To be honest, it's still a bit confusing to me. But I suppose 1Password will manage these Passkeys in the future, I guess this is what they are trying to say?
Similar for me. My current understanding is it's like key and token, similar to PGP. Pages send a public key to my device where it is rejected or approved by me with my private key, biometric options or whatever. Image: https://image.futurezone.at/images/cfs_616w/7203084/graphic_login.png
And there goes the privacy. Another way to easily identify users. Not much different from using ID to login to xxx.
Quite some time ago 1Password already announced that they would support storing passkeys for websites/services (that support them) in a 1Password vault: https://blog.1password.com/passkeys-are-coming-to-1password/ Recently, they additionally announced that they will also support them for unlocking the 1Password vault itself (instead of username, Secret Key and optional 2FA factor): https://blog.1password.com/unlock-1password-with-passkeys/
It's probably better to compare passkeys to physical security keys, like the YubiKey, as they both are based on WebAuthn: https://webauthn.guide/
How so? I thought that due to the scoped nature (a separate keypair for every website/service) they would be better for privacy?
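The scoped key pair and challenge/response that the posts above describe, as an added Go example (not from this thread, 1Password or any WebAuthn library): a constructed authenticator keeps one P-256 key per relying-party ID, signs the site's challenge together with the origin the browser actually connected to, and the site verifies with the stored public key only, so a second site's key cannot verify the assertion and a look-alike origin is rejected. The rpIds, origins and challenge are made-up values, and the rpIdHash/clientData layout is a simplification of WebAuthn's authenticatorData.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator keeps one key pair per relying-party ID (rpId), the "scoped" property of a passkey; private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey
// Register creates a fresh P-256 key pair for rpId; only the public key is sent to the site.
func (a Authenticator) Register(rpId string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpId] = priv
	return &priv.PublicKey
}
// clientData is a cut-down collectedClientData; the browser, not the user, fills in the origin it really connected to.
type clientData struct {
	Challenge []byte `json:"challenge"` // encoding/json emits this as base64, like WebAuthn
	Origin    string `json:"origin"`
}
// signedDigest mirrors WebAuthn: the signature covers sha256(rpId) || sha256(clientDataJSON).
func signedDigest(rpId string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpId)), sha256.Sum256(cd)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}
// Assert answers a login challenge with the key scoped to rpId; ok is false if no such credential exists.
func (a Authenticator) Assert(rpId, origin string, challenge []byte) (cd, sig []byte, ok bool) {
	priv, found := a[rpId]
	if !found {
		return nil, nil, false
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpId, cd))
	return cd, sig, err == nil
}
// Verify is the site's side: check origin and challenge, then the signature with the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpId, origin string, challenge, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Origin != origin || string(p.Challenge) != string(challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(rpId, cd), sig)
}
```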
Based on which facts? In case the service still has your personal details there is exactly no difference. The other point that you missed is that a passkey is 2FA but without numbers; the service does not really know from what device with which phone number you answer. There also exists the option to run smartphones without any number, only with net access and no Google account. In case of a YubiKey put onto USB on a phone there is more difference. Chill a lot. I already had a look at the YubiKey, but did not investigate further. The 5 NFC would fit my needs. Is the price yearly or lifetime?
It is not about the key, but where it is gonna be stored/generated, it will have to be a supported app, like Google Authenticator. No wonder GAFAM wholeheartedly supports it. Passwords are anonymous, not linked, unlike passkeys.
I’m in the Apple ecosystem. On those devices you don’t need an App; the OS supports passkeys natively: https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios Important detail: “It’s end-to-end encrypted in iCloud Keychain, so no one—not even Apple—can read it.”
BTW, lately I have been reading about passkeys, but I was a bit surprised that at the moment you can't import/export passkeys. And I still wonder if this syncing stuff is truly safe. Also, what if someone steals your passkeys, do they still need physical access to your devices? With stolen passwords you will at least still have 2FA "one-time codes" that the attacker needs to be able to generate. This is a quite comprehensive article, and I believe passkeys are probably better than passwords in many ways, but I'm still not completely convinced. It also seems that not a lot of websites have added support for passkeys, and the question is what will happen if you need to recover your account. https://passkeys.directory https://arstechnica.com/information...for-you-but-they-are-safe-and-easy-heres-why/
So clearly not for me. I made this mistake once, using Google login for everything; after losing access to it, I lost about 100 accounts permanently. Passwords are safer, private and trouble-free; passkeys are just another hype.
Passwords have always been "safe" if they've been given the opportunity. How often have you tried to create a strong 14 digit password using symbols and have been denied that option? Minimum password requirements ranging from any 8 keystrokes you want to "you must include a capital/number". That's the biggest problem - not forcing users to take responsibility. The often quoted "security aspect" of password strength is often misguided. How often has a user been hacked on a personal device compared to the number of times that providers holding my password details have been hacked? There goes your password strength argument.
Password strength does not matter, passwords are 2FA, passkeys are 1FA, so passwords will always be safer.
This might raise passkey adoption: https://www.youtube.com/watch?v=uKfQrqMS9s8 (Using a passkey to log in to PlayStation Network)
Thanks, very interesting. So basically, with passkeys the 2FA part is sort of baked in. But another interesting discussion is about whether passkeys should be exportable or not, see links. Some say that if you give this option to export and import, they aren't any better than passwords, so it's a bit confusing. But you need a way to back up your passkeys to your other devices and external drives, for people who don't want to use the cloud, no? I don't want to rely on a cloud-based passkey manager. Also, what's the difference between a passkey manager storing passkeys in the cloud, and the user storing them on some external drive themselves? https://community.bitwarden.com/t/passkey-portability/59177 https://1password.community/discussion/142594/how-do-i-export-and-backup-my-passkeys https://www.reddit.com/r/1Password/comments/16p35ud/can_passkeys_be_imported_or_exported/
I did, and they clearly demonstrate one of the main fallacies of passkeys - IMHO: I don't want my passwords on a device, which can be lost, stolen or destroyed. I want the option to set up a minimum 15 digit password using all four character options.
I have invented a fantastic way of storing these - in your head. https://www.google.com.au/search?q=how to remember a long password
I can remember a few very long passwords, but how are you able to do this for dozens/hundreds of passwords?
Yes, but that's why you should always back up your passwords to either cloud or external drive. And every important account should be protected with 2FA. This way it doesn't even matter if someone stole your passwords. What about my other comment, about whether passkeys should be exportable? I still don't understand the part where only password managers should sync/back up your passkeys. Then what if your passkey vault gets hacked, I guess it's game over? I still can't visualize it entirely, because if someone steals your passkeys from your device or passkey vault (in the cloud), then there is no 2FA code that could still protect you, so how is this better than passwords + 2FA?
Good question! Don't know the answer. On the other hand, for how many people is 2FA really 2FA? Who is generating 2FA codes on a device where (s)he never logs in to the service (so entering credentials as well)?
I have watched a lot of YouTube videos about passkeys in the last few weeks, and strangely enough nobody addressed these questions. I assume that if passkeys are stored by password managers they can still be stolen, just like with your passwords. So that's why 2FA codes were invented. Without the 2FA code, the hacker can't do anything, except if he/she brute-forces or guesses your 2FA code. And because apps that generate these 2FA codes (authenticators) don't directly communicate with the legitimate website, these 2FA codes can be phished, which is another drawback. This is only a problem if malware is present on the device. For example, I also use a desktop 2FA app instead of a mobile device for convenience. As long as my system is malware-free, there is no problem. Passkeys sound good in theory, but you can't store them on only one device for obvious reasons. And I'd rather not store them in the cloud either. So this means they should be exportable, but in case of malware on my device, I'm still toast. But with password + 2FA code (or secret key), hackers need to steal them both.