
Passkeys


Preview:

Passkeys are all the rage, but I'm unimpressed. It seems like a minuscule benefit for significant potential problems. They are not worth using.

Passkeys are quite the rage. They claim all sorts of wonderful conveniences: passwordless account entry, better security, and so forth. What are they really?

They use public-private key encryption to verify your access instead of a username and password. A private key is stored in a secure vault on your computer, phone, or tablet. That safe, secure key is matched to your account and used instead of a password.
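To make the key matching described above concrete, here is an added example (not from the original article) that models a passkey login in simplified form using a digital signature, the public-private key operation passkeys rely on. It goes beyond the paragraph by including the one-time challenge a site sends and the site's address in the signed data; the class names, the `shop.example` address and the message layout are assumptions for illustration, not the real WebAuthn format.

```javascript
// Added example: simplified passkey-style login (not the real WebAuthn wire format).
const crypto = require('node:crypto');

// Vault side (hypothetical class): one private key per site; the key never leaves it.
class Vault {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is handed to the site
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) throw new Error('no passkey for ' + origin);
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Site side (hypothetical class): stores public keys and one pending challenge per user.
class Site {
  constructor(origin) { this.origin = origin; this.accounts = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.accounts.set(user, publicKey); }
  newChallenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    const pub = this.accounts.get(user);
    this.pending.delete(user); // each challenge is single use
    if (!c || !pub) return false;
    return crypto.verify('sha256', Buffer.concat([Buffer.from(this.origin), c]), pub, signature);
  }
}

function demo() {
  const vault = new Vault();
  const site = new Site('https://shop.example'); // constructed sample origin
  site.enroll('alice', vault.register(site.origin));
  const sig = vault.sign(site.origin, site.newChallenge('alice'));
  const login = site.verify('alice', sig);      // correct key, fresh challenge
  site.newChallenge('alice');                   // site issues a new challenge
  const replay = site.verify('alice', sig);     // old signature no longer matches
  const other = new Vault(); other.register(site.origin);
  const forged = site.verify('alice', other.sign(site.origin, site.newChallenge('alice')));
  return { login, replay, forged };
}
console.log(demo());
```

The site never holds anything secret: a copy of its account table gives an intruder only public keys, which cannot produce a valid signature.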

So, if that vault is just as secure as your password manager, then you will gain an infinitesimal security benefit. I wrote an article explaining public-private key encryption here. So that's a good thing, right? Well, maybe. You'll still need your password manager to handle the 95% of logins that require a username and password. Furthermore, you need to log into your passkey vault with a password. Sometimes the private key is stored on your device, so logging into your device provides someone with access to all your passkey accounts. If you use your password manager or have a passkey application, then you can use a good password to secure it. But if they are stored on your device, you'll need a strong password to access your device.

So, what we have is one more application handling 5% of our accounts or requiring us to beef up our device login protection.

There are other downsides:

  1. Each place (Microsoft, Amazon, Apple, Android) wants to control your passkeys and lock you into their system. If you use your password manager instead of the device's own secure platform, then you really haven't gained anything.
  2. Each device will have its own login, and they aren't exportable. Get a new phone and start over again. Switch from Apple to Android, start again.
  3. There are no universal standards to export your passkeys if you switch devices or passkey programs.

I remain entirely unimpressed and recommend sticking to your secure password manager.




Date: June 2025


This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

 
 