What am I missing with passkeys?
I am finally getting around to putting passkeys into action.. but something isn't adding up.
As a low risk test, I added a passkey to a bestbuy account. Started up an incognito session, and logged back in with my PASSWORD. Uhhh...?
Soooooo - passkeys are great (who doesn't like public key cryptography?!).. but if you can continue to log in with a password (didn't see a way to disable it), then what good are passkeys?
Shouldn't it be a password OR passkey - but not both? Or, at a minimum, the ability to disable the password? What am I missing? Do most passkey enabled sites allow the password fallback?
Thanks!
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
We are in the early staged of Passkey implementation by services. Most services will fall back to the password you picked if no Passkey is available. Most services will also allow you to reset your passkey/password via an email sent to you.
Passkeys themselves do not solve such issues. In time, as adoption grows higher, there will be a consensus in the industry on how to deal with this. But once again, we are very early right now.
Even so, a password as a fallback is not really an issue. If you are concerned about a service that handles it in this way, simply pick a new very secure password and then never use it again. A secure and strong password that's not being used is still very secure.
Be sure to write in to any service where you feel their account security could use a boost. Feedback is important. Also never forget that many services give back account access by mere customer support interaction, meaning social engineering into accounts is still the most problematic thing out there.
Passkeys are a better implementation for account logins, but they do not solve all the problems of account security.
0 -
Thanks for the thoughtful response. I don't disagree with anything that you are saying.
However, the general marketing push (I think) in advocating for passkeys is the user is controlling their fate by switching from insecure (passwords) to secure (passkeys). Let's assume passwords are still allowed, and security is ultimately out of the user's hands (e.g., customer service rep changing password). In that case, I think it is incumbent on the arbitrators of the passkey "push" (developers, security folks, websites adopting passkeys, etc) to document that if the user was not secure before passkeys (e.g., simple passwords) they aren't any safer after (without additional steps). A working bad password is still a bad password.
So far (and my review is LIMITED), I haven't seen anything saying, "change your old password to something complex and never use it again." I also have not seen an option to disable (permanently or temporarily) when a passkey has been enabled. Companies seem to be more excited about what passkeys can do (and those benefits) versus what it is doing at the moment (in combination with the previous weaknesses that aren't being addressed).
I guess my point is - if you are switching to passkeys, make sure you understand what it is (and is not) doing (on each site/app) and what steps you should be taking to increase their effectiveness (which I'm afraid isn't so evident to the typical user).
two_cents
0 -
As @ianto mentioned in their very good comment, we're currently at the beginning of a long transition period and passkeys will become more intuitive and standardized across the industry as time goes on.
For the moment, many websites don't offer the ability to fully remove your password after adding a passkey so you'll be able to sign in using either your passkey or your password in most places. Continue to follow best practices and make sure that all of your passwords are strong and unique: Use the password generator to change and strengthen your passwords
Part of the reason why many services leave passwords as a fallback option is because passkeys are not yet supported across all devices yet.
1Password warns folks when a password has been reused or should be made stronger, whether you're using a passkey or not: Use Watchtower to find account details you need to change
-Dave
1 -
Thank you for the great links, @Dave_1P
And @datx — we all believe in an ideal world that we do not yet live. You mention the average user a lot, and I don't think the average user will be ultimately involved in a decision with passkey vs. password.
In the end, the average user will be signing up for an account and logging into an account with just a biometric verification. They ultimately don't care if your browser sends a password over that then the server hopefully only checks against a hash and discards. Or if they do passkey authentication against a public key. The average user just doesn't care. They do their Touch ID or Face ID and are happy they are in the account. That's it.
Technically a password manager filling in password fields has always been a hack. And the filling in and sending of the actual password was never ideal in a technical sense. Passkeys now allow for this process to be smoother and more streamlined. You could say modern.
iCloud Keychain as well as more sophisticated solutions like 1Password are right on track to fulfill this journey with us. But the road ahead is bumpy and very long. Mostly in terms of how to steer the average user in the way of least friction, while retaining maximum security.
0 -
Note that I am just an average joe, who's a bit security conscious -- i.e. just about 0 technical knowledge about any of this but only what I've been able to read what's on the Internet.
The way that I understood passkeys has been that it will improve security for average users, who, again on average, tend to think that "P@55w0rd" is a difficult password to break. I think attempt was made to help these folks with (first with SMS, email, etc.) authenticators and what not. For these folks, passkeys provide exponentially more secure way to interact online while also making it easy to do so.
For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?
Lastly, again I blame my lack of technical knowledge on this subject matter, but if passkeys are sync'd (e.g. through 1Password), if a threat actor gains access to someone's 1Pasword vaults, I am assuming the TA will be able to fully use that, correct?
0 -
Thanks for the reply. Security is definitely an iterative process and passkeys are a step forward for the industry as a whole with the aim of protecting everyone, regardless of their technical skill level.
Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can’t be phished like a traditional password because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams.
Passwords, even those supplemented by a TOTP authenticator app, can still be phished. You can still be tricked into entering your password and TOTP into a fake website that masquerades as the real website. A passkey solves this problem since it can only be used with the original website that you created it for.
Security keys are great, I own several myself, but two-factor authentication was designed to add an additional layer of protection to passwords against phishing. As mentioned, passkeys are already resistant to phishing and can be considered to have the same level of security as a password plus two-factor authentication, with a lot less friction.
-Dave
0 -
For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?
There is, in fact, one huge difference between passkeys and a 30-char password. Traditional passwords are symmetric -- both sides have to store/know the original password. Technically the server can and should store just a hash of the password, however 1) this (sadly) doesn't always happen and 2) there are potential issues with that as well, such as a hash search. Passkeys on the other hand are asymmetric. The server stores the matching public key to your private key. And the login process doesn't even exchange the actual keys. If somehow a hacker is able to get their hands on your public key because of a hack on the company side, there is zero chance that they can use that to login as you there or anywhere else. (Of course if they hacked into the entire company's back-end, it doesn't even matter. But it is often the case that databases of password data are hacked or leaked without a full corporate compromise.)
0 -
@jonpw Yes, I agree with everything you said -- I am also familiar with public key cryptography as a concept. Note that I didn't equate the two methods; I was referring to the security strength of each method. The second (and potentially more critical) part of my sentence refers to MFA with a hardware key, which would operate on public key cryptography at least for Webauthn-based systems. It seems to me that an added layer of 30-char password would add to the mix, not take away.
0 -
@lodaka Fair point, I did ignore the part about a hardware key. Personally I think that passwords are simply meaningless now. The modern lore of 2FA is "something you know and something you have". But "something you know" is no longer realistic because no reasonably high entropy password per account can be remembered by a human, and it is vital with passwords that they be unique across all accounts given how often password databases are compromised. So 2FA only makes sense if you assume the bad practice of a manually remembered, reused password across all accounts. Once you start talking about 30 character passwords, 2FA is just theater because you already have to have something in your possession ("something you have") that can unlock the stored 30 character password that is impossible to remember. So in your example the password on top of the yubikey serves no purpose, other than the fact that it's required by the current login infrastructure for the password to exist. In other words the yubikey by itself would be fine. Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA. Trying to do all this via the current password infrastructure (as we all obviously are doing since we are here in the 1password forums) is fine, but it doesn't enforce good behavior by everyone since one can still just use a bad password.
0 -
Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA.
Actually passkeys can still be 2FA, if the RP (relying party) requires User Verification (biometric or PIN):
Passkeys are kept on a user’s devices (something the user “has”) and — if the RP requests User Verification — can only be exercised by the user with a biometric or PIN (something the user “is” or ”knows”). Thus, authentication with passkeys embodies the core principle of multi-factor security.
Source: FIDO Alliance FAQ on passkeys.
0 -
@jonpw I will slightly (and only slightly) disagree there. I am making some assumptions here (because I think the idea is to combine PIN or biometrics with the passkey), but if Yubikey is the sole method of unlocking whatever account you want to access, then someone stealing the physical possession of it would potentially introduce a slightly elevated risk -- again I am making assumptions here as this would be somewhat targeted. My post of course also assumes that there is a separate method of authentication other than the same Yubikey to access the password (e.g. 1Password) in the first place.
0 -
@XIII said: Actually passkeys can still be 2FA, if the RP (relying party) requires User Verification (biometric or PIN)
That type of second factor is great and I'm all for it, but it's just a question of semantics -- that second factor is simply some additional protection on the private key so that it can't be easily reused like a lost house key found lying on the ground. It's not the same as the legacy password system where the "something you know" part has no connection to the "something you have" part.
My point is still the same: using something like 1password with high entropy site passwords, a high entropy One Password, and traditional 2FA is great, and (IMO) equally secure as passkeys. But it's no more secure, and suffers from the flaw that it can easily be less secure.
@lodaka The problem is that using 1password plus yubikey is no longer "something you know + something you have", it's two "something you haves" since 1password is "something you have". So at that point we're just talking about redudancy, which is a burden on most people and comes with its own flaws. (Like easily being able to lock yourself out.) But sure, if FIDO wants to add formal, optional support for requiring two separate passkeys to log into a site, so that a user would require two "something you haves" like the double-keyed missile launcher in War Games, then maybe that will become a thing one day.
0