair, there is a "something you know" factor - the passphrase for the database containing the passkeys. But I kinda do wish they were more easily password-protected individually, like how you do with SSH keys. You can have a separate database for each passkey I guess... But yea, inconvenient.
They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.
If a user never reuses passwords across different services and maintains long complex passwords, preferably randomized strings; the security upgrade of Passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from 'ideal' password security practices though, the more of a security upgrade Passkeys would be for them; though convincing them of that is another story...
Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren't reused, insufficiently complex, or already compromised; and the service provider doesn't need to worry about leaking your passkey as they only have the public key portion which can't be used to login as you.
In some ways they can be more inconvenient though. With a password, even long unique complex passwords stored in my password manager; I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible; essentially forcing you provide the whole vault to the device or give up.
It is also a big step for people that aren't familiar with password managers and are used to just remembering their passwords, to then switch to a passkey manager where they can't use their memory to login anymore.
There's good sides and bad sides to everything really. Some people will prefer one way, some will want the other way.
Ultimately I think we'll get pushed into using Passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to less claims of fraudulent activity.
Passkeys (depending on implementation) are more resistant to info stealer viruses.
The private key portion can be in your OSโs credential store and can be used to sign the challenge without being revealed to the calling application.
Of course this doesnโt work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, ie AWS credentials, saved browser passwords etc.
I highly dislike the idea of a passkey replacing a password as it means you've lost the something you know and replace it only with something you have.
Very enlightening read. That service lock-in is so real. I had some passkeys in Google Password manager (Android) just to try them out, and then wanted to move them to Bitwarden. I had already disabled Google Password manager on my phone to use Bitwarden. Imagine the headache I had to deal with to move a single passkey over to Bitwarden (really, I deleted one and added one, while dealing with UI hurdles). Until this improves (if ever), I'll probably stick to my passwords and normal 2FA.
Since I use a good password manager. And use TOTP on everything I can. Which admittedly I do store in my password manager as well. I don't think passkey really improves security very much in my case.
That being said though I'm a big fan of passkeys and use them everywhere I can. But I don't store them on devices only in my password manager. So I don't have to worry about if I lose a device.
I think where passkeys really shine though is for people who still aren't using a password manager. While I've tried to get everyone I know using bitwarden most still don't. And the ones that do still don't have half of there accounts in it. They are still reusing passwords across multiple sites. So I think passkeys will massively increase security for the majority of ppl. And for those of us using password managers I still think its a slight improvement to convenience.
They're better than passwords in that they really are phishing proof and well they are basically RSA key pairs that are generated, so they are naturally brute force resistant. Great for the majority because most people reuse their crappy password over and over again, ignorant of the fact that password managers exist just because they have to spend 10 seconds more to press buttons to generate a password and store them in the db. The tech is great as long as the user knows how to keep them safe.
HOWEVER: Since third party password managers (like Bitwarden, 1Pass, etc.) just recently started to provide support for passkeys, alot of people who wanted to use passkey on first release were locked into big tech bros like Google on Android and Apple on iOS' solutions. And well that's not good at all.
The tech is great though, I'm all for it. You just need to know where to store them. Ideally, I'd store them offline on my device and that exists already but not on Linux (afaik) nor on Android are they a reality yet.
^They definitely are not more than secure than my yubikey though.^
@bilbobaggins The good part: my self-hosted VaultWarden supports passkeys, so I've added them to everything I can. The bad part: Android does not support third-party passkeys on Android 13 and lower, and guess whose phone is stuck with 13 being the latest official release for his smartphone - that means that the websites that completely substitute the password with a passkey, such as PlayStation and Microsoft, are currently off-limits for me because I'll end up locked outside.
Yeah, I noticed incomplete support as well even though I do have Android 14. I opened an incognito tab on my phone to log in to Google with my passkey and it kept asking for my device fingerprint. Not the passkey I saved in Bitwarden. It still logged me in but it wasn't quite right. Feels like Android really wants me to use Google's passkey manager ๐ hopefully this all changes in the future
I would very much prefer to use passkeys wherever possible. My password manager of choice Bitwarden also supports them. Unfortunately, Android 13 which I am running does not support setting a default app to handle passkeys. So I cannot access that functionality on my phone yet. I think in a few years I will be authenticating with passkeys for a lot of services. However there will be a lot of services that lag behind in terms of offering passkey authentication.
passkeys were invented for vendor lockin and will be used to add friction to migration, say if you wanted to move from apple to bitwarden well sorry you can't. fido originally made the protocol to sell their dongles and fought like hell to keep them off smart phones, platform vendors are only interested in this to lock you into their system too. there is absolutely nothing wrong with normal passwords.
I would like to use it (or any biometric authentication at all) on Linux with my USB fingerprint reader (DigitalPersona 4500), but it seems broken in libfprint and the devs are unresponsive to their gitlab issues. Using a Windows VM just for fingerprint support is not something I want to do either.
Was about to post the great blog post from my bookmarks, but another commenter beat me to it (t y !). Here's comments on that blog post on Lobsters and HN :
FIDO2 wasn't really adopted, so now they are marketing it under a new name (while also allowing more liberal ways of storing the keys, no "normal" user would keep a FIDO2 stick with them all the time). So, you can still use your FIDO2 stick (as long as it is not too old I guess) or a password manager like KeePassXC. No need to switch to the Apple/Google/Microsoft stuff.
Security is a spectrum and not everyone has the same threat model. Also weaknesses that target passkeys might be useless for those who use passwords, and vice versa. And as another commenter said, you kinda lose the "something you know" when you're only using a passkey. Or you could use both if a service allows it.