Passkey Vs MFA/2FA
Okay. First off I'll say that I don't fully comprehend the technical capabilities of the two technologies. I get the gist but that's about it, so I'd appreciate as much of a definitive suggestion as possible.
I've been using 1Password for a couple of months. I went through all of the accounts and updated everything to strong passwords and 2FA/MFA using the authenticator option where possible.
I also tried YubiKeys. My general feeling was that without high-stakes accounts, and with most of the accounts not even having the option, it was a bit overkill, and so I have since quit using them.
Now 1Password is pointing out the passkey option. In situations where previous accounts did not allow 2FA/MFA, that's a no-brainer as a good move. However, in situations where I was already using the authenticator option inside 1Password, is it a better option to switch to the passkey instead?
I apologize if I missed a previous good post on this, or if this should have been posted somewhere else.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
Hello @roguesandpiper! 👋
Thank you for the question! Passkeys can provide the same level of security as password + two-factor authentication, with a lot less friction. Passkeys cannot be remotely phished, socially engineered, or leaked. Those are the threats that two-factor authentication was designed to protect against.
One benefit of using a passkey over a password + one-time password is that you don't have to worry about filling multiple fields each time that you log in. 1Password will automatically suggest your passkey when a website requests it and you can sign in with a single click.
Let me know if you have any other questions. 🙂
-Dave
1 -
Thanks for your response. @Dave_1P
If I'm understanding this correctly, there is not a significant security difference between passkeys and MFA, if MFA is executed properly. Passkeys just innately prevent improper usage/user error through phishing and erroneous mis-pasting, while generally being more "convenient", particularly where 1Password isn't able to autofill single-use passwords.
0 -
Thanks for the reply. You wrote:
There is not a significant security difference between passkeys and MFA, if MFA is executed properly.
I wouldn't say that. Two-factor authentication that uses TOTP (the one-time passwords that you get from an authenticator app) can still be phished because you can be tricked into typing your one-time password into a malicious app or website that is pretending to be a legitimate website.
Beyond that, passkeys are generated by your device using a public-private key pair, which makes them strong and unique by default. Your private key is only ever stored in 1Password, protected by end-to-end encryption, and even the website itself never has access to your private key which means that it can't be breached even if the website is breached.
A passkey will only ever work for the website that it has been generated for and you can't export passkeys in plain text like you can with passwords and TOTP seeds. This reduces the attack surface of passkeys far below passwords + TOTP 2FA.
If you're interested, you can read more about passkeys here: What are Passkeys?
-Dave
0 -
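Dave's point that a passkey "will only ever work for the website that it has been generated for" comes from the origin being part of what the device signs. The following Go program is an added illustration (not 1Password's code and not part of this thread) that simulates a simplified WebAuthn assertion: the authenticator signs the challenge together with the origin the browser reports, and the relying party rejects any assertion whose origin is not its own. The origins and challenge value are constructed for the demo; real clientDataJSON carries extra fields omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ClientData mirrors the essential fields of WebAuthn clientDataJSON, which the
// browser builds and the authenticator signs (hashed) along with the challenge.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator holds the private key; only the public key ever leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}, err
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge for whatever origin the browser says the user is on.
// A phishing page can only obtain a signature over its own origin.
func (a *Authenticator) Sign(challenge, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(ClientData{"webauthn.get", challenge, origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}

// Verify is the relying party: origin and challenge are checked before the signature,
// so a valid signature bound to a look-alike origin is still rejected.
func Verify(pub *ecdsa.PublicKey, wantOrigin, wantChallenge string, cd, sig []byte) bool {
	var c ClientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" {
		return false
	}
	if c.Origin != wantOrigin || c.Challenge != wantChallenge {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A proxy-style phishing site at a constructed origin such as `https://login-example.test` can relay the genuine challenge, but the signed origin will not match `https://example.test`, so `Verify` returns false; a TOTP code relayed the same way has no such binding.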
@roguesandpiper In my experience, most websites that allow passkeys do not let you remove passwords at this time, presumably because we are in a transition of sorts. This in turn means that, in my personal (and very non-expert) opinion, password + MFA with a hardware security key may, currently, be a better option as it forces the use of the security key (or passkey). In comparison, using a passkey as an authentication method will make it more convenient but, because this still lets you log in using only your password, I am not sure if this is more secure, as long as password-only login remains an option.
EDIT: Of course, right after I posted this, I found something interesting. I am experimenting on Google with a passkey. I previously created a passkey for login on Google, which then made a passkey named "1Password".
Even after that, for some reason, Google defaults to password when I try to log in -- I have to click on a link to log in using a different method to use the passkey. On a whim, I decided to create a passkey as a 2FA (on Google) instead of "just creating it" for login.
What happened was: Google created another passkey named "1Password 2" in addition to the previously created passkey. However, in the 1Password app, this second passkey replaced the first one, strangely enough. However, now when I try to log in, Google defaults to just using the passkey without prompting me for a password. When I do click on using another method, it lets me enter the password but, once entered, it then prompts me (along with the 1Password passkey prompt) for a passkey (presumably because now it's a 2FA) and then it works. I am at this point assuming that I can remove the first passkey "1Password" from my Google account without repercussions.
Some of the behaviours that I am experiencing are a bit unexpected. I am guessing that other websites will provide me with a different experience. A bit scared to try. Lol.
0 -
Thanks for the response @lodaka
From what I can tell at the moment, there is not enough of a difference that I feel I need to update the accounts that I have from strong password and MFA to passkey. I'll set up new accounts with passkeys, but otherwise I'll wait until the ecosystem has matured a bit more before making the transition. And I agree that the hardware key is the right answer... Unfortunately, most of the time mine required an additional passcode to use the hardware key, and I forgot that, so now I have to reset them to use them anyway :/
0 -
When you're ready to update your logins to use passkeys in the future, 1Password will be there to help. 🙂
-Dave
0