Forum Discussion
Former Member
3 years ago
Why do sites that I’ve enabled passkey on still hold my asterisked password?
Ok, I’ve set up passkey on a couple of sites, Adobe and Google. Both show registered passkeys. I get the little 1Password dialogue asking me to sign in and it all seems to work ok… however, on looking at my account details on these sites, although it shows a passkey is registered for each, it also shows asterisks in a field next to ‘password’. Maybe I don’t understand this fully, but I thought the whole idea of passkeys was to use a PKI model where the traditional (legacy) password was no longer stored anywhere in the site you’re logging in to, hence there would be no credential to hack or steal, only a public key which would be useless to anyone.
My assumption is that these passwords shouldn’t exist or be required once you’ve moved to passkey on that site. Can someone explain how passkeys increase your security IF the website still has a record of your password?
Regards,
DBS.
1Password Version: 8.10.18
Extension Version: 2.15.1
OS Version: iOS 17.0.3
Browser: Safari
4 Replies
- 1P_Dave
Moderator
I'm happy to help. 🙂
-Dave
- Former Member
Ok, that’s fair enough.
Thanks for the reply.
- 1P_Dave
Moderator
Hello @deltabravosierra! 👋
Thanks for the question! Passkeys are still very early days and different websites have decided on different implementations. Some websites will allow you to completely replace your password with a passkey and then forget your password; most websites currently seem to allow you to add a passkey as an alternative sign-in method but still keep the password option.
Since not all devices support passkeys you might need your password to sign in to your account on those devices.
Let me know if you have any other questions. 🙂
-Dave
- bugwhat
Super Contributor
I may be corrected by support.
I agree with you exactly that passkeys should replace the password.
You would expect once you create a passkey it would replace your password and 2FA codes, but there still might be a need for hardware security keys in some cases.
Does not look like that is gonna happen for some time.
So I just add the passkey where I can, but leave everything as is for now (like we have a choice).
Explained
On some websites you can turn off 2FA after creating a passkey, but I would still keep that stuff enabled for now, because until the website says your passkey can replace that stuff you might be lowering your security, because of too many options!
This means a person might have the same options at a public library etc.
Besides the private vs public key term, using your passkey to sign in is going to be secure from your device, because it can recognize a phishing website just like a hardware security key, but if you disable 2FA a person still has the option to try just your password it seems.
I do agree with your thoughts 100%.
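
The point discussed in this thread, as an added example that is not part of the original posts or any 1Password or website code: a simplified Node.js model of a site that stores both a password hash and a passkey public key. It is not the real WebAuthn wire format; the record layout, origins, sample password and function names are assumptions.

```javascript
// Simplified model (assumption, not real WebAuthn): one account, two sign-in paths.
const crypto = require('node:crypto');

const SITE_ORIGIN = 'https://example.com';                // constructed
const LOOKALIKE_ORIGIN = 'https://example-login.test';    // constructed

// The passkey: the private key stays on the user's device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// What the site stores: a salted password hash AND the passkey's public key.
const salt = crypto.randomBytes(16);
const account = {
  salt,
  passwordHash: crypto.scryptSync('correct horse', salt, 32), // constructed password
  passkeyPublicKey: publicKey,
};

// Device side: sign the site's challenge together with the origin the browser reports.
function signAssertion(challenge, origin) {
  const clientData = Buffer.from(
    JSON.stringify({ challenge: challenge.toString('base64url'), origin }));
  return { clientData, signature: crypto.sign('sha256', clientData, privateKey) };
}

// Site side: accept only a valid signature over this challenge and this origin.
function verifyPasskey(assertion, expectedChallenge) {
  const data = JSON.parse(assertion.clientData.toString());
  return data.origin === SITE_ORIGIN &&
    data.challenge === expectedChallenge.toString('base64url') &&
    crypto.verify('sha256', assertion.clientData, account.passkeyPublicKey, assertion.signature);
}

// Site side: the password path accepts the secret no matter where it was typed first.
function verifyPassword(candidate) {
  const hash = crypto.scryptSync(candidate, account.salt, 32);
  return crypto.timingSafeEqual(hash, account.passwordHash);
}

const challenge = crypto.randomBytes(32);
console.log('passkey, real origin:',
  verifyPasskey(signAssertion(challenge, SITE_ORIGIN), challenge));
console.log('passkey, look-alike origin:',
  verifyPasskey(signAssertion(challenge, LOOKALIKE_ORIGIN), challenge));
console.log('password, any origin:', verifyPassword('correct horse'));
```

The stored public key only verifies signatures and cannot produce them, while the password check succeeds for anyone who holds the password, which is why a site that keeps the password option still has that path to protect.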