datx (New Contributor), 3 years ago
What am I missing with passkeys?
I am finally getting around to putting passkeys into action.. but something isn't adding up.
As a low risk test, I added a passkey to a bestbuy account. Started up an incognito session, and logged back in with my PASSWORD. Uhhh...?
Soooooo - passkeys are great (who doesn't like public key cryptography?!).. but if you can continue to log in with a password (didn't see a way to disable it), then what good are passkeys?
Shouldn't it be a password OR passkey - but not both? Or, at a minimum, the ability to disable the password? What am I missing? Do most passkey enabled sites allow the password fallback?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
12 Replies
- Former Member
XIII said: Actually passkeys can still be 2FA, if the RP (relying party) requires User Verification (biometric or PIN)
That type of second factor is great and I'm all for it, but it's just a question of semantics -- that second factor is simply some additional protection on the private key so that it can't be easily reused like a lost house key found lying on the ground. It's not the same as the legacy password system where the "something you know" part has no connection to the "something you have" part.
My point is still the same: using something like 1password with high entropy site passwords, a high entropy One Password, and traditional 2FA is great, and (IMO) equally secure as passkeys. But it's no more secure, and suffers from the flaw that it can easily be less secure.
lodaka The problem is that using 1password plus yubikey is no longer "something you know + something you have", it's two "something you haves" since 1password is "something you have". So at that point we're just talking about redundancy, which is a burden on most people and comes with its own flaws. (Like easily being able to lock yourself out.) But sure, if FIDO wants to add formal, optional support for requiring two separate passkeys to log into a site, so that a user would require two "something you haves" like the double-keyed missile launcher in War Games, then maybe that will become a thing one day.
- lodaka (Frequent Contributor)
@jonpw I will slightly (and only slightly) disagree there. I am making some assumptions here (because I think the idea is to combine PIN or biometrics with the passkey), but if Yubikey is the sole method of unlocking whatever account you want to access, then someone stealing the physical possession of it would potentially introduce a slightly elevated risk -- again I am making assumptions here as this would be somewhat targeted. My post of course also assumes that there is a separate method of authentication other than the same Yubikey to access the password (e.g. 1Password) in the first place.
- XIII (Super Contributor)
Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA.
Actually passkeys can still be 2FA, if the RP (relying party) requires User Verification (biometric or PIN):
Passkeys are kept on a user’s devices (something the user “has”) and — if the RP requests User Verification — can only be exercised by the user with a biometric or PIN (something the user “is” or “knows”). Thus, authentication with passkeys embodies the core principle of multi-factor security.
Source: FIDO Alliance FAQ on passkeys.
- Former Member
lodaka Fair point, I did ignore the part about a hardware key. Personally I think that passwords are simply meaningless now. The modern lore of 2FA is "something you know and something you have". But "something you know" is no longer realistic because no reasonably high entropy password per account can be remembered by a human, and it is vital with passwords that they be unique across all accounts given how often password databases are compromised. So 2FA only makes sense if you assume the bad practice of a manually remembered, reused password across all accounts. Once you start talking about 30 character passwords, 2FA is just theater because you already have to have something in your possession ("something you have") that can unlock the stored 30 character password that is impossible to remember. So in your example the password on top of the yubikey serves no purpose, other than the fact that it's required by the current login infrastructure for the password to exist. In other words the yubikey by itself would be fine. Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA. Trying to do all this via the current password infrastructure (as we all obviously are doing since we are here in the 1password forums) is fine, but it doesn't enforce good behavior by everyone since one can still just use a bad password.
- lodaka (Frequent Contributor)
@jonpw Yes, I agree with everything you said -- I am also familiar with public key cryptography as a concept. Note that I didn't equate the two methods; I was referring to the security strength of each method. The second (and potentially more critical) part of my sentence refers to MFA with a hardware key, which would operate on public key cryptography at least for Webauthn-based systems. It seems to me that an added layer of 30-char password would add to the mix, not take away.
- Former Member
For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?
There is, in fact, one huge difference between passkeys and a 30-char password. Traditional passwords are symmetric -- both sides have to store/know the original password. Technically the server can and should store just a hash of the password, however 1) this (sadly) doesn't always happen and 2) there are potential issues with that as well, such as a hash search. Passkeys on the other hand are asymmetric. The server stores the matching public key to your private key. And the login process doesn't even exchange the actual keys. If somehow a hacker is able to get their hands on your public key because of a hack on the company side, there is zero chance that they can use that to login as you there or anywhere else. (Of course if they hacked into the entire company's back-end, it doesn't even matter. But it is often the case that databases of password data are hacked or leaked without a full corporate compromise.)
- 1P_Dave (Moderator)
Thanks for the reply. Security is definitely an iterative process and passkeys are a step forward for the industry as a whole with the aim of protecting everyone, regardless of their technical skill level.
Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can’t be phished like a traditional password because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams.
Passwords, even those supplemented by a TOTP authenticator app, can still be phished. You can still be tricked into entering your password and TOTP into a fake website that masquerades as the real website. A passkey solves this problem since it can only be used with the original website that you created it for.
Security keys are great, I own several myself, but two-factor authentication was designed to add an additional layer of protection to passwords against phishing. As mentioned, passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication, with a lot less friction.
-Dave
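The two points made above, that the server holds only a public key and that a passkey only works for the site it was created for, as an added Go example (not 1Password's or any site's code, and a simplification of the real WebAuthn assertion, which also signs authenticator data): the relying party's origin, the challenges and the look-alike phishing origin are all constructed names, and the relying party verifies with nothing but the stored public key.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
const rpOrigin = "https://login.example" // constructed origin this passkey was registered for
// clientData mirrors the WebAuthn clientDataJSON fields used here; the browser, not the user, sets Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// newPasskey generates the key pair; the relying party is handed and stores only &priv.PublicKey.
func newPasskey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed example: nothing sensible to do without a key
	}
	return priv
}
// assert is the authenticator side: the private key never leaves it, only a signature over SHA-256(clientDataJSON) does.
func assert(priv *ecdsa.PrivateKey, challenge, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}
// verifyAssertion is the RP side: challenge, origin binding and signature are checked with only the stored public key.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Challenge != challenge {
		return fmt.Errorf("client data is not a fresh answer to challenge %q", challenge)
	}
	if c.Origin != rpOrigin {
		return fmt.Errorf("assertion was made for origin %q, not %q", c.Origin, rpOrigin)
	}
	if h := sha256.Sum256(cd); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the stored public key")
	}
	return nil
}
func main() {
	priv := newPasskey()
	cd, sig, _ := assert(priv, "c1", rpOrigin) // constructed challenge; real RPs use random bytes
	pcd, psig, _ := assert(priv, "c1", "https://login-example.phish") // constructed look-alike origin
	fmt.Println(verifyAssertion(&priv.PublicKey, "c1", cd, sig), verifyAssertion(&priv.PublicKey, "c1", pcd, psig))
}
```

A leaked database of public keys gives an attacker nothing to replay, and an assertion produced while the browser is on the look-alike origin is rejected before the signature is even checked.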
- lodaka (Frequent Contributor)
Note that I am just an average joe, who's a bit security conscious -- i.e. just about 0 technical knowledge about any of this but only what I've been able to read on the Internet.
The way that I understood passkeys has been that it will improve security for average users, who, again on average, tend to think that "P@55w0rd" is a difficult password to break. I think an attempt was made to help these folks with authenticators and what not (first with SMS, email, etc.). For these folks, passkeys provide an exponentially more secure way to interact online while also making it easy to do so.
For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?
Lastly, again I blame my lack of technical knowledge on this subject matter, but if passkeys are sync'd (e.g. through 1Password), if a threat actor gains access to someone's 1Password vaults, I am assuming the TA will be able to fully use that, correct?
- ianto (Occasional Contributor)
Thank you for the great links, 1P_Dave
And datx — we all believe in an ideal world that we do not yet live in. You mention the average user a lot, and I don't think the average user will be ultimately involved in a decision with passkey vs. password.
In the end, the average user will be signing up for an account and logging into an account with just a biometric verification. They ultimately don't care if your browser sends a password over, which the server then hopefully only checks against a hash and discards, or if they do passkey authentication against a public key. The average user just doesn't care. They do their Touch ID or Face ID and are happy they are in the account. That's it.
Technically a password manager filling in password fields has always been a hack. And the filling in and sending of the actual password was never ideal in a technical sense. Passkeys now allow for this process to be smoother and more streamlined. You could say modern.
iCloud Keychain as well as more sophisticated solutions like 1Password are right on track to fulfill this journey with us. But the road ahead is bumpy and very long. Mostly in terms of how to steer the average user in the way of least friction, while retaining maximum security.
- 1P_Dave (Moderator)
As ianto mentioned in their very good comment, we're currently at the beginning of a long transition period and passkeys will become more intuitive and standardized across the industry as time goes on.
For the moment, many websites don't offer the ability to fully remove your password after adding a passkey so you'll be able to sign in using either your passkey or your password in most places. Continue to follow best practices and make sure that all of your passwords are strong and unique: Use the password generator to change and strengthen your passwords
Part of the reason why many services leave passwords as a fallback option is because passkeys are not yet supported across all devices.
1Password warns folks when a password has been reused or should be made stronger, whether you're using a passkey or not: Use Watchtower to find account details you need to change
-Dave