So, I just read the announcement 1Password made about implementing passkeys not only to save them on their service, but to use them to log into the password manager itself as well. That left me wondering: Passkeys are being touted practically as a win-win situation of being more secure AND more convenient at the same time thanks to relying on open standards for the cryptography and biometrics for user authentication.
But… then I remembered that AFAIK, biometrics are considered a considerably less secure method of authentication than a good password or PIN (a fingerprint could be retrieved from any object you’ve touched, face scanning could be fooled with pictures or look-alikes, it is easier to unlock the device without your knowledge or consent, say when you’re sleeping or if you’re forced by either criminals or law enforcement, etc.).
I can understand how passkeys are actually better when it comes to remote attacks, like phishing or data breaches, but when it comes to local scenarios, like if your device gets stolen, wouldn’t passkeys be actually a disadvantage? Your device would be the hardware token itself, and your biometrics could easily be taken by the attacker at the moment. I don’t know, maybe I’m completely misinterpreting how the entire thing works, but tell me, what do you think?
If we take the average person, then they see the password as an inconvenience and will either set the timeout to never (so the password database is always open) or they will use a very short and hence weak password or PIN (also easily shoulder-surfed). In this case biometrics with a short timeout improve security.
For the more security conscious it comes down to the risk of someone getting your password vs. getting your biometric. Each has its pros and cons. You need to work out the risks for your use case/threat model.
In my case the change would make no difference. My passwords are on my computer which has no biometric sensors. The phone is for 2FA.
Remember there are 2 factors here: trusted device + hardware. Personally I’d still hold a password too, but for average human that doesn’t create secure passwords this is a huge improvement.
Your interpretation of the local threats is correct. I also see it as a con of using only passkeys for auth, otherwise referred to as passwordless logins.
But I think the goal of promoting passkeys on a wider level would be to only solve the remote attacks problem, as they are the most common ones and dangerous too.
(You come to know about data breaches every now and then.)
If I do my own assessment of how many people around me reuse a password or don’t use a password manager, then that number looks to be at least more than 50%.
So at present, not using a strong password seems a much bigger problem than individuals facing the threat of getting robbed (not to mention people care about their personal smartphones more than they ever did, for whatsoever reasons).
So I think it’s a step in the right direction to solve the bigger problem at hand.
Of course tech geeks like us would still prefer to keep passkeys as a 2FA option only, in addition to passwords.
Passkeys are like a physical security key (YubiKey), but it’s just built inside your smartphone. Even with physical security keys you have the option to go completely passwordless or use it as 2FA.
(Though for some reason physical security keys are rated as more secure than passkeys.)
Americans have a 5th amendment protection against self-incrimination, which is generally understood to mean protection from being compelled to make testimonies against yourself.
Courts have consistently ruled that defendants are not required to disclose their passwords or passkeys. Some courts have applied the same to biometrics, but there is less precedent and protection for it. Furthermore, they may already have collected a fingerprint or could get one trivially by simply following you around.
Well it’s not required to use biometrics with passkeys, you can use your phone passcode or PIN instead. The idea is you’re using your secure device’s authentication to log in, whatever that may be.
I also don’t agree that biometrics are inherently less secure than a passcode. For one thing, a password can be stolen much more easily than a fingerprint. All someone needs to do is shoulder surf you when you put your password in, or phish you, or catch you putting in your password on camera, or even brute force it. Passwords have proven to be the wrong solution and, similar to email, we’ve had to bolt on solutions to make them less terrible: password managers to generate random long passwords, TOTP or hardware key 2FA in case one of the multitude of ways a password can be stolen happens, default email/SMS 2FA basically making your email into an easy way to get into all your accounts. The situation with passwords is truly horrible.
As far as fooling biometrics, it depends on the implementation. Apple’s Face ID uses a combination of 2D infrared images and a dot projector that takes a 3D scan of your face, so it won’t be fooled by 2D images; however, some Android phones rely only on 2D images, which is significantly less secure. For fingerprint sensors, optical ones are less ideal since they can potentially be fooled by an image. More secure are the capacitive and ultrasonic ones, which won’t be fooled by an image of a fingerprint because they’re not optical. The capacitive ones won’t even work if you’re dead, since the electrical conductivity of your finger changes. So no, it’s not really possible for an attacker to easily just take your biometrics and use them to unlock. I’m not sure about Android, but Face ID has an option to require you to be looking at the screen before it will unlock, so it won’t work for someone trying to unlock your phone when you’re sleeping or unaware. I’d also argue that in any situation where you’d be forced by criminals you’d likely give up your password as well, but sure, that’s why these devices have modes to disable the biometrics. Simply hold the power and volume buttons on iOS and now you’re safe. Android’s version is called lockdown mode; you’d have to look up how to use it.
I’m going to go to a different path, a little bit like @anon66890361.
We, the people of this community forum, live in a technology bubble. Most people are not good with technologies. They are very bad.
They will reuse the same password across 200 websites.
They add 1 or 2 at the end of the password when a password change is mandatory.
They will never use a password manager. Heck, even colleagues who are good with it do not use a password manager.
They will share their passwords.
They will be phished, their account will be hacked and the password cracked, then reused to log in to other websites.
The main advantage of passkeys is convenience while still providing security.
When they use passkeys:
They don’t reuse passwords.
They cannot share a password.
… They cannot be phished by email or phone, because there is no password to share. This is great security! “Mister from the bank, how do I give you my password? Normally my phone asks for my fingerprint to auto-connect.”
… They cannot be phished by a fake website, because the URL is checked. Not sure, but I think the cryptographic keys of the website are checked too.
When (not if) a website is breached, there is no password to crack, and this also prevents hacking other accounts with the same password.
They are going to get used to auto-login across devices, which will reinforce the use of passkeys.
It’s secure convenience that can bring everyone not tech-knowledgeable to a more secure state.
It helps improve everything by improving the least secure aspect of login: the human.
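The last post's point that a passkey "cannot be phished by a fake website, because the URL is checked" is worth seeing concretely, since it is the property that separates passkeys from passwords and from TOTP codes. The Go program below is an added example written for this thread, not code from any poster, from 1Password or from the WebAuthn specification. It simulates an authenticator holding a passkey for an assumed relying party `bank.example`, then runs the relying party's verification of a login assertion three ways: from the genuine origin, from a constructed look-alike origin, and as a replay against a fresh challenge. The site names, the challenge bytes and the field layout of `authenticatorData` are the simulation's own constructions, reduced to the parts the check depends on.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// collectedClientData holds the three clientDataJSON fields a relying party checks.
type collectedClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back from navigator.credentials.get().
type assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA P-256 signature
}

// simulatedAuthenticator stands in for the phone or laptop holding the passkey.
// The private key never leaves it; the website stores only the public key.
type simulatedAuthenticator struct {
	key  *ecdsa.PrivateKey
	rpID string // assumed relying party ID the credential was created for
}

func newAuthenticator(rpID string) (*simulatedAuthenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &simulatedAuthenticator{key: key, rpID: rpID}, nil
}

// signedDigest is what both sides sign/verify: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion models browser + authenticator. The browser, not the web page,
// writes the page's real origin into clientDataJSON, so a look-alike site
// cannot claim to be the genuine one inside the signed data.
func (a *simulatedAuthenticator) getAssertion(pageOrigin string, challenge []byte) (assertion, error) {
	cdj, err := json.Marshal(collectedClientData{
		Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: pageOrigin,
	})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(append(make([]byte, 0, 37), rpHash[:]...), 0x05, 0, 0, 0, 1) // rpIdHash || flags UP|UV || counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cdj))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cdj, Signature: sig}, nil
}

// verifyAssertion is the relying-party side: only the stored public key, the
// RP ID and origin it owns, and the challenge it issued for this login are needed.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin string, issuedChallenge []byte, as assertion) error {
	var cd collectedClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if ch, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(ch, issuedChallenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to a different RP ID")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}

func main() {
	auth, _ := newAuthenticator("bank.example")
	challenge := []byte("constructed-random-challenge") // real RPs issue fresh random bytes per login
	genuine, _ := auth.getAssertion("https://bank.example", challenge)
	lookalike, _ := auth.getAssertion("https://bank-example.evil", challenge)
	pub := &auth.key.PublicKey
	fmt.Println("genuine site:  ", verifyAssertion(pub, "bank.example", "https://bank.example", challenge, genuine))
	fmt.Println("look-alike:    ", verifyAssertion(pub, "bank.example", "https://bank.example", challenge, lookalike))
	fmt.Println("replayed login:", verifyAssertion(pub, "bank.example", "https://bank.example", []byte("next-challenge"), genuine))
}
```

Two things the run makes visible. First, the user is never asked to type or compare anything: the origin lands in the signed data because the browser puts it there, which is why the "Mister from the bank" phone call and the look-alike URL both fail without the user noticing a difference. In a real browser the look-alike case is stopped even earlier, since a page on `bank-example.evil` is not allowed to request a credential scoped to `bank.example` at all; the simulation lets the signature happen so the relying-party check can be shown. Second, a breached server database from this scheme contains only public keys and a per-login challenge, so there is nothing to crack and nothing that unlocks another site.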