
Are Passkeys a Potential Risk?

mike48397289
Community Member
edited June 2023 in Memberships

Hey there, fellow deep thinkers! I wanted to share something that's been on my mind lately. I'm pretty excited about passkeys and how they're being adopted. But, I've started to wonder if they come with their own set of issues. You see, if I decide to go all-in and use passkeys for everything online, I'll have to rely on my biometrics to access everything. And here's the thing: it might not be as secure as we think. Our biometric data isn't as private as we assume. Just think about it—border control already collects our fingerprints and scans our faces. Even the police (and maybe just about anyone) can now scan faces in public. I've even come across gyms that use fingerprint scans for access. Take, for example, Ursula von der Leyen, a German politician, whose fingerprints were captured in 2014. Plus, there's the risk of someone taking my biometrics while I'm asleep or against my will. It's surprisingly easy to do! And let's not forget that leaving fingerprints behind could be like leaving breadcrumbs for a savvy attacker to follow wherever I go. On the flip side, a strong password keeps all these risks at bay because it's something only I know and control.

Now, don't get me wrong. Passkeys are generally better and more secure overall. But I'm just curious, what do you guys think about the increased risk we face by relying so heavily on biometrics? I'd love to hear your thoughts!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • XIII
    Community Member

    As far as I know those “stolen” biometrics won’t unlock Apple devices, so passkeys are still safe in their Secure Enclave.

  • Tertius3
    Community Member
    edited May 2023

    New technology always comes with its own set of issues. Passkeys solve some issues, and open other issues. When the solved issues are more severe than the new ones, I'm fine.

    No security measure is perfect and the final solution, ever. The fingerprint stealing you talk about is an individual, customized hack. Highly elaborate and sophisticated, time intensive. Not feasible for mass stealing of biometrics. In contrast, passwords can be mass stolen - just steal a website database with millions of accounts, crack the hashes (websites tend to use obsolete hash algorithms), and you have a million accounts for a few hours of work. This is what passkeys are made for and what they are protecting against. Your action got you one account for hours of work, and this is not what passkeys are targeting. A valuable account, but only one account.

    However, it's required that passkeys are stored in a way so they cannot be mass stolen. Any cloud sync needs to be engineered very carefully.
    It's vastly more difficult to steal a passkey than it is to steal a password. To steal passkeys, you need to attack every individual account. You cannot pick some least protected website to get a million accounts with one single hack - you need to hack every individual account. The effort to get a million passkeys is a million times higher than to get a million passwords.

    If passkeys get more widespread, I guess we will see different attack figures. Less website hacking with password stealing, more individually targeted credential (and passkey) stealing. More trojans to fool you into authorizing malware-started account actions. More phishing, more social engineering. More malware that tries to crack the passkey storage of any individual person. More targeted attacks, fewer mass attacks. More value in the known financial situation of persons - if you know how rich someone is, you know whom to target first.

    What I see you need to be aware of after more widespread passkey usage is increased awareness of malware and phishing. And generally any information about your personal situation that can be exploited. Much more education about what probably should not be shared on social media.

  • XIII
    Community Member

    > More phishing

    Luckily, passkeys are resistant to phishing (because the URL of a website is used in the cryptographic process).

    https://support.apple.com/en-us/HT213305

  • Tertius3
    Community Member

    What I mean by phishing when it comes to passkeys is tricking someone into sending money to the criminal on their own. Not phishing credentials, but just making the victim send money to the criminal. Social engineering in the end. I don't assume the criminals will vanish from the internet if their income decreases due to better credential security. They will try and invent new things to exploit their victims. Probably things that worked in the physical world before the internet, but are slightly forgotten because with the internet it was so much easier - until now.

  • mybigfriendjo
    Community Member

    Another risk that I see is that somebody could lose their biometrics through a condition or an accident and lose access to their data forever. An accident where somebody loses a hand or gets a burnt face, and that would be it, with no other access to their vault.

    Sure you could argue that the same thing goes for forgetting a password due to trauma or a medical condition. But a password can be kept at a safe physical location as a backup. Biometrics don't really work that way.

  • Tertius3
    Community Member

    It can always happen that I hurt the finger I use for fingerprinting, so it temporarily cannot be used on a scanner. I don't know how sensitive these scanners are, but this might even be the case if I just cut myself seriously right through the fingertip while washing dishes. Because of this, I filled all 3 possible fingerprint slots on my Android phone: right thumb, right index finger, left thumb (the other hand!). And biometrics can never be the sole authenticator; you always need alternative methods.

  • mybigfriendjo
    Community Member

    Well, as I understand those passkeys, biometrics WOULD be the sole authenticator. At least the blog (https://blog.1password.com/unlock-1password-with-passkeys/) doesn't mention anything else.

    If you keep recovery keys as a backup then it's not truly password-less - you just have a number of one-time passcodes that you need to keep safely somewhere (not in your vault if it's for the vault itself) if your biometrics fail.

    If it's not something that I am (biometrics) because I've lost it, and not something I know (patterns, passwords, be they one-time or normal ones), then the only thing left is something that only I possess, a physical token like a YubiKey or something. Not really something everybody has just lying around.

    So I would not put my full trust in a biometrics-only system.

  • Dave_1P
    edited June 2023

    Hello @mike48397289! 👋

    Others have voiced some pretty good comments here but I wanted to weigh in on your specific concerns as well. When using passkeys your biometric data won't leave your device. When you create a passkey for a website you're actually creating two different keys:

    • A public key that is kept by the website that you're using.
    • A private key that remains on your device and is never exposed to the outside world.

    The website will never have access to your private key or to your biometric data. The passkey standard being developed by FIDO and companies like 1Password allows a website to verify your identity by confirming that the private key that you hold (in a secure and trusted location such as 1Password) corresponds to the public key that they hold. Once this confirmation takes place you're authenticated and able to log in to the website.

    With passkeys, when you use biometrics to sign into a website you're actually using your face or fingerprint to unlock the passkey that is used to prove your identity to that website. Your biometric data will never leave your device and websites never get access to your biometric data.

    @mybigfriendjo

    Aside from biometrics you can use your device PIN to unlock your passkeys. And passkey authentication services such as Passage Complete allow for fallbacks to different recovery methods if a user loses their device or access to their passkey.

    I hope that helps! 🙂

    -Dave

  • Dave_1P

    @mike48397289

    Did you see my comment that you'll be able to secure passkeys using a device PIN rather than using biometrics if you wish? Do you use biometric unlock to unlock your device and unlock 1Password today?

    Can you clarify what you mean by "a copy of my fingerprint"? Are you referring to a specific attack or vulnerability with a fingerprint scanner on a specific device? I'm mostly an Apple user and, as far as I'm aware, Touch ID is resistant to someone stealing a copy of your fingerprint and trying to use it to unlock your iPhone or Mac. In addition to other security measures, Touch ID has a limit of 5 unlock attempts before Touch ID is disabled and a user is forced to enter their device PIN or password to enable Touch ID again.

    -Dave

  • Dave_1P
    edited June 2023

    @mike48397289

    For someone to unlock a passkey using your fingerprint or face they would need:

    1. Access to your original fingerprint or face scan from a specific source. So, as an example, they would need to compromise or have access to border control systems in order to extract your biometric data from those systems.
    2. Physical access to your device itself since your biometric data does not leave your device.
    3. Knowledge of some method to use the biometric data taken from border control systems to trick the biometric scanner on your device.

    This particular threat model is already something to consider when using biometric unlock on your device today. If this is a threat model that you are concerned about then you'll be able to unlock 1Password using the same non-biometric methods that you use today. You can read more about biometric unlock security on Android devices here: About biometric unlock security in 1Password for Android

    -Dave

  • Dave_1P

    @mike48397289

    If you're already using biometrics to unlock 1Password today then the potential risk of someone tricking biometric unlock on your device remains the same whether you store a password or a passkey in 1Password.

    -Dave

  • mybigfriendjo
    Community Member
    edited June 2023

    Another threat vector - a government can force you to give up biometric data (getting fingerprints from a person for identification is perfectly legal - it has already been mentioned for travel documents etc.) and could do so with physical force if necessary.

    There are cases left and right where biometrics were collected and then sent to a contractor for processing the data, or certain social networks (cough, Meta, cough) are collecting faceID data in a big fashion, which they then just possess. So if rules and laws change to all of a sudden make it possible to use / sell this data to other entities, safety goes down the drain fast.

    Impossible for a password that only you know and could have plainly forgotten.

    I seem to remember a court case where a device was encrypted and locked but accessible via fingerprint. The court ruled that it is legal to force the defendant to unlock the device in that specific case, as they had gained access to parts of the device before, where they already found incriminating content. So while they could already incriminate the defendant, they were able to force him to give up his biometrics (fingerprint) to unlock the rest for a full search as well. Not gonna happen with a password.
    Sure, it's the person's fault for violating the law and doing something unlawful - passwords would have prevented any further access to the device though.

    For those reasons I myself am unlikely to use a system with biometrics for things that are actually critical and private.

    Edit:
    Found some (granted, rather old) links to such cases:
    https://www.biometricupdate.com/202007/another-federal-court-says-biometrics-can-be-used-to-open-devices-if-a-warrant-has-been-issued
    https://www.dailymail.co.uk/news/article-3573275/Woman-forced-unlock-iPhone-using-fingerprint-unprecedented-divided-legal-experts.html
    Not sure about the current situation with the law, but this stuff more than scares me away from using biometrics for anything sensitive.

  • bp23
    Community Member

    @Dave_1P Aren't passkeys synced to the cloud? Does that make them riskier, or is that still safe because you need the underlying face/fingerprint/device/PIN to utilize them?

  • Ben

    Hey @bp23

    Passkeys (and all other data) stored in 1Password are encrypted using secrets only you have before they are synced.

    About the 1Password security model

    Ben

  • Dave_1P

    @mike48397289

    If you're not currently using biometrics to unlock 1Password then that doesn't change with passkeys. You'll be able to use the same methods that you currently use to unlock 1Password and use the passkeys that you've saved in your vault.

    I see that my colleague replied to you in the other thread back in April. I recommend that you keep the discussion about that issue in the other thread so that we don't derail this one from the original topic. 🙂

    -Dave

This discussion has been closed.