What is, from a software perspective, the difference between a passkey and a physical FIDO2 hardware key?

telephoneman2
Community Member

Hey guys, what is the difference between a passkey and a HW key? Some websites like Facebook or even 1Password.com already offer to add FIDO2-compatible HW keys as a 2nd factor (not for primary login, but as a 2nd factor). The shiny 1PW extension with passkey support also offers to use a passkey instead of a physical token. So I'm wondering about the technical difference between a passkey token and a HW token? It seems both behave equally? Are there some insights into why passkeys can be used where HW keys are supposed to be used? (But it's not working everywhere; I'd like to understand the background.)


Comments

  • XIII
    Community Member
    • In common: they both use FIDO2/WebAuthn.
    • Difference: 1Password/Apple passkeys are copyable; security keys are hardware-bound.

    https://www.yubico.com/blog/a-yubico-faq-about-passkeys/

  • Tertius3
    Community Member

    While the article from Yubico is very comprehensive and contains great information, it is strongly biased towards the use of hardware keys. Most certainly because their business is the selling of hardware keys, and if people realize they can just start using passkeys without a hardware token, they lose their business.

    I'd like to comment to slightly bias toward the software side of things. From a security point of view, the use of software passkeys is slightly less secure than the use of hardware keys. However, not prohibitively less. The use of a hardware key is more inconvenient than the use of software passkeys. There's more to it than just touching that button on a hardware key. If you lose the hardware key, you have a problem. With cloud-synced software passkeys, you cannot lose the cloud. It's also not very probable that your software passkeys get compromised/stolen. That requires a direct attack (hack) on you. The same can happen to your hardware token. A thief could steal the token from your USB port while you're looking away. That's different. What type of key is more or less secure or more or less convenient for you depends on your personal environment and use cases. They are both equally valid alternatives.

  • telephoneman2
    Community Member

    @Tertius3 so the reason is that passkeys and HW keys act similarly (from a pure software/interface perspective) because both are based on FIDO2? A passkey is just a kind of new framework to handle the keys in a software vault instead of on a HW key?

  • Tertius3
    Community Member

    @telephoneman2 This is my understanding, yes.

  • BetaUserMan
    Community Member
    edited July 2023

    I'm very curious about this topic, but not from the hardware key vs software key debate.

    Would it be possible to generate your own passkey and then pretend it was a hardware key to submit through WebAuthn for websites that don't support passkeys but do support hardware keys? How do websites know you are using a passkey vs. a hardware key?
