What am I missing with passkeys?

We are in the early staged of Passkey implementation by services. Most services will fall back to the password you picked if no Passkey is available. Most services will also allow you to reset your passkey/password via an email sent to you.

Passkeys themselves do not solve such issues. In time, as adoption grows higher, there will be a consensus in the industry on how to deal with this. But once again, we are very early right now.

Even so, a password as a fallback is not really an issue. If you are concerned about a service that handles it in this way, simply pick a new very secure password and then never use it again. A secure and strong password that's not being used is still very secure.

Be sure to write in to any service where you feel their account security could use a boost. Feedback is important. Also never forget that many services give back account access by mere customer support interaction, meaning social engineering into accounts is still the most problematic thing out there.

Passkeys are a better implementation for account logins, but they do not solve all the problems of account security.

Note that I am just an average joe, who's a bit security conscious -- i.e. just about 0 technical knowledge about any of this but only what I've been able to read what's on the Internet.

The way that I understood passkeys has been that it will improve security for average users, who, again on average, tend to think that "P@55w0rd" is a difficult password to break. I think attempt was made to help these folks with (first with SMS, email, etc.) authenticators and what not. For these folks, passkeys provide exponentially more secure way to interact online while also making it easy to do so.

For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?

Lastly, again I blame my lack of technical knowledge on this subject matter, but if passkeys are sync'd (e.g. through 1Password), if a threat actor gains access to someone's 1Pasword vaults, I am assuming the TA will be able to fully use that, correct?

For those that are a bit more security conscious (which I think most of us are, seeing how we are all here), I am not convinced that passkeys are necessarily more secure. For instance, if someone has a 30-char password (using 1Password) with Yubikey as a multi-factor, is that not more secure?

There is, in fact, one huge difference between passkeys and a 30-char password. Traditional passwords are symmetric -- both sides have to store/know the original password. Technically the server can and should store just a hash of the password, however 1) this (sadly) doesn't always happen and 2) there are potential issues with that as well, such as a hash search. Passkeys on the other hand are asymmetric. The server stores the matching public key to your private key. And the login process doesn't even exchange the actual keys. If somehow a hacker is able to get their hands on your public key because of a hack on the company side, there is zero chance that they can use that to login as you there or anywhere else. (Of course if they hacked into the entire company's back-end, it doesn't even matter. But it is often the case that databases of password data are hacked or leaked without a full corporate compromise.)

@lodaka Fair point, I did ignore the part about a hardware key. Personally I think that passwords are simply meaningless now. The modern lore of 2FA is "something you know and something you have". But "something you know" is no longer realistic because no reasonably high entropy password per account can be remembered by a human, and it is vital with passwords that they be unique across all accounts given how often password databases are compromised. So 2FA only makes sense if you assume the bad practice of a manually remembered, reused password across all accounts. Once you start talking about 30 character passwords, 2FA is just theater because you already have to have something in your possession ("something you have") that can unlock the stored 30 character password that is impossible to remember. So in your example the password on top of the yubikey serves no purpose, other than the fact that it's required by the current login infrastructure for the password to exist. In other words the yubikey by itself would be fine. Passkeys solve the problem by formalizing the agreement that "something you have" is now a requirement, and that's the end of it, no more 2FA. Trying to do all this via the current password infrastructure (as we all obviously are doing since we are here in the 1password forums) is fine, but it doesn't enforce good behavior by everyone since one can still just use a bad password.

@jonpw I will slightly (and only slightly) disagree there. I am making some assumptions here (because I think the idea is to combine PIN or biometrics with the passkey), but if Yubikey is the sole method of unlocking whatever account you want to access, then someone stealing the physical possession of it would potentially introduce a slightly elevated risk -- again I am making assumptions here as this would be somewhat targeted. My post of course also assumes that there is a separate method of authentication other than the same Yubikey to access the password (e.g. 1Password) in the first place.