How are passkeys more secure if they rely on biometrics?

So, I just read the announcement 1Password made about implementing passkeys not only to save them on their service, but to use them to log into the password manager itself as well. That left me wondering: Passkeys are being touted practically as a win-win situation of being more secure AND more convenient at the same time thanks to relying on open standards for the cryptography and biometrics for user authentication.

But… then I remembered that AFAIK, biometrics are considered a considerably less secure method of authentication than a good password or PIN (a fingerprint could be retrieved from any object you’ve touched, face scanning could be fooled with pictures or look-alikes, it is easier to unlock the device without your knowledge or consent, say when you’re sleeping or if you’re forced by either criminals or law enforcement, etc.).

I can understand how passkeys are actually better when it comes to remote attacks, like phishing or data breaches, but when it comes to local scenarios, like if your device gets stolen, wouldn’t passkeys be actually a disadvantage? Your device would be the hardware token itself, and your biometrics could easily be taken by the attacker at the moment. I don’t know, maybe I’m completely misinterpreting how the entire thing works, but tell me, what do you think?

1 Like

It all depends on the user and the threat model.

If we take the average person then they see the password as an inconvenience and will either set the timeout to never (so the password database is always open) or they will use a very short and hence weak password or PIN (also easily shoulder surfed). In this case biometrics with a short timeout improves security.

For the more security conscious it comes down to the risk of someone getting your password vs. getting your biometric. Each has its pros and cons. You need to work out the risks for your use case/threat model.

In my case the change would make no difference. My passwords are on my computer which has no biometric sensors. The phone is for 2FA.

2 Likes

Remember there are 2 factors here: trusted device + hardware. Personally I’d still hold a password too, but for the average human that doesn’t create secure passwords this is a huge improvement.

1 Like

Your interpretation of the local threats is correct. I also see it as a con of using only passkeys for auth, otherwise referred to as passwordless logins.

But I think the goal of promoting passkeys on a wider level would be to only solve the remote attacks problem, as they are the most common ones and dangerous too.
(You come to know about data breaches every now and then.)
If I do my own assessment of how many people around me reuse a password or don’t use a password manager, then that number looks to be at least more than 50%.
So at present, not using a strong password seems a much bigger problem than individuals facing threats of getting robbed (not to mention people care about their personal smartphones more than they ever did, for whatsoever reasons).
So I think it’s a step in the right direction to solve the bigger problem at hand.

Of course tech geeks like us would still prefer to keep passkeys as a 2FA option only, in addition to passwords.
Passkeys are like a physical security key (YubiKey) but just built inside your smartphone. Even with physical security keys you have an option to go completely passwordless or use it as 2FA.
(Though for some reason physical security keys are rated as more secure than passkeys.)

2 Likes