Passkeys and An Advanced User
For average individuals who fail to use complex random passwords, the advantages of passkeys are clear. But, consider a more advanced user and assume:
- A robust password manager is used (preferably 1Password, of course).
- Randomly generated passwords for login credentials are used (e.g., the default 20-character random password generated by 1Password).
- The websites visited by the user that are sophisticated enough to support passkeys are also sophisticated enough to hash passwords before storing them (see What is a Hashed Password?).
- The password manager protects against fraudulent websites, by verifying a URL before auto filling the login credentials (see What Is Phishing?).
Under these assumptions, what benefits do passkeys provide for a more advanced user?
Thank you.
Comments
-
Hello @Pleonasm! 👋
Thanks for the question! Unlike passwords, you can’t create a weak passkey. Passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Passkeys can't be phished like traditional passwords because the underlying private key never leaves 1Password – this also makes them resistant to social engineering scams.
Even if you're an advanced user, it's not possible to make sure that every website that you use properly hashes and stores your password. With passkeys, the website never gets your private key so you can be certain that a breach on the website's end won't expose your passkey.
Regarding phishing: since passwords can be viewed in plain text they can be phished. Perhaps you'll encounter a website or app where 1Password's filling doesn't work and you'll need to copy and paste your password into the website. This opens the potential for phishing since you can be tricked into pasting your password into a fake website/app. Passkeys can only be used to sign in to the website that you created them for and they can't be viewed in plain text.
In addition to those security concerns, passkeys are much more convenient to use as you won't run into the same "filling" issues that you might with usernames/passwords where a website might be doing something strange with the fields on their page that requires our developers to update our filling brain.
I hope that helps. 🙂
-Dave
0 -
@Dave_1P, your observations are most helpful. To summarize, passkeys are strong by default, may be more convenient to use, and are more resistant to phishing and social engineering scams.
Yet, if an individual is using 1Password together with ‘best practices,’ passwords will also be strong by default, will be convenient to use (most commonly), and will resist the disclosure of login credentials on fake websites. Additionally, it seems reasonable to assume that any website that is sophisticated enough to implement passkeys is also sophisticated enough to implement passwords in a highly secure manner (e.g., retaining only a hash of passwords on their servers).
On balance, I agree that passkeys do provide some benefits in each of these three areas referenced, but overall those benefits seem (from my own perspective) to be very modest. And, those benefits are mitigated by websites that allow passwords to be used in addition to passkeys, so that in practice the disadvantages of passwords will (typically) remain in force even if a user adopts the use of a passkey. Presumably, this will change over time – but, at present, it seems to bypass the benefits of passkeys.
For myself, I see no compelling reason to adopt passkeys at this time. However, I am confident that others will disagree, and I look forward to hearing alternative points of view on this subject from the community.
0 -
@Pleonasm I had a similar discussion in this thread: https://1password.community/discussion/comment/699706#Comment_699706
I am on the same page as you except that I am more in an uncertain state rather than having strong feelings about any of it. I am currently experimenting with two services using passkeys... and you are right: they both require that I have passwords in addition to passkeys.
0 -
@lodaka, to clarify, I see the value of passkeys for the majority of users who are 'average:' i.e., those who do not use a password manager and may not use complex and unique random passwords across online accounts.
In contrast, however, the value of passkeys appears to be small for the minority of users who are 'advanced:' i.e., those who do use a robust password manager and do use complex and unique random passwords across online accounts.
1 -
I agree with most statements here. I've been extremely reluctant to use a password manager that does NOT allow me to have local access to my passwords/passkeys. Especially a company outside the originating client's country.
0 -
Thank you for adding your voice. Can you clarify your post a little further? When you use the 1Password app, all of your passwords and passkeys are stored locally on your device. They can be accessed and viewed by you even without an internet connection.
I look forward to hearing from you.
-Dave
0
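The origin binding discussed in the thread (a passkey only signs in to the site it was created for, and the site holds only a public key), sketched as an added example that is not part of the thread and is not 1Password code. It is a simplified model of a WebAuthn-style assertion check; the domain names, the `vault` map and all function names are constructed for illustration.

```javascript
// Simplified WebAuthn-style assertion flow (illustrative model, not the full spec).
const crypto = require("crypto");
const sha256 = (d) => crypto.createHash("sha256").update(d).digest();
const RP_ID = "example.com";                        // constructed relying party
const RP_ORIGIN = "https://example.com";
const PHISH_ORIGIN = "https://example-login.test";  // constructed look-alike site

// Authenticator side: one key pair per relying party ID; the private key stays here.
const vault = new Map();
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  vault.set(rpId, privateKey);
  return publicKey; // only the public key is sent to, and stored by, the website
}

// Browser + authenticator: the browser, not the page, writes the origin into clientData.
function getAssertion(origin, rpId, challenge) {
  const privateKey = vault.get(rpId);
  if (!privateKey) return null; // no passkey was ever created for this site
  const clientData = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 0])]); // rpIdHash, flags, counter
  const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientData)]), privateKey);
  return { clientData, authData, signature };
}

// Relying party: checks challenge, origin, rpIdHash and signature with the stored public key.
function verifyAssertion(publicKey, expectedChallenge, a) {
  if (!a) return "no-credential";
  const cd = JSON.parse(a.clientData.toString());
  if (cd.type !== "webauthn.get") return "bad-type";
  if (cd.challenge !== expectedChallenge.toString("base64url")) return "bad-challenge";
  if (cd.origin !== RP_ORIGIN) return "bad-origin";
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "bad-rp-id";
  const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad-signature";
}

function demo() {
  const publicKey = register(RP_ID);
  const challenge = crypto.randomBytes(32);
  return {
    genuine: verifyAssertion(publicKey, challenge, getAssertion(RP_ORIGIN, RP_ID, challenge)),
    // The look-alike site asks under its own RP ID: there is no key to sign with.
    phishOwnId: verifyAssertion(publicKey, challenge, getAssertion(PHISH_ORIGIN, "example-login.test", challenge)),
    // Hypothetical: even a signature over a relayed challenge records the wrong origin.
    phishRelay: verifyAssertion(publicKey, challenge, getAssertion(PHISH_ORIGIN, RP_ID, challenge)),
    replay: verifyAssertion(publicKey, crypto.randomBytes(32), getAssertion(RP_ORIGIN, RP_ID, challenge)),
  };
}
```

Unlike a pasted password, nothing the user can be tricked into handing over on the look-alike page verifies at the real site, and a dump of the site's stored public keys cannot produce a valid signature.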