If I use a passkey aren't I making my login less secure?

I understand a lot of the benefits that passkeys offer such as domain spoofing etc but it seems to me that if I migrate to them that I am making things less secure.

If I currently log in to somesite.com, 1Password auto-fills my email and password. I then have the site set up to prompt me for a time-based token from the authenticator app on my phone.

So I have 2 layers of security that are separated from each other. If my 1Password account was ever compromised my 2FA would still afford me some level of protection.

With a passkey, I lose the second part of this as everything is handled by 1Password in the browser. Anyone gaining access to my 1Password account would have everything they needed.

Or is the idea with a passkey that we should still retain traditional 2FA procedures? I haven't really seen this discussed anywhere.

What would seem ideal is 1Password in the browser signs me in using a passkey but the 1Password app on my iPhone asks me to confirm it too, much like Google does with the Youtube app.

Am I missing something here?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Hi @richardwarriner, thanks for your question!

    Passkeys can provide the same level of security as a password plus two-factor authentication, with a lot less friction as they are two factors of authentication built into one. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.

    In testing, I've found that accounts have continued to support an MFA option in addition to passkey sign in. So, you can sign in with your passkey saved in 1Password then use MFA to complete the flow. If you prefer to use both, you can likely continue doing so for the foreseeable future.

    While I anticipate migrating away from MFA where passkeys are available, I can personally think of a few situations where I might want to keep MFA. For example, when visiting, younger members of my family often play games on my personal computer. Perhaps not the textbook definition of a "malicious actor", but if I forget to lock 1Password, having that extra layer of protection for banking or similar websites would certainly be appreciated if someone gets curious.

    Let us know if you have any questions or if there's anything we can help with!

  • Dave Toth (Community Member)

    I've been reading about passkeys and how they work in general and also how 1PW will handle them. It's still unclear to me how they work, how 1PW will handle them, and especially the implications of them vs what we have now.

    I see some of the advantages of passkeys for security issues (caused especially by lazy users) but it seems like what this really amounts to is offloading the responsibility and liability of security from companies to users. This may be an improvement for lazy users (and for companies) but seems to cause some issues for the rest of us long-time users.

    There is a lot of discussion about the security of biometrics. I have some concerns about that too. I even tried to make my iPhone recognize a photo of myself. It didn't work, but more sophisticated means might. Even if biometrics can't be spoofed, there are other issues I've not seen mentioned elsewhere. Here is a common scenario I've seen in public. Someone unlocks their phone, say with friends at a restaurant, and lays it on the table. A thief could walk by and grab the phone off the table or even out of your hand. If this scenario means the thief can now change your device lock scheme and then access all your banking, we've got a problem and will see a lot more of this happening!

    Using a PIN instead of biometrics won't help either. I use a complex 21-character PW to unlock 1PW when I need to use it. I don't want to have to enter that PIN every time I want to use my device. So having a 4- or 6-digit PIN to get to all passkeys won't work for me.

    What I want is a two-tier system where a short PIN can access my phone and the low-security passwords/passkeys that I use a lot, with a more secure level for banking and other high-risk passcodes. And I need a way to archive them online so if I'm in Europe and lose all my devices, I can buy a new one and get my passcodes back. Currently this is conveniently provided by putting low-risk, often-used PWs into Safari PWs and the rest into 1PW, with face recognition on the iPhone and a shorter but still robust PW for my laptop.

    It's unclear to me at the moment if passkeys (and 1PW) will provide my desired use cases.

This discussion has been closed.