Yubikey vs Passkeys

Options
Mork
Mork
Community Member
edited August 2023 in Browsers (Edge, Chrome, Firefox, etc.)

Since Yuibkeys seem inherently more secure, shouldn't we continue to use those over the upcoming "passkeys"? It's confusing to me how both coexist and whether one might work where the other wouldn't.

1Password Version: 7
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • hollabit
    hollabit
    Community Member
    Options

    Yubikeys are tied to the physical key that you must have with you on your person to be authenticated. Yubikeys are less convenient than passkeys but they can be more secure only if you need the security of a single air-gapped physical key. Typically, you register multiple yubikeys for each account in case you lose one.

    My understanding is passkeys are similar to yubikeys except they are software based and can be synced to all your devices via the cloud. A passkey is much harder to lose than a yubikey, so you don’t have to set up multiple passkeys for a single account.

    One example of where the physical security of a yubikey might be more useful than a passkey is ICANN’s 7 keys to the internet, which are used in a yearly ceremony and involves building an air-gapped PC from scratch. The security measures are super stringent for good reason, because those keys can be used to reboot the internet in an emergency.

    So unless you’re storing nuclear codes or trade secrets, a passkey is probably more appropriate than a yubikey for most people.

  • Dave_1P
    Dave_1P
    Options

    Hello @Mork! 👋

    Great question! Today, security keys like YubiKeys are used for two-factor authentication where you need to enter your password and then provide the security key as a second factor before you can authenticate to a service. The utility of security keys is that they can help prevent two big problems with passwords: phishing and password theft.

    Passkeys are different from passwords in that they address those problems directly without the need for a security key. Unlike passwords, passkeys are always strong and unique. Passkeys use public-key cryptography to achieve their high level of security, which makes them highly resistant to phishing and theft. Based on the same underlying technology as USB security keys, passkeys are entirely software-based, stored on your devices, and accessed using biometrics.

    You can read more about passkeys on our blog: Passkeys: the future of authentication in 1Password

    I hope that helps! 🙂

    -Dave

  • Mork
    Mork
    Community Member
    Options

    So, if I just ordered two Yubikeys, should I return them and wait for Passkeys?

  • Dave_1P
    Dave_1P
    Options

    @Mork

    It will be some time before every website on the internet builds support for passkeys. If your threat model is such that a security key is needed to protect yourself then I suggest that you continue using the Yubikeys that you ordered.

    -Dave

  • Mork
    Mork
    Community Member
    Options

    How will you change 1Password so that passkeys replace the hundreds of passwords? Do you describe that transition in your link above? Thanks

  • Ben
    Ben
    Options

    @Mork That isn't a change that 1Password itself can make. The websites you have accounts with will have to add support for Passkeys and offer a method for changing from password-based authentication to Passkey-based authentication. Passkeys and passwords will likely continue to co-exist for a long time to come. And there may be sites/services/systems that never adopt Passkeys. It isn't as though January 1 everybody is going to drop passwords and start using Passkeys, as nice as that might be. 😉

    Whether you have Passkeys, passwords, or a mix of both, 1Password will be able to store them for you.

    Ben

  • Skyfay
    Skyfay
    Community Member
    Options

    I also have a question about this topic.

    Namely, I just enabled 2FA with Security Keys on a website. Now I could also create a passkey from 1Password instead of a security key to authenticate myself like with a security key.

    Passkeys are intended for authentication with the passkey only and not with a username or any other 2FA means.

    So my question, couldn't you then also use a security key for this login instead of a passkey. So that you can use the security key to log in without username etc.?

    Doesn't a security key do exactly the same as a passkey, only a passkey is digital and a security key is physical?

    This would then mean that this type of authentication with a passkey could also be realized with a Yubikey, for example, right?

  • XIII
    XIII
    Community Member
    Options

    So my question, couldn't you then also use a security key for this login instead of a passkey. So that you can use the security key to log in without username etc.?

    Yes, but only if the security key supports Discoverable Credentials / Resident Keys:

    https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

  • Skyfay
    Skyfay
    Community Member
    Options

    The question is also, does it make more sense to store all 2FA tokens in the password manager and then use passkeys as 2FA instead of security keys and use the security key exclusively for the authentication of 1Password, or should you rather have 2FA on the Yubikey, because if someone has access to the 1Password via the PC he still can not log in without Yubikey 2FA?

This discussion has been closed.