Forum Discussion

snoringelephant
Frequent Contributor
6 months ago
Solved

Why are passkeys so great?

I don’t get it. Passkeys don’t make the existence of user/passwords obsolete. Companies still have to save and protect my password. Hackers can still use my user/password to log in. Companies don’t require passkeys... but they do require passwords. Passwords are not going away, right? (Although the way people talk about passkeys, they act like they are.)

Why is it so painful for people to enter their username and password when they have tools like 1Password that make it so easy to autofill and manage “Fantastic” 20-30 character complex generated passwords that are unique for every web site you visit, so no password is reused? (Not to mention the excellent one-time password integration by 1Password: with more and more sites, the codes are automatically pulled out of 1P and populated when it is configured as the authenticator app.)

Why do I need a passkey if I am perfectly happy and secure with 1Password’s autofill capabilities? Tonight, I signed into a site using a passkey and I still had to get a code from my phone since 2FA was enabled. So, passkeys didn’t save me the 2FA step. So why bother?

Is it because of man-in-the-middle attack and the password is more easily captured and used as opposed to a passkey?  I thought that would be mostly mitigated via https encryption over the wire.

My point is that someone can still login with the user/password…so u/p does not go away.

Can someone please make the case for me to abandon my 1Password password autofill and use passkeys instead?


3 Replies

  •
    AJCxZ0
    Silver Expert

    During these early days of inconsistent implementations of passkeys on both client and server sides, these are all legitimate questions, none of which I plan to answer directly.

    If we only consider 1Password on the client side and passkeys handled as a first and only identification and authentication method on the server side - as some good sites and services do - then the entire process of logging in is clicking the button on the modal to log in. That - by any standard - is easy and the technical details of the process make it categorically more "secure" than all the other methods.
    If you want a picture of the future, imagine a boot... I mean this process, but without all the passwords and second factors.

    Then your session cookie gets stolen by the automatically updated browser extension which went rogue.

  •
    1P_SimonH
    Community Manager

    Hi snoringelephant,

    Can you confirm for everyone reading this that you are not a 1Password employee and we didn't pay you to write this so we could start ranting about passkeys? 😄

    We have this great FAQ about passkeys that answers some of your questions, though it's a couple years old and 1Password has more robust passkey capabilities these days. I also want to call out this helpful comment on the 1Password subreddit from a user giving a great overview of passkeys and their advantages.

    To add my own two cents:

    From the sites that I've seen offering passkeys, you're right that they're still almost always offering a username/password option to authenticate, which reduces the benefits. If we get to the stage where passkeys are the only option, though, we'll see some significant advantages:

    • No more having to change passwords because of a data breach.
    • Today's social engineering and phishing attacks to get passwords won't be a threat.

    I appreciate your kind words about how 1Password makes it easy to log in even with long, complex passwords and we try and make that as easy as possible. We know passwords will be around for a long time, but there's a lot of excitement about what passkeys offer for security.


    •
      snoringelephant
      Frequent Contributor

      Hello 1P_SimonH... Thank you so much for your response (and AJCxZ0). I took a few days off, so I am just getting back to replying to this thread, although I did see, read and appreciate the replies when they were first written.

      Yes, I can confirm I am not a 1Password employee and I am not a paid actor 🕶️

      Both articles were helpful and corrected my misunderstanding about the authentication flow (specifically that passkeys are authenticated at the client and, therefore, are not subject to a 'man-in-the-middle' attack during the authentication flow).

      Both articles, however, claim that passkeys never leave the device which is not exactly true.  "Passkey Managers" (like 1Password) save and sync the passkey (generated on Device 'A') using their own central storage and synchronization methods for the purposes of being able to use the passkey during the authentication flow on Device 'B'.

      I'm not saying storing & syncing passkeys is a bad thing. I think it is fundamental in a world where people own so many different devices. This is where statements like "The private key is stored securely on your device" throw me off. When using passkey managers like 1Password, I would expect the passkey to ONLY be stored in 1Password. Storing the passkey on the actual device it was generated on isn't required and, arguably, it should NOT exist on the device.

      I would be curious to know if 1Password leaves the passkey as some type of 'breadcrumb' on the original device that generated it or not. Do you know, 1P_SimonH? (Or am I supposed to be asking ChatGPT these days 🤦‍♂️.)

      As always, thanks for sharing your human thoughts.