General discussion: How are Passkeys logins really more secure?

Philipp
Community Member

Hello,
I understand Passkeys logins are more secure. Maybe this is the case for logins on different websites on the internet, because for example no man in the middle can rob your password and so on.

But on the other hand you have to use your finger or face to unlock, right? When somebody forces me physically to unlock my device/login, then it seems much more easy for him.
With the password he can torture me and maybe I will reveal my password or not.
But with passkeys he must only be physically stronger than me and hold my face or my finger in the right position. Or he can abuse my phone while I'm sleeping by holding my finger on the sensor.

So I don't see only benefits for Passkeys. How can I prevent such abuse?



Comments

  • Dave_1P
    edited October 2023

    Hello @Philipp! 👋

    Thanks for the question. Passkeys stored in 1Password are protected using the same security that protects your passwords and other items. If you currently use your face or fingerprint to unlock 1Password and access your passwords then you'll be able to do the same to save and sign in with passkeys.

    But if you use your account password to unlock 1Password then you'll be able to use that for passkeys as well. Biometrics are not required.

    > When somebody forces me physically to unlock my device/login, then it seems much more easy for him.

    The important consideration here is something called a threat model. Your threat model is the threats that you're likely to face and the effective countermeasures that you enact to protect yourself from those threats.

    A service like 1Password protects you against certain threats and not others and it's important to understand that 1Password cannot protect you from a physical threat to your life. The strongest encryption in the world can't protect you when someone is willing to use violence or blackmail to get to your data. In that scenario your protection is always reduced to your own ability and willingness to withstand the violence or blackmail before giving in and giving the attacker access to 1Password.

    That being said you can read more about the security of biometric unlock here:

    Most people are more likely to be at risk from phishing, or the leak of passwords from the websites that they use, than they are from targeted violence against them. This is where passkeys offer more protection than passwords. Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can't be phished like traditional passwords because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams.

    -Dave

This discussion has been closed.
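
The point in the reply above, that a passkey is a key pair whose private key never leaves the user's side, can be made concrete with a simplified model of the WebAuthn sign-in check. This is an added example, not code from 1Password or from either poster; the function names, the `example.com` site and the look-alike origin are assumptions, and the authenticator data is reduced to the RP ID hash.

```javascript
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the key pair is generated on the user's side; the site stores only the public key.
function createPasskey(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { rpId, publicKey, privateKey };
}

// Client side: sign the server's challenge together with the origin the browser is actually on.
function signAssertion(passkey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authenticatorData = sha256(passkey.rpId); // simplified: RP ID hash only
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), passkey.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: every check must pass before the signature is trusted as a login.
function verifyAssertion(server, assertion, expectedChallenge) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString());
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (clientData.origin !== server.origin) return 'origin mismatch';
  if (!assertion.authenticatorData.equals(sha256(server.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, server.publicKey, assertion.signature)
    ? 'ok' : 'bad signature';
}

// Constructed scenario: all names and origins are placeholders.
function demo() {
  const passkey = createPasskey('example.com');
  const server = { rpId: 'example.com', origin: 'https://example.com', publicKey: passkey.publicKey };
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(passkey, challenge, 'https://example.com');
  const relayed = signAssertion(passkey, challenge, 'https://examp1e.test'); // signed on a look-alike page
  const rewritten = { ...relayed, clientDataJSON: genuine.clientDataJSON };  // origin edited after signing
  return {
    genuine: verifyAssertion(server, genuine, challenge),
    relayed: verifyAssertion(server, relayed, challenge),
    rewritten: verifyAssertion(server, rewritten, challenge),
    replayed: verifyAssertion(server, genuine, crypto.randomBytes(32)), // old assertion, fresh challenge
  };
}
```

The server never holds a secret that could leak or be typed into the wrong page: it keeps only the public key, and a signature is useful only for the one challenge and origin it was made for.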