Passkeys and Security Keys

To my current understanding, passkeys are just a cloud version of physical security keys because passkeys are discoverable and syncable. Does this mean passkeys are subjected to the same concern of a cloud storage breach? For accounts that offer both passkey and security key sign in options, should I choose security key for maximum security and privacy? I’ve heard one approach is to use passkeys as the first-factor authentication and security keys for second factor. But if passkeys are already protected with 2FA using biometrics, what of use is the security key?

P.S. I’m a noob that just learned about passkeys and security keys. I’m still reading and researching these technologies but in the mean time, if someone is kind enough to answer my questions, I’d be most appreciative.

Passkeys rely on FIDO2 (Web Authentication/WebAuthn). Most security keys should support both FIDO (Universal 2nd Factor) and FIDO2 (e.g. YubiKeys). FIDO2 enables passwordless login, but not all sites support that. Google supports passkeys (and passwordless login) and you can create them either on iCloud Keychain, Bitwarden, 1Password, YubiKeys or Titan Security Keys. So it looks like passkeys are not simply a cloud version, but can also be stored on hardware security keys making them device-bound credentials, which would be a lot more secure than syncing them to the cloud.

Also, Google puts passkeys and security keys together, reaffirming that.

Thank you! I didn’t really get what U2F is and its relation to FIDO2. It seems like passkeys are merely authentication method using FIDO2 . But physical security keys are much more than that. Talking specifically about Yubikeys, they are a tamper-resistant hardware device not only capable of storing passkeys, but also support other protocols, including Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV) and OpenPGP.

After further research, below is my conclusion on the approach of using passkeys.

There are essentially two types of passkeys.

  1. Discoverable credentials (resident credentials)

  2. Non-discoverable credentials (non-resident credentials)

    • Cannot be copied or exported, and therefore, cannot be backed-up, shared, or synced across multiple devices, aka aka Single-Device Passkeys.
      • Making it device-bound, unique to a single (usually tamper resistant) hardware device.

For maximum security and privacy, I should use non-discoverable passkeys on security keys for authentication since they have minimal attack surface. Further advantages include needing less storage and being able to create unlimited number of non-discoverable credential passkeys because they are tied to the hardware’s unique id/secret.

Are discoverable credential passkeys more fingerprintable than non-discoverable ones, making it less private?

FIDO/U2F (Universal 2nd Factor) is the predecessor to FIDO2/Web Authentication. I don’t know the technical differences other than FIDO2 is better and enables passwordless authentication.

Yes, physical security keys can store much more than only FIDO/FIDO2 but not all do. the YubiKey 5 Series supports more protocols than just the YubiKey Security Keys Series which only support FIDO and FIDO2.

When you add a security key for your Google Account in your account’s settings, it will create a passkey on it. When you add a security key when you enable Advanced Protection Program (APP) as it will make you when you first enable it, it instead creates a non-passkey credential. What’s the difference? A passkey is only a passkey when it is discoverable. A non-discoverable credential is NOT a passkey. The other difference is as you mentioned: passkeys have a limit as to how many can be stored.

It’s important in our context of passkeys to focus primarily on discoverable credentials; a WebAuthn credential is not considered a passkey unless it’s discoverable.


Option 1: Creating a passkey for a Google Account.

Google Account > Security > Passkeys and security keys

Option 2: Creating a non-passkey credential.

Enroll in Advanced Protection Program > add you YubiKeys to your account then

Very weird that Google does it that way. I don’t see a reason why as passkeys can also be used to log into your Google Account when you are enrolled in APP. However, it does require at least one security key to be set up as it is in option 2. You can delete all the passkeys, but Google won’t allow you to delete the last non-passkey credential from your Google Account unless you disable APP first.

I do not believe passkeys or non-passkey credentials are fingerprintable, but I am not certain

May I ask how you get to this conclusion? FIDO2 credentials on Yubikeys cannot be extracted, and sites cannot see your private keys. I can’t see how “non-discoverable” keys increases any privacy, nor how they inherently decrease attack surface.

Perhaps by attack surface you are referring to using FIDO2 for MFA. In other words, are you saying that authenticating with a password + FIDO2 security keys are more secure? If so, it’s arguably correct.

I can see the possibility that a local attacker can observe you entering the PIN of your security key, then steal it and use it to sign in to all of your accounts where you’ve registered a passkey. (They wouldn’t need to know the usernames of your accounts in advance, as they are stored on the key as well, and can be viewed with Yubico’s desktop apps, and probably other manufacturers’ apps, if they have the PIN and the key).

If the thief in addition needs to know your account passwords, then it gets harder in this scenario.

The Fido Alliance’s intention behind password-less FIDO2 authentication (“passkeys”) is that it’s just that more convenient for users. FIDO2 will not achieve broad adoption if it’s just as cumbersome or more cumbersome to use than passwords. There are sensitive auth scenarios where I think it makes especially sense to enforce both passwords and FIDO2 instead of password-less sign-in, such as signing in to your bank account and financial services. (Although I don’t see my bank offering me this option any time soon).