PASSKEYS
TOPICS BELOW: Why Not To Use Passkeys, Passkeys Bad, Passkeys Good, FYI
A passkey is a password that you are not allowed to know. Your phone knows it, but you do not.
WHY NOT TO USE PASSKEYS
Do not use passkeys. Here are some (not all) reasons why:
- The passkey ecosystem is complicated. I have read articles and listened to podcasts from techies, people who normally understand these things, and they all have questions about how passkeys work. Using a system that you do not fully understand is like diving into a pool where you don't know how deep the water is.
- If something goes wrong with passkeys, you will still need a password as a fallback mechanism.
In December 2024, Dan Goodin described the current state of things: "Of the hundreds of sites supporting passkeys, there isn't one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google's Advanced Protection Program, I know of no sites that won't allow logins to fall back on passwords, often without any additional factor. This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys."
- Unlocking an account using passkeys on a phone increases the reliance on our phones for security. Phones inevitably get lost, stolen or broken, so passkeys make the loss of a phone that much worse. I suspect that many people who jumped on passkeys initially live in low-crime areas.
- Passkeys are built on the assumption that everyone has a smartphone. People who don't, who get Internet access at a library, are not allowed to play the passkey game.
- Why are passkeys being pushed by Google, Apple and Microsoft? Really, why? Some have said the real reason is to lock you into their ecosystems. This makes all the sense in the world to me. Even in a year or two (I am writing this in May 2023), when passkeys are more widely available, I doubt that an Apple user will be able to use their passkey on an Android device or Windows PC. Time will tell.
- For passkeys to catch on, the vast majority of websites that now accept passwords will need to be updated to also accept passkeys and then, eventually, to only accept passkeys.
And, there are many computer systems that are not websites and they too need to be upgraded to support passkeys. To me, this seems impossible.
- Even if passkeys are the future, the ecosystem for them will not mature for many years (as of May 2023). Maybe it will never mature.
PASSKEYS BAD
- January 15, 2025: Passkeys: they're not perfect but they are getting better from the British National Cyber Security Centre. This is an excellent article from an organization that is in favor of passkeys, yet they point out many current problems. Quoting:
"... the NCSC believes they are the future of modern authentication. However, there are still some significant bumps in the road ahead. Here we set out the case for mass adoption of passkeys and outline the remaining issues which are hindering their widespread implementation."
- They argue that passkeys are both more secure and more convenient. This is not true. Nothing can ever be both more secure and convenient. The two concepts have always been at odds and always will be.
- There are two major flavors of passkeys (came as news to me): device-bound (that never leave the device) and "synced" passkeys that live in a Password Manager which backs them up and syncs them across multiple devices. Some websites support synced passkeys, while others only support device-bound passkeys.
- Saving a passkey in a Password Manager sounds great, until you decide to use different Password Manager software. "This is currently challenging to do..."
- Different software companies use different terminology for the same thing. Quite confusing, especially to a newbie.
- Quoting: "To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices."
This is one of a number of problems/issues with passkeys where the NCSC points out that users need to be educated. This is fatal. User education will never happen. Anything that requires user education is doomed to fail.
- December 30, 2024: Excellent article: Passkey technology is elegant, but it's most definitely not usable security, by Dan Goodin for Ars Technica. The author sums up his own long article: "In short, there are too many cooks in the kitchen, and each one thinks they know the proper way to make pie." Some other quotes from the article:
When I wrote about passkeys two years ago, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts ... Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone - so much so that they can't be considered usable security
Passkeys are now supported on hundreds of sites and roughly a dozen operating systems and browsers. The diverse ecosystem ... has also fostered a jumble of competing workflows, appearances, and capabilities that can vary greatly depending on the particular site, OS, and browser (or browser agents such as native iOS or Android apps). Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor's preferred choice
The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn't support that browser on any OS.
- October 14, 2024: Can Passkeys Replace Passwords by Bruce Davie.
An excellent article that sees both pros and cons of passkeys. Mr. Davie does not expect passkeys to succeed. Quoting: "... if a website adopts passkeys without disallowing subsequent login attempts by password, then the system remains roughly as vulnerable to phishing attacks as it was before. A savvy user might detect that they are being phished if they are suddenly being asked for passwords after using passkeys for a long time, but any time we rely on the judgment of users to detect security attacks we are bound for disappointment. It bothers me to read blog posts from seemingly credible sources that don't address the fact that passkeys are being added in addition to passwords but not (yet) replacing them ... My last concern about passkeys is that the implementation seems to have failed the 'make it easy for users' test, which in my view is the whole point of passkeys.
I have been using public key cryptography for 30+ years ... Surely the reason for yet another technology based on public key cryptography is to simplify its use. If I find passkeys confusing to use, it doesn’t bode well for more typical users."
- September 9, 2024: Passwords have problems, but passkeys have more by David Heinemeier Hansson, CTO of software development firm 37signals. Quoting: "The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access their accounts ... Much the same way that two-factor authentication can do, but worse, since you're not even aware of it ... Even in the best case scenario, where you're using an iPhone and a Mac that are synced with Keychain Access via iCloud, you're still going to be stuck, if you need to access a service on a friend's computer in a pinch. Or if you're not using Keychain Access at all .... If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager like 1Password ... Yes, passwords have problems ... But just because we have a real problem doesn't mean that all proposed solutions are actually going to be better. And at the moment, I don't see how passkeys are actually better ... Passkeys seemed promising, but not all good intentions result in good solutions."
- April 8, 2024: Big Tech passkey implementations are a trap by Son Nguyen Kim of Proton.
Quoting: "This article looks at passkeys' initial promise, how Big Tech has tried to hijack them to serve their own purposes, and how we can ensure passkeys fulfill their potential for everyone ... We recently announced that Proton Pass now supports passkeys for everyone across all devices. Universal compatibility is a unique approach to implementing passkeys, unfortunately. Even though passkeys were developed ... to replace passwords and are meant to provide 'faster, easier, and more secure sign-ins to websites and apps across a user’s devices', their rollout hasn't lived up to these lofty ideals. Instead, the first organizations to offer passkeys, Apple and Google, prioritized using the technology to lock people into their walled gardens ... This closed approach diminishes the value of passkeys for everyone and makes it less likely that they’ll be universally adopted ..."
- This May 2023 article by Jared Newman is one that I mostly agree with: Passwordless logins are a confusing mess. The article says that a goal of passkeys is to make account logins easier. But, by definition, this means less security. In the article, the issue of not having your phone assumes it was lost. But, what if the phone was stolen? Bad guys may unlock your phone by forcing you to look at it or force you to press your finger on it. Or, if the phone unlock code is all that it takes to access the passkeys, they may just watch you unlock the phone, note the code, then steal your phone. Some quotes:
- Getting rid of passwords will be a long, messy, and occasionally maddening process, especially without clearer documentation and guidance from the companies involved.
- All of this falls apart when you try to start using passkeys in earnest. The technology is so new that every website handles it differently, and things that are supposed to just work often don’t.
- I have a pretty solid handle on technology, and I still find this to be overwhelming.
- As of now, none of the systems' biggest backers have provided clear documentation on what happens if your phone goes missing. ... In Google’s latest post about adding passkey support, the possibility of losing your phone doesn't even come up, and its support page offers no guidance for users who've lost all their devices.
- All of this, by the way, is separate from the 'Sign in with Google' and 'Sign in with Apple' buttons that are already ubiquitous around the web. While those options are also passwordless, they're separate from this new passkey system that's now being created.
PASSKEYS GOOD
- January 15, 2024: Passkeys: the promise of a simpler and safer alternative to passwords from the UK National Cyber Security Centre (NCSC). Just the upside, none of the downside.
- This May 2023 article in Ars Technica, Google passkeys are a no-brainer. You’ve turned them on, right? by Dan Goodin, is supposed to argue that passkeys are great. I think Goodin is completely wrong. As I read this article, I ended up with many questions. Rather than being a good thing, the article, in my opinion, shows passkeys as a bad thing.
Update: In December 2024, Goodin wrote a follow-up article (linked to above) that was quite negative about passkeys.
- This May 2023 article in the Wall Street Journal by Nicole Nguyen also argues for passkeys. Hate Passwords? It’s Time to Try Passkeys.
But, to me, the case is weak. More so, the article reminds me of something I have said for decades: "Don't take computing advice from the Wall Street Journal any more than you would take investing advice from Computerworld magazine." And, the article makes many factual mistakes, such as:
- Even the title of the article is false. It is absolutely not the time to try passkeys. Far far from it. This is not a matter of opinion, it is a fact.
- Nguyen claims passkeys are both easier and safer. Nothing that is easy is either safe or secure. Never has been, never will be. The two concepts are always at odds.
- Nguyen says that a passkey is "an encrypted bit of software code". It is not. A passkey is a number, not software code.
- The article says that a passkey lives in a password manager. This is literally true, for now, but they do not live in what most people know as password managers. KeePass, for example, cannot handle passkeys.
- The article says "the key only lives on your device (a phone or laptop, for instance)". This assumes we only have one computing device. If you have both an iPhone and an iPad they should end up on both devices. This also shows a lack of understanding of the technology. The passkey on your device is part of a pair of numbers. One stays on the server for the system you are trying to deal with, the other stays on your devices. This is a big contrast with passwords.
- The article says passkeys are easier than 2FA. Again, anything easier is less secure. And is it really easier? That is a matter of opinion.
- The article suggests testing passkeys on the webauthn.io website. I did, on a Windows PC. The site failed to load at all using the Mullvad web browser.
Using Brave, it wanted me to turn on Bluetooth which it said is required to use my passkey on a different device. What different device?
Using Chrome, it said Bluetooth was required and stopped. Again, the issue of passkeys being easier to use is a matter of opinion.
- The article says "Passkeys already work with the password managers built into ... Google Chrome ... desktop web browsers". It did not for me.
At least not without Bluetooth enabled. Why is Bluetooth needed? Neither browser said why.
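The "pair of numbers" point made about the webauthn.io item above is easier to see in code. What follows is an added Go model, not code from this page or from any passkey vendor: the phone keeps the private half of the pair and never hands it out, the website keeps only the public half plus the site identity (rpID) the passkey was registered for, and a login is a signed one-time challenge. It simplifies the real WebAuthn message layout to SHA-256(rpID) followed by the challenge, and every site name used with it is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for the phone: the private half of the passkey lives
// only here, and there is deliberately no method that returns it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Server stands in for the website: it keeps only the public half plus the site
// identity (rpID) it was registered for, so a copy of its user table cannot log in.
type Server struct{ pub *ecdsa.PublicKey; rpID string }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewAuthenticator() *Authenticator { // ES256 (P-256) is WebAuthn's default algorithm
	return &Authenticator{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}
// Register is the one-time enrolment: only the public key crosses to the server.
func (a *Authenticator) Register(rpID string) *Server {
	return &Server{pub: &a.priv.PublicKey, rpID: rpID}
}
// signedData is what gets signed (simplified): hash of the site identity the signer sees, then the challenge.
func signedData(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rp[:], challenge...))
	return sum[:]
}
// NewChallenge is a random one-time value, so a captured signature cannot be replayed.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	return c
}
// Assert signs for the site it actually sees; a look-alike phishing site only gets a signature over its own name.
func (a *Authenticator) Assert(seenRPID string, challenge []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, a.priv, signedData(seenRPID, challenge)))
}
// Verify checks against the stored public key and the server's own rpID, never against a password.
func (s *Server) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedData(s.rpID, challenge), sig)
}
```

The same model also shows why the password fallback quoted from Goodin and Davie above matters: a site that rejects a mismatched rpID signature but then accepts a typed password has handed the phisher a way around the whole exchange.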
FYI
The Security Now podcast of May 9, 2023 raised an interesting issue. Someone who does not own a computer or smartphone and uses the library for their Internet access cannot use passkeys.