Is it wise to move to passkeys before public key algorithms are safe against quantum computers?

bsigmon

I finally understand passkeys a bit from this nice article: https://blog.1password.com/passkeys-vs-passwords-differences/

But given that quantum computing may pose a threat to existing public key algorithms, is it safe to move to passkeys before they incorporate algorithms which are deemed safe against quantum computers?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Referrer: forum-search:passkeys quantum

Tertius3

@bsigmon In case quantum computing will really break today's cryptography, it will be broken for everyone in the world. So there will be a global undertaking of updating cryptographic algorithms in ALL software to quantum-safe algorithms - if there are any quantum-safe algorithms.
Before the first capable quantum computer will show a cracking of some current strong algorithm and actually decode encrypted sample text, it will be years or tens of years.
And even then, we have another bunch of years until algorithms and their implementations have been researched that are considered quantum computing safe. There will not pop up some quantum computer that instantly decodes the whole internet including your 1Password vaults. It's more a process over a large number of years where quantum computing gets from vision to experimental (here we are currently) to the first lab to a few global labs to one quantum computer per country to more of them.

Over the course of this time, probably within the next 20-30 years, there is plenty of time to research and test new algorithms until the threat of a quantum computer cracking your password data becomes more than a theoretical possibility.

So it makes sense to release passkeys with current cryptography and add quantum-safe algorithms over the course of these years.

bsigmon

Thanks. I'm also thinking that this only really would matter if the company's password information is hacked. Today, they would have a hash value and could search for a password that hashes to that value. With passkeys, they would have a public key which they could potentially hack with some future quantum computer.

OK. I see lists of places I can try this now (bast buy, google), but I don't see on those sites where to switch. I guess it will come with time.

startcook1e

As far as I can see, neither Passkeys nor 1Password is quantum resistant yet. So obtaining your encrypted passwords would make you vulnerable (in however long quantum takes) anyway.
However, 1Password doesn't transmit your Passwords but rather proves that you know it. I don't know how that works with Passkeys.
So it doesn't really matter if you switch or not. You should change your passwords within the next few years anyway, so you are safe against possible interceptions. Both 1Password and Passkeys make that really easy.

There are algorithms that are quantum resistant but they are pretty new and not yet implemented by 1Password.

XIII

However, 1Password doesn't transmit your Passwords but rather proves that you know it.

That's only true for the 1Password's clients when logging in into the 1Password service itself.

So it doesn't really matter if you switch or not.

I don't know enough about quantum computing, but looking at current/common threads, passkeys definitely have advantages over password (they can't be leaked from hacked sites and they're phishing resistant).