I am finally getting around to putting passkeys into action.. but something isn't adding up. As a low risk test, I added a passkey to a bestbuy account. Started up an incognito session, and logged back in with my PASSWORD. Uhhh...? Soooooo - passkeys are great (who doesn't like public key cryptography?!).. but if you can continue to log in with a password (didn't see a way to disable it), then what good are passkeys? Shouldn't it be a password OR passkey - but not both? Or, at a minimum, the ability to disable the password? What am I missing? Do most passkey enabled sites allow the password fallback? Thanks! 1Password Version: Not Provided Extension Version: Not Provided OS Version: Not Provided Browser: Not Provided

datx As ianto mentioned in their very good comment, we're currently at the beginning of a long transition period and passkeys will become more intuitive and standardized across the industry as time goes on. For the moment, many websites don't offer the ability to fully remove your password after adding a passkey so you'll be able to sign in using either your passkey or your password in most places. Continue to follow best practices and make sure that all of your passwords are strong and unique: Use the password generator to change and strengthen your passwords Part of the reason why many services leave passwords as a fallback option is because passkeys are not yet supported across all devices yet. 1Password warns folks when a password has been reused or should be made stronger, whether you're using a passkey or not: Use Watchtower to find account details you need to change -Dave

lodaka Fair point, I did ignore the part about a hardware key. Personally I think that passwords are simply meaningless now. The modern lore of 2FA is "something you know and something you have". But "something you know" is no longer realistic because no reasonably high entropy password per account can be remembered by a human, and it is vital with passwords that they be unique across all accounts given how often password databases are compromised. So 2FA only makes sense if you assume the bad practice of a manually remembered, reused password across all accounts. Once you start talking about 30 character passwords, 2FA is just theater because you already have to have something in your possession ("something you have") that can unlock the stored 30 character password that is impossible to remember. So in your example the password on top of the yubikey serves no purpose, other than the fact that it's required by the current login infrastructure for the password to exist. In other words the yubikey by itself would be fine. Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA. Trying to do all this via the current password infrastructure (as we all obviously are doing since we are here in the 1password forums) is fine, but it doesn't enforce good behavior by everyone since one can still just use a bad password.

We are in the early staged of Passkey implementation by services. Most services will fall back to the password you picked if no Passkey is available. Most services will also allow you to reset your passkey/password via an email sent to you. Passkeys themselves do not solve such issues. In time, as adoption grows higher, there will be a consensus in the industry on how to deal with this. But once again, we are very early right now. Even so, a password as a fallback is not really an issue. If you are concerned about a service that handles it in this way, simply pick a new very secure password and then never use it again. A secure and strong password that's not being used is still very secure. Be sure to write in to any service where you feel their account security could use a boost. Feedback is important. Also never forget that many services give back account access by mere customer support interaction, meaning social engineering into accounts is still the most problematic thing out there. Passkeys are a better implementation for account logins, but they do not solve all the problems of account security.

Thanks for the thoughtful response. I don't disagree with anything that you are saying. However, the general marketing push (I think) in advocating for passkeys is the user is controlling their fate by switching from insecure (passwords) to secure (passkeys). Let's assume passwords are still allowed, and security is ultimately out of the user's hands (e.g., customer service rep changing password). In that case, I think it is incumbent on the arbitrators of the passkey "push" (developers, security folks, websites adopting passkeys, etc) to document that if the user was not secure before passkeys (e.g., simple passwords) they aren't any safer after (without additional steps). A working bad password is still a bad password. So far (and my review is LIMITED), I haven't seen anything saying, "change your old password to something complex and never use it again." I also have not seen an option to disable (permanently or temporarily) when a passkey has been enabled. Companies seem to be more excited about what passkeys can do (and those benefits) versus what it is doing at the moment (in combination with the previous weaknesses that aren't being addressed). I guess my point is - if you are switching to passkeys, make sure you understand what it is (and is not) doing (on each site/app) and what steps you should be taking to increase their effectiveness (which I'm afraid isn't so evident to the typical user). two_cents

Thank you for the great links, 1P_Dave And datx — we all believe in an ideal world that we do not yet live. You mention the average user a lot, and I don't think the average user will be ultimately involved in a decision with passkey vs. password. In the end, the average user will be signing up for an account and logging into an account with just a biometric verification. They ultimately don't care if your browser sends a password over that then the server hopefully only checks against a hash and discards. Or if they do passkey authentication against a public key. The average user just doesn't care. They do their Touch ID or Face ID and are happy they are in the account. That's it. Technically a password manager filling in password fields has always been a hack. And the filling in and sending of the actual password was never ideal in a technical sense. Passkeys now allow for this process to be smoother and more streamlined. You could say modern. iCloud Keychain as well as more sophisticated solutions like 1Password are right on track to fulfill this journey with us. But the road ahead is bumpy and very long. Mostly in terms of how to steer the average user in the way of least friction, while retaining maximum security.

What am I missing with passkeys? | 1Password Community

12 Replies

datx
New Contributor
3 years ago
Thanks for the thoughtful response. I don't disagree with anything that you are saying.

However, the general marketing push (I think) in advocating for passkeys is the user is controlling their fate by switching from insecure (passwords) to secure (passkeys). Let's assume passwords are still allowed, and security is ultimately out of the user's hands (e.g., customer service rep changing password). In that case, I think it is incumbent on the arbitrators of the passkey "push" (developers, security folks, websites adopting passkeys, etc) to document that if the user was not secure before passkeys (e.g., simple passwords) they aren't any safer after (without additional steps). A working bad password is still a bad password.

So far (and my review is LIMITED), I haven't seen anything saying, "change your old password to something complex and never use it again." I also have not seen an option to disable (permanently or temporarily) when a passkey has been enabled. Companies seem to be more excited about what passkeys can do (and those benefits) versus what it is doing at the moment (in combination with the previous weaknesses that aren't being addressed).

I guess my point is - if you are switching to passkeys, make sure you understand what it is (and is not) doing (on each site/app) and what steps you should be taking to increase their effectiveness (which I'm afraid isn't so evident to the typical user).

two_cents
ianto
Occasional Contributor
3 years ago
We are in the early staged of Passkey implementation by services. Most services will fall back to the password you picked if no Passkey is available. Most services will also allow you to reset your passkey/password via an email sent to you.

Passkeys themselves do not solve such issues. In time, as adoption grows higher, there will be a consensus in the industry on how to deal with this. But once again, we are very early right now.

Even so, a password as a fallback is not really an issue. If you are concerned about a service that handles it in this way, simply pick a new very secure password and then never use it again. A secure and strong password that's not being used is still very secure.

Be sure to write in to any service where you feel their account security could use a boost. Feedback is important. Also never forget that many services give back account access by mere customer support interaction, meaning social engineering into accounts is still the most problematic thing out there.

Passkeys are a better implementation for account logins, but they do not solve all the problems of account security.

Forum Discussion

What am I missing with passkeys?

12 Replies

Featured discussions

November at 1Password: the Access-Trust gap, planning your estate, and an updated unlock experience

Recent discussions

1Password using wrong accent color on Windows 10

Feature Request: Show Original Contributor of Items in Shared Family Vaults

Chrome extension breaks client side code snippet rendering

1Password Access after Death, Legacy Contacts

I don't see the 1password icon in form fields of internal http websites?