AI written, human edited.
In a recent episode of the popular Security Now podcast, hosts Steve Gibson and Mikah Sargent had an in-depth discussion about the security advantages of passkeys over traditional two-factor authentication (2FA). The conversation was sparked by a listener's question about whether using passkeys in place of 2FA would reduce their account security.
Gibson, a renowned security expert, emphatically stated that in a properly implemented system, passkeys alone provide far more security than even the strongest password combined with any second authentication factor. He proceeded to dissect the fundamental weaknesses of password-based authentication systems that rely on server-side storage of secrets like passwords and 2FA seeds.
The core issue, according to Gibson, is that these systems are inherently vulnerable because websites must store sensitive data that could potentially be stolen in a breach. In contrast, passkeys employ state-of-the-art public key cryptography, where the user's private key never leaves their device. Websites only receive the corresponding public key, which is designed solely for verifying digital signatures and cannot be used to derive the private key.
"Everything about passkeys is superior to everything that has come before it," Gibson asserted. Unlike passwords and 2FA codes generated from shared secrets, passkeys create unique, signed challenges for each authentication attempt, making replay attacks impossible.
Gibson acknowledged that while the cryptography underlying passkeys is vastly more secure, user perception could be a potential stumbling block. Many people might view passkeys as overly convenient and conflate ease-of-use with reduced security. However, he emphasized that this perception is misguided, as the underlying technology is what truly matters.
One concern Gibson raised is that websites implementing passkeys might still allow the use of legacy username/password authentication as a fallback. In such cases, the overall system security would be reduced to the weakest link – the outdated password-based method. He stressed the importance of entirely disabling these less secure options once passkeys are enabled.
The discussion also touched on hardware security keys like YubiKeys, which Gibson confirmed employ similar cryptographic principles as passkeys and the FIDO2 specification they are based on. However, he noted that the widespread adoption of dedicated hardware has been sluggish, hence the industry's push for a more user-friendly, software-based passkey approach.
In summary, this Security Now episode provided a comprehensive explanation of why passkeys represent a significant leap forward in authentication security. As accredited password managers now support passkeys natively, Gibson strongly recommends making the switch whenever possible and taking steps to disable any lingering password-based logins for maximum protection.
FAQs
Unlike passwords and 2FA codes generated from shared secrets, passkeys create unique, signed challenges for each authentication attempt, making replay attacks impossible. Gibson acknowledged that while the cryptography underlying passkeys is vastly more secure, user perception could be a potential stumbling block.
What is the difference between passkey and passkeys? ›
A passkey is a digital credential, tied to a user account and a website or application. Passkeys allow users to authenticate without having to enter a username or password, or provide any additional authentication factor.
Why are passkeys safer? ›
Passkeys use the WebAuthn standard for public-key cryptography, which generates a public-private key pair on user devices. As a result, they can't be stolen or forgotten like a password or physical key.
Do I need 2FA if I have passkey? ›
Do I need 2FA with my passkey? No, because 2FA is built into the passkey that is provided to the website during the login process. Each website may choose to include an additional step for logging in, though most do not.
Does passkey disable 2FA? ›
If you use two-factor authentication (2FA), passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. You can also use passkeys for sudo mode and resetting your password.
Are passkeys better than 2FA? ›
Yes, passkeys are more secure than traditional 2FA methods because they remove passwords, which are susceptible to password-related attacks, are phishing-resistant and support 2FA by design.
What are the disadvantages of passkeys? ›
The disadvantages of using Passkeys include: they are not yet widely adopted, they need extra software and hardware, and they can be costly, and businesses may need to budget for implementation.
Can passkeys be hacked? ›
If someone gets your device, they can't do anything with your passkey. And if you lose your old device containing your passkey, you can easily create a new passkey on your new device.
What happens to passkeys if you lose your phone? ›
What happens if a user loses their device? Passkeys created on Android are backed up and synced with Android devices that are signed in to the same Google Account, in the same way as passwords are backed up to the password manager. That means user's passkeys go with them when they replace their devices.
Can I still use a password if I have a passkey? ›
You can have a passkey and password for the same app or website, and find them both under the same account in Settings > Passwords. You can also save a passkey to a hardware security key.
Multi-Factor Authentication: A Step Beyond
2FA uses two items. Multi-factor authentication uses two or more items for authentication. Using a password and an email address, for instance, is always going to be inherently less secure than using a password, email address, and also a physical device.
Do you still need MFA with passkeys? ›
Multi-factor authentication (MFA) vs Passkey authentication
MFA refers to any authentication mechanism that uses two or more factors for verification. For example, a password and a one-time password (OTP); or a password and a fingerprint scan. Passkey authentication achieves MFA in a single step.
Is a YubiKey a passkey? ›
The YubiKey works as a passkey generator that can create both the public and private keys necessary to begin passkey login with accounts, apps, services and vendors that enable it – a YubiKey serves as a repository for up to 25 unique passkeys.
Can 2FA be bypassed by hackers? ›
Most 2FA methods involve sending temporary codes via SMS or emails, but these can be easily intercepted by hackers through account takeover, SIM swapping, and/or MitM attacks.
Does Apple use passkeys? ›
Since passkeys aren't exclusively the domain of Apple, once it's fully launched, you should be able to generate them on non-Apple devices for passwordless sign-in with your Apple ID, too, using Android or Windows using either the Chrome or Edge browser, which each support passkeys.
Where are passkeys stored? ›
When you use passkeys on your Android device, they're stored in your Google Password Manager. Passkeys are securely backed up and synced between your Android devices. Create a passkey to simplify your sign in. When you sign in to your Google Account, your available passkeys are listed.
How much does passkeys cost? ›
Passkeys Are Free—Security Keys Are Not
Although you'll need to start using a password manager, the free options that come with your device or web browser may support passkeys. Security keys can cost around $25 to $85 each, and you may want to purchase at least two in case one is lost or damaged.
Should I use Google passkeys? ›
Passkeys provide the strongest protection against threats like phishing. Once you create a passkey, you can use it to easily sign in to your Google Account, as well as some third-party apps or services, and to verify it's you when you make sensitive changes.
How do I use passkeys? ›
On the other device, go to the website or app and enter your user name in the account name field on the sign-in screen. Select “Other options,” “Passkey from nearby device,” or similar, then follow the onscreen instructions to display a QR code on the screen. Use your iPhone camera to scan the QR code.
