Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what’s still missing.
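The mechanism behind "stop phishing at the source", as an added example that is not part of the original post or of any FIDO library: a relying party (RP) checking a WebAuthn-style assertion. Everything in it is constructed for illustration. The rpId, the two origins, the challenge string and the sign counts are made-up values, and textbook RSA over SHA-256 with a seeded key stands in for the ES256 signature real authenticators produce, purely so the block runs on the Python standard library. In practice the browser already refuses to invoke the authenticator for an rpId that does not match the page's origin; the example skips that check on purpose to show that even then the origin the browser observed is bound into the signed clientData and cannot be swapped out afterwards.

```python
# Relying-party (RP) side of a WebAuthn-style assertion, reduced to the checks
# that give passkeys their phishing resistance.  Added illustration, not
# library code; all values below are constructed.
import hashlib
import hmac
import json
import math
import random
import struct

# --- Stand-in signature: textbook RSA over SHA-256 (no padding) -------------
# Real passkeys use ES256/EdDSA with proper encoding; this only keeps the
# example self-contained.  The private key stays on the "authenticator"; the
# RP stores just the public key (n, e) from registration.

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with a seeded RNG so the example key is reproducible."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand, rng):
            return cand

def keygen(seed, bits=512):
    rng, e = random.Random(seed), 65537  # seeded only for reproducibility
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, msg):
    n, d = priv
    return pow(_digest_int(msg), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg)

# --- Authenticator side ------------------------------------------------------
def authenticator_sign(priv, rp_id, challenge, origin, sign_count):
    """The device signs the RP's challenge together with the origin the browser
    observed and the rpId it was asked for; the web page controls neither."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    flags = 0x01 | 0x04  # UP (user present) | UV (user verified)
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
                 + struct.pack(">I", sign_count))
    sig = sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

# --- Relying-party side ------------------------------------------------------
def rp_verify(pub, rp_id, expected_origin, issued_challenge, stored_count,
              client_data, auth_data, sig):
    """Return (ok, reason, sign_count_to_store)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_count
    if not hmac.compare_digest(str(cd.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (stale or replayed)", stored_count
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin"), stored_count
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch", stored_count
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set", stored_count
    count = struct.unpack(">I", auth_data[33:37])[0]
    if (count or stored_count) and count <= stored_count:
        return False, "signature counter did not increase (cloned key?)", stored_count
    if not verify(pub, auth_data + hashlib.sha256(client_data).digest(), sig):
        return False, "bad signature", stored_count
    return True, "ok", count

def demo():
    """Three ceremonies against one registered key; returns their outcomes."""
    pub, priv = keygen(seed=2024)
    rp_id, origin = "example.com", "https://example.com"
    challenge = "constructed-challenge-1"  # real RPs issue >=16 random bytes
    # 1. genuine login: everything lines up, counter moves 0 -> 1
    cd, ad, sig = authenticator_sign(priv, rp_id, challenge, origin, 1)
    r1 = rp_verify(pub, rp_id, origin, challenge, 0, cd, ad, sig)
    # 2. same challenge relayed through a look-alike site: the origin the
    #    browser saw is baked into the signed clientData, so the RP rejects it
    cd2, ad2, sig2 = authenticator_sign(priv, rp_id, challenge,
                                        "https://examp1e.com", 2)
    r2 = rp_verify(pub, rp_id, origin, challenge, r1[2], cd2, ad2, sig2)
    # 3. editing the origin field afterwards breaks the signature instead
    tampered = cd2.replace(b"examp1e.com", b"example.com")
    r3 = rp_verify(pub, rp_id, origin, challenge, r1[2], tampered, ad2, sig2)
    return r1[:2], r2[:2], r3[:2]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters for a real RP: challenge freshness and origin are validated on the parsed clientDataJSON, rpIdHash and flags on the raw authenticatorData, and only then is the signature checked over `authData || SHA-256(clientDataJSON)`. Because no secret is shared with the server, a leaked RP database yields only public keys, and a credential captured on one origin cannot be replayed on another.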

  • Triumph@fedia.io · 18 up · 6 hours ago

    I really don’t want to turn my devices into hardware keys. I can’t imagine how difficult it would be to recover if, say, there was a fire or flood. Hardware breaks, gets lost, stolen. How about people who can’t afford multiple devices? What about the unhoused? How about if you get arrested and your one device gets confiscated, you can’t even give anyone else access to your data. What if you’re a good witness recording something and the police decide to make your device into evidence (or destroy it).

    MFA? Absofuckinglutely. I’ll pass on passkeys, sorry.

    • CompactFlax@discuss.tchncs.de · 6 up · 5 hours ago

      Yeah this is my situation. My personal computer is really infrequently used and as such I’m already in a dangerous situation when it comes to sign-in risk detection kicking off and asking for further authn proofs. I’ve had my phone die (and come to life when its replacement arrived) and that was a harrowing situation because all the MFA is stored there. Passkeys seem to make it worse, unless I subscribe to a sync service, which I need to infallibly trust (and I’m iffy on that; 1Password has a good security model and all that but passkeys are a different level of trust).

      • Triumph@fedia.io · 6 up, 1 down · 5 hours ago

        Think of passkeys like they’re backups.

        If you have one, you have none. If you have two, you have one. If you have three, at least one of them has to live offsite.

        There are a ton of people who can’t reliably meet the “three” threshold, and plenty who can’t meet the two.

          • Triumph@fedia.io · 2 up, 1 down · 4 hours ago

            I do; or at least I can. But really, Device #2 should be in a fire safe, and Device #3 should be in a safe deposit box. These should be “set and forget” devices, not just “the laptop that I use and the phone that I use”. Those are additional costs, additional planning, additional effort, additional administration (because you need to also be checking that these cold devices still work on a scheduled basis), maybe additional required skill (depending on what you want these set and forget devices to be). You need to have an appropriate place to keep that fire safe. And when one of those cold devices doesn’t work anymore, you have to figure out why and likely replace it.

            To do it right, you really have to have your shit together. That I don’t.