Passkeys are safer than passwords, and yet not safer than their storage is. Phones usually (hopefully) employ hardware isolation (TPM/TEE) to protect the passkeys, which makes me feel safe about having them locked away behind biometrics/PINs on my devices.
But when it comes to storing them in syncing password managers such as 1password, it suddenly feels less secure. Am I being paranoid?
For starters, I usually put passwords and MFAs in separate baskets, so a breach in 1pwd does not put all my data at risk (immediately, at least). It would be a different picture if the passkeys were leaked, since they are usually taken as enough of a factor for authentication in most implementations.
No, you are not being paranoid. I would say that syncing password managers are always an issue of trust.
Most password managers claim that they cannot access the private keys needed to access your passwords. These claims are usually enforceable through their privacy policy, regardless of your level of comfort with syncing.
If you’re interested in self-hosting a password manager, you can always do that and still have these syncing features.
Passkeys are a complicated thing, as I’ve heard in a podcast somewhere. I think Bitwarden openly lies to the computer about the status of its FIDO attestation (a topic I pretty much know nothing about) in order to have a functioning syncing passkey implementation. This is well above my pay grade, but I know some of you folks can appreciate the nitty-gritty of this more than I could.
If you’re syncing the passkeys then they’re not gonna be stored in your secure element. A breach of your password manager would mean a breach of your passkeys as well. Passkey syncing is supposed to always be E2EE so you don’t really have to worry about any servers having access to them.
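An added example, not from any poster in this thread, showing the check a relying party can make on its own side: WebAuthn authenticator data carries BE (backup eligible) and BS (backup state) flag bits, which is how a server can tell a synced passkey from a device-bound one regardless of what attestation a client sends. The sample bytes, the RP ID example.com and the function names are constructed for illustration.

```python
import hashlib
import struct

# WebAuthn authenticator data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the authenticator
FLAG_BS = 0x10  # backup state: credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows

def parse_authenticator_data(auth_data: bytes) -> dict:
    # Fixed prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian).
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS set without BE is not allowed by the spec")
    out = {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "aaguid": None, "credential_id": None, "public_key_cbor": b"",
    }
    if flags & FLAG_AT:
        # aaguid (16) | credentialIdLength (2) | credentialId | COSE key (CBOR, left raw).
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["aaguid"] = auth_data[37:53]
        out["credential_id"] = auth_data[55:55 + cred_len]
        out["public_key_cbor"] = auth_data[55 + cred_len:]
    return out

def classify(parsed: dict) -> str:
    # A device-bound passkey never sets BE; a synced one sets BE and, once
    # uploaded to the provider, BS as well.
    if not parsed["backup_eligible"]:
        return "device-bound"
    return "synced" if parsed["backed_up"] else "sync-eligible"

def make_sample(flags: int, rp_id: str = "example.com") -> bytes:
    # Constructed registration-style authenticator data, not a real response.
    cred_id = b"\x01" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + b"\x00" * 16 + struct.pack(">H", len(cred_id))
            + cred_id + b"\xa0")  # 0xa0 = empty CBOR map standing in for the key
```

Running `classify(parse_authenticator_data(make_sample(0x5D)))` returns "synced" (UP|UV|BE|BS|AT), while flags 0x45 (UP|UV|AT) classify as "device-bound"; a relying party can record this per credential and apply its own policy to synced ones.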