Forum Discussion
snoringelephant
6 months ago
Frequent Contributor
Why are passkeys so great?
I don’t get it. Passkeys don’t make the existence of user/passwords obsolete. Companies still have to save and protect my password. Hackers can still use my user/password to login. Companies d...
1P_SimonH
Community Manager
6 months ago
Hi snoringelephant,
Can you confirm for everyone reading this that you are not a 1Password employee and we didn't pay you to write this so we could start ranting about passkeys? 😄
We have this great FAQ about passkeys that answers some of your questions, though it's a couple years old and 1Password has more robust passkey capabilities these days. I also want to call out this helpful comment on the 1Password subreddit from a user giving a great overview of passkeys and their advantages.
To add my own two cents:
From the sites that I've seen offering passkeys, you're right that they're still almost always offering a username/password option to authenticate, which reduces the benefits. If we get to the stage where passkeys are the only option, though, we'll see some significant advantages:
- No more having to change passwords because of a data breach.
- Today's social engineering and phishing attacks to get passwords won't be a threat.
I appreciate your kind words about how 1Password makes it easy to log in even with long, complex passwords and we try and make that as easy as possible. We know passwords will be around for a long time, but there's a lot of excitement about what passkeys offer for security.
snoringelephant
5 months ago
Frequent Contributor
Hello 1P_SimonH ... Thank you so much for your response (and AJCxZ0 ). I took a few days off, so I am just getting back to replying to this thread -- although I did see, read and appreciate the replies when they were first written.
Yes, I can confirm I am not a 1Password employee and I am not a paid actor 🕶️
Both articles were helpful and corrected my misunderstanding about the authentication flow (specifically that passkeys are authenticated at the client and, therefore, are not subject to a 'man-in-the-middle' attack during the authentication flow).
Both articles, however, claim that passkeys never leave the device which is not exactly true. "Passkey Managers" (like 1Password) save and sync the passkey (generated on Device 'A') using their own central storage and synchronization methods for the purposes of being able to use the passkey during the authentication flow on Device 'B'.
I'm not saying storing & syncing passkeys is a bad thing. I think it is fundamental in a world where people own so many different devices. This is where statements like "The private key is stored securely on your device" throw me off. When using passkey managers like 1Password, I would expect the passkey to ONLY be stored in 1Password. Storing the passkey on the actual device it was generated on isn't required and, arguably, should NOT exist on the device.
I would be curious to know if 1Password leaves the passkey as some type of 'breadcrumb' on the original device that generated it or not. Do you know, 1P_SimonH ? (or am I supposed to be asking ChatGPT these days 🤦‍♂️ ).
As always, thanks for sharing your human thoughts.
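The two advantages listed in the reply above (nothing secret for a site to leak, and phishing pages getting nothing reusable) both come from how a passkey sign-in is checked on the server. The following is an added example, not part of any post in this thread and not 1Password's or any site's code: a simplified Node.js model of a WebAuthn assertion. The function names, `example.com` and the `.test` origin are constructed for illustration, and CBOR parsing and signature-counter handling are left out.

```javascript
// Added example: names and values are constructed, not 1Password or site code.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the passkey is a key pair; the site stores only the public half.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Simulated browser + authenticator. The browser, not the page, writes the origin.
// A real browser would refuse a request for this rpId from an unrelated origin.
function signAssertion(privateKey, rpId, pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin: pageOrigin,
  }));
  const flags = Buffer.from([0x01]);   // user-present bit
  const signCount = Buffer.alloc(4);   // counter unused in this sketch
  const authenticatorData = Buffer.concat([sha256(rpId), flags, signCount]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party checks; returns 'ok' or the reason for rejection.
function verifyAssertion(publicKey, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'stale or foreign challenge';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = crypto.randomBytes(32);
  const expected = { rpId: 'example.com', origin: 'https://example.com', challenge };
  const real = signAssertion(privateKey, 'example.com', 'https://example.com', challenge);
  // Same key and challenge, but the browser recorded a look-alike origin.
  const relayed = signAssertion(privateKey, 'example.com', 'https://example-login.test', challenge);
  return [verifyAssertion(publicKey, expected, real), verifyAssertion(publicKey, expected, relayed)];
}
console.log(demo());
```

The site's database holds only `publicKey`, which cannot be used to sign in, and a signature made on a look-alike page fails the origin check even though the correct private key produced it.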