How Can Passkeys Possibly Be Safe?

❤️ Passkeys may feel confusing now, but they can be safe. Passkeys are a doorway to a less frustrating, passwordless future.

❤️ Passkeys & safety
Passkeys are a passwordless sign-in method built on a cryptographic key pair. The private key stays on a specific device (a phone, a computer, or a hardware security key) and is unlocked by user verification such as Windows Hello; the website only holds the matching public key. Because the site never receives a shared secret, and the key only answers for the site it was created for, passkeys remove the weaknesses of traditional passwords: reuse, guessing, leaked password databases, and phishing.

Chapters
0:00 How Can Passkeys Be Safe?
0:40 What are Passkeys?
1:30 Authentication steps
2:50 Windows Hello
3:35 Login scenarios
7:20 If someone steals your computer
12:25 Malware on your machine
14:30 Going Passwordless
16:55 [Im]Perfect Security


#askleo #passkey #security
Comments

Another thing of note regarding passkeys is that the process of using them to sign in *_never_* involves transmitting the passkey itself. This means that unlike a password, your “secret” cannot be intercepted because it never leaves your computer (or hardware security key, etc)! It is simply used to cryptographically sign a “challenge” message sent by the service which is then sent back to the service, where it is decrypted by the other half of the key pair and compared to the original, thus proving that you are in possession of the correct key. Just like public key cryptography, it’s ingenious in its simplicity and strength.

Not all services support multiple passkeys, or provide a comprehensible means of managing multiple passkeys if they do.
You can avoid that problem by using something like Bitwarden (you mention password vaults, but didn’t really get into all the other benefits they have, and unless this has changed recently, Bitwarden is the only one with full passkey support on all devices).

TallinuTV

As your normal stupid users, I just went through this with my son. He factory reset his phone which wiped his passkeys making it impossible to get into his google account (which he used for all of his college communication). Until learning about this technology about 2 days ago, I had no clue this is what happened. Safe maybe, but not "fool" proof if you have no idea that a passkey is automatically being set on your phone or that you are even setting up a passkey or what a passkey is. Nor would I call it less frustrating.

jeannehallock

I always learn something from your videos Leo. Your full explanations and gentle pacing really help in communicating your knowledge. Thank you.
Steve (in UK)

newlynsteve

I think public key cryptography using your face or fingerprint for the private key is pretty close to perfection, Leo.

mitchellsmith

You forgot that also with passkeys, no more phishing, as the key will not work on a fake website.

pbrigham

Hello Leo,
I liked your video explaining passkeys. You explained it very clearly.
I have some questions concerning passkeys left, e.g.
1. Google may know that its definitely me, but how do I know that it's Google asking ? This is even worse with you saying passkeys might work in the background without me even knowing. Let's assume someone breaks into Google and steals my public key. Computers are able to ask my number thousands of times in seconds. With enough returned numbers they might be able to "assemble" my private key.
2. If a passkey is stored in my device: What happens if I change hardware or have a major operating system update or change my operating system on this device? After a major OS-update my husband was in trouble. To what part of my device is this passkey linked? Hardware or software or both?
3. I use a password management tool and they do a lot of advertising for passkeys. I think it is a good idea concerning websites, but I won't change my master password to a passkey. If someone breaks into one of my devices, he will have access to my password management. My master password is only in my head.
4. I have a friend who is a mathematician. He told me encryption is all based on large prime numbers. Of course there are infinitely many prime numbers, but the larger they are, the more difficult they are to identify. So there might be "doubles" in the known and frequently used range of prime numbers. This is another gateway, a back entrance that non-mathematicians never know or think about.
What do you think about these questions, especially No 1?
Kind Regards
Sparkle_phoenix

sparklephoenix

Great video Leo. Explaining the situation really well. I like that you also welcome challenges and it made it perfectly clear that there is no perfect system. Like risk in general, you can't get rid of it completely but you can try to reduce it.

justinlloyd-jones

Great video. I like how you talk about different attack vectors to have different levels of relevance and mitigations. It's crucial for people to understand the efficacy of security features like passkey.

protectyourbusiness

If you use a password/passphrase vault (be it an extension for the browser or a desktop app), it makes passwords less of a headache and can combo easily with passkeys. Setting it to clear the clipboard after pasting where needed and combining it with passkeys makes for solid security. Passkeys alone with traditional password usage (typing it) are very strong already.

DavidPereiraLima

Wow Leo, you've just opened a new door for me to check out and see what's in there for me. This sounds very intriguing. Thanks Leo!

KarlBeeThree

You make really good points, but Microsoft's system glitches now and again and they prompt you to sign in. It happens too often for me and I don't know why. It is possible for Microsoft themselves to fail and you might have to work a little to get signed in. If the time arrived when their system didn't work, I would be unable to sign in. The breakdown of systems you described is not very likely, but Microsoft itself is subject to frequent glitches that leave you stuck until they are satisfied you are who you say you are.

BrotherMichaeloftheCross

Thank you. The role of passkeys in the security ecosystem had never been really clear to me.

verdedoodleduck

I would like to see sensitive data such as banking apps & websites protected by 2 factor biometrics, face ID plus fingerprint, making sure that it can only be me accessing these accounts.

olrdplt

Thank you for your explanation. Now I'm confident enough to use a passkey.

luckymapache

Thank you for this Leo. You have a new sub here ❤ I so far have 2 passkey protected accounts. I was prompted to activate the passkey, so I think the platform you're using has to implement it. Maybe Meta should think about introducing a passkey log on for users.

thecatlady-nn

Thanks for your explanation, Sir. 💟💟🎀🎀

VanNguyen-bskw

If I understand, the real advantage I see is just that passkeys are device specific. Is that always the case by definition? Also can they really replace passwords? Doesn’t the account need it anyways for the scenario of not having the original device anymore? Can’t malware get device info to allow it to be spoofed?

Ultrajamz

Question. First, nice job explaining things. You provide a lot of helpful information. Don’t you need/have a username and password to create an account on a website? So, even if you have a passkey, couldn’t someone use your username and password to sign in? Even if you set the default sign in to be a passkey? Or, if you don’t have your phone handy and want to sign in on a friend's computer to check your email. What happens in that case? I think passkeys are a great idea but before I start using them I want to know the “what if” scenarios. And what do you do when you get a new phone? Thanks.

chrisluke

Can't the malware steal the cookies and get into the account even with passkeys?

davdw

What I don't understand is why discussions about Passkeys never seem to compare them with Password + second factor authentication. It seems to me that passkeys mainly remove one factor: the password. How is that safer?

RC-