Serious Discussion Passkeys actually useless at this time? Please clarify!!!

[Templar]

Hi folks,

A question for security experts who are knowledgeable about passkeys.

So, Microsoft, Google, Amazon, Ebay all support passkeys, right? They continually tout about going passwordless, and the benefits of a passkey's use against a password.

I'm new to using passkeys, but I'm beginning to think they are useless, at least at the present time, and I'm not talking about the method they use to authenticate in itself, but rather in the way websites implement them by still providing the password method to log-in once you've set up the passkey. To clarify, they say go passwordless, but you're not actually passwordless.

For example, I just created a passkey on my desktop PC for Amazon, yet when I go to sign in, even though the passkey method is provided underneath, the password is still the default sign in!!!! Ebay also offers password log-in alternatives when a passkey has been set up, as does Google. Surely this means in the event that someone did know your password, they could just bypass the whole passkey method?

Is it just a simple case of passwords still being offered by websites because it's still early days for passkeys?

Is there any benefit to using passkeys now, even though the password method is still provided? I've heard there is always a chance at interception when you use a password to validate entry into a website, whereas with a passkey the validation method is more secure. I don't know if that is true or not.

I've heard some people say 2FA via authentication app is not required with passkeys, but surely that would only be valid in a case where it is truly passwordless. Any website that can implement passkeys that still offers passwords as other methods of authentication I would say it is still required.

Thoughts, please.

 

[Bot]

Hi folks,

A question for security experts who are knowledgeable about passkeys.

So, Microsoft, Google, Amazon, Ebay all support passkeys, right? They continually tout about going passwordless, and the benefits of a passkey's use against a password.

I'm new to using passkeys, but I'm beginning to think they are useless, at least at the present time, and I'm not talking about the method they use to authenticate in itself, but rather in the way websites implement them by still providing the password method to log-in once you've set up the passkey. To clarify, they say go passwordless, but you're not actually passwordless.

For example, I just created a passkey on my desktop PC for Amazon, yet when I go to sign in, even though the passkey method is provided underneath, the password is still the default sign in!!!! Ebay also offers password log-in alternatives when a passkey has been set up, as does Google. Surely this means in the event that someone did know your password, they could just bypass the whole passkey method?

Is it just a simple case of passwords still being offered by websites because it's still early days for passkeys?

Is there any benefit to using passkeys now, even though the password method is still provided? I've heard there is always a chance at interception when you use a password to validate entry into a website, whereas with a passkey the validation method is more secure. I don't know if that is true or not.

I've heard some people say 2FA via authentication app is not required with passkeys, but surely that would only be valid in a case where it is truly passwordless. Any website that can implement passkeys that still offers passwords as other methods of authentication I would say it is still required.

Thoughts, please.

Hi there,

I understand your confusion regarding the implementation of passkeys on various websites. While passkeys are indeed promoted as a passwordless authentication method, many websites still offer the traditional password login alongside it. This can create confusion and make passkeys seem redundant.

The reason behind this is that passkeys are still relatively new, and not all websites have fully transitioned to a passwordless system. It's likely that these websites are providing both options to accommodate users who may not be familiar with passkeys or prefer to stick with passwords for now.

However, it's important to note that passkeys do offer some benefits over passwords. Passkeys are typically more secure because they rely on cryptographic keys stored on your device, making them resistant to phishing attacks and password breaches. They also eliminate the need to remember complex passwords or reuse them across multiple sites, which can improve overall security.

Regarding your concern about interception, passkeys are designed to be more secure than passwords. While it's true that passwords can be intercepted, passkeys use cryptographic protocols to authenticate your device without transmitting sensitive information over the network. This adds an extra layer of security to the authentication process.

As for 2FA (two-factor authentication), it's generally recommended to use it in conjunction with passkeys, especially if the website still offers password login options. 2FA adds an additional layer of security by requiring a second form of authentication, such as a code from an authentication app or a biometric factor.

In conclusion, while passkeys may not be fully implemented on all websites yet, they do offer some security advantages over traditional passwords. As more websites adopt passwordless authentication, the benefits of passkeys will become more apparent. In the meantime, using passkeys alongside 2FA can provide an extra level of security for your online accounts.

I hope this clarifies things for you. Let me know if you have any further questions!

 

[Templar]

@Bot Thanks for your reply, I appreciate your answer, Sir.

 

[scorpionv]

Passkeys are built on the WebAuthentication (or "WebAuthn") standard, which uses public key cryptography. During account registration, the operating system creates a unique cryptographic key pair to associate with an account for the app or website. These keys are generated by the device, securely and uniquely, for every account.

One of these keys is public, and is stored on the server. This public key is not a secret. The other key is private, and is what is needed to actually sign in. The server never learns what the private key is. On Apple devices with Touch ID or Face ID available, they can be used to authorize use of the passkey, which then authenticates the user to the app or website. No shared secret is transmitted, and the server does not need to protect the public key. This makes passkeys very strong, easy to use credentials that are highly phishing-resistant. And platform vendors have worked together within the FIDO Alliance to make sure that passkey implementations are compatible cross-platform and can work on as many devices as possible.

The private key part makes the passkey system much more safe than any system with an oldschool password that is actually submitted to and stored on a remote server.


Above quote from a nice article series on Ars Technica about passkeys:
Google passkeys are a no-brainer. You’ve turned them on, right?
Passkeys may not be for you, but they are safe and easy—here’s why


Takeaways, every big provider is just getting started with passkeys, hence the backwards compatibility to passwords. And yes, please continue to use 2FA.

 

[Templar]

The private key part makes the passkey system much more safe than any system with an oldschool password that is actually stored on a remote server.


Above quote from a nice article series on Ars Technica about passkeys:
Google passkeys are a no-brainer. You’ve turned them on, right?
Passkeys may not be for you, but they are safe and easy—here’s why


Takeaways, every big provider is just getting started with passkeys, hence the backwards compatibility to passwords. And yes, please continue to use 2FA.

@scorpionv Thanks for the links, chap!