Forum Discussion
snoringelephant
6 months ago · Frequent Contributor
Why are passkeys so great?
I don’t get it. Passkeys don’t make the existence of user/passwords obsolete. Companies still have to save and protect my password. Hackers can still use my user/password to login. Companies d...
- 6 months ago
Hi snoringelephant,
Can you confirm for everyone reading this that you are not a 1Password employee and we didn't pay you to write this so we could start ranting about passkeys? 😄
We have this great FAQ about passkeys that answers some of your questions, though it's a couple years old and 1Password has more robust passkey capabilities these days. I also want to call out this helpful comment on the 1Password subreddit from a user giving a great overview of passkeys and their advantages.
To add my own two cents:
From the sites that I've seen offering passkeys, you're right that they're still almost always offering a username/password option to authenticate, which reduces the benefits. If we get to the stage where passkeys are the only option, though, we'll see some significant advantages:
- No more having to change passwords because of a data breach.
- Today's social engineering and phishing attacks to get passwords won't be a threat.
I appreciate your kind words about how 1Password makes it easy to log in even with long, complex passwords and we try and make that as easy as possible. We know passwords will be around for a long time, but there's a lot of excitement about what passkeys offer for security.
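Added example, not part of the thread and not 1Password's code: a simplified Node.js model of a passkey (WebAuthn) login that shows where the two advantages listed in the reply above come from. The site keeps only a public key, and the signed data carries the login challenge and the origin the browser saw. The names `RP_ID`, `RP_ORIGIN`, `register`, `getAssertion`, `verifyAssertion` and `demo`, and the example.com and .test addresses, are assumptions made for the illustration.

```javascript
// Simplified model of a WebAuthn assertion: no CBOR, flags or signature counter.
const { generateKeyPairSync, createHash, sign, verify, randomBytes } = require("node:crypto");
const sha256 = (data) => createHash("sha256").update(data).digest();
// Constructed relying party; example.com is a placeholder.
const RP_ID = "example.com";
const RP_ORIGIN = "https://example.com";

// Registration: the private key stays with the authenticator, the site keeps only the public key.
function register() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { privateKey, rpId: RP_ID }, serverRecord: { publicKey } };
}

// Client side. The browser, not the page, writes the origin into clientDataJSON. Real browsers
// also refuse to use a credential on a non-matching origin; this model skips that check.
function getAssertion(authenticator, challenge, browserOrigin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin: browserOrigin,
  }));
  const authenticatorData = sha256(authenticator.rpId); // rpIdHash only in this model
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign("sha256", signed, authenticator.privateKey) };
}

// Server side: check type, challenge, origin and rpIdHash, then the signature.
function verifyAssertion(serverRecord, expectedChallenge, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "bad type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== RP_ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.equals(sha256(RP_ID))) return "rpId mismatch";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify("sha256", signed, serverRecord.publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { authenticator, serverRecord } = register();
  const challenge = randomBytes(32);
  const genuine = getAssertion(authenticator, challenge, RP_ORIGIN);
  const phished = getAssertion(authenticator, challenge, "https://example.com.login.test"); // constructed look-alike
  const otherKey = register().authenticator; // stands in for someone without the private key
  return {
    genuine: verifyAssertion(serverRecord, challenge, genuine),
    phished: verifyAssertion(serverRecord, challenge, phished),
    replayed: verifyAssertion(serverRecord, randomBytes(32), genuine), // later login, fresh challenge
    forged: verifyAssertion(serverRecord, challenge, getAssertion(otherKey, challenge, RP_ORIGIN)),
  };
}
console.log(demo());
```

None of these checks cover what happens after login, so the session cookie issued on success still needs its own protection.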
AJCxZ0
6 months ago · Silver Expert
During these early days of inconsistent implementations of passkeys on both client and server sides, these are all legitimate questions, none of which I plan to answer directly.
If we only consider 1Password on the client side and passkeys handled as a first and only identification and authentication method on the server side - as some good sites and services do - then the entire process of logging in is clicking the button on the modal to log in. That - by any standard - is easy and the technical details of the process make it categorically more "secure" than all the other methods.
If you want a picture of the future, imagine a boot... I mean this process, but without all the passwords and second factors.
Then your session cookie gets stolen by the automatically updated browser extension which went rogue.