
Passkey folks - can someone explain to me how this makes things more secure?

For example, let’s take Apple. Apple Passkey support is great - I can store a passkey and it syncs through iCloud to all my devices. So my phone can login, my macbook can login. Neat.

But thinking about this a little more, Passkeys on iPhones are secured with FaceID, so to login I have to use FaceID or other biometrics. But on iPhone you can skip the FaceID check if you know the device passcode as fallback. So now, if someone has access to my iPhone and knows my passcode, they have access to ALL my accounts that have Passkeys stored on my iCloud.

Previously, even if an attacker had access to my iPhone, they still wouldn’t be able to login because they don’t know my password. And 1Password itself uses a separate unique password and can’t be skipped with device passphrase.

I’m honestly surprised that we can’t lockdown passkeys on iOS with a separate password/key that’s used to encrypt those. It just seems like I’m giving up on security by switching to passkeys, away from randomly generated passwords. IMHO it should be: FaceID, and if you can’t use biometrics, you HAVE to specify that unique passkey-only encryption phrase to unlock it. Not device passcode.

If not that, then I would have expected passkeys to be factor 1 authentication to directly replace passwords, and then have something else as second factor, such as TOTP/yubikey/SMS auth. But current implementations on any website I’ve seen so far treat Passkey as “ok you’re in”, while going the password route usually triggers a second-factor check.




Your iOS device passcode also gives root access to your entire iCloud account, including the ability to reset your account password. This was highlighted a couple months ago by the Wall Street Journal in relation to a recent wave of thefts & account takeovers which were exploiting this: https://www.wsj.com/articles/apple-iphone-security-theft-pas...

It seems we all need to treat our iOS device passcodes with as much importance & sensitivity as the password to our password manager—essentially root on your digital life.


Access to your iCloud account will ask again for your password to change things like subscription, credit cards and so on.

So it's not root access per se. But very high.


So we're back to using old fashioned keys to unlock our residential/digital space. The more things change.....


I think you're misunderstanding the intent of this. It's meant to stop the theft of text authenticators, from breached databases. It shifts from "something you know" to "something you have." The problem with "something you have" to this point is that your average consumer doesn't want to buy and use a Yubikey. It's making PKI (which the DoD still uses for authentication) much more accessible, available, and convenient, for the average user.


> It just seems like I’m giving up on security by switching to passkeys, away from randomly generated passwords.

This is true for you, but the majority of people reuse poor passwords all over the place and do not have MFA set up.

For the average user, the risk of a breach on some poorly secured third party site is significantly higher than someone stealing their phone and cracking their passcode somehow.


If I conceptualise it as "your device unlock code is now also your master password but instead of randomly generated passwords we're using a key system actually designed for what we're doing with it" it makes a lot of sense.

Is it less secure than a Fully Correctly Implemented set of current best practices for sufficiently* paranoid geeks? Arguably, yes.

Is it more secure than what almost everybody was currently doing while also having the absolute bare minimum of friction to get the benefits it does provide? I strongly suspect so.

* I really do mean 'sufficiently' rather than 'excessively' here.


Most attacks are remote, not involving physical access to a specific (compromised) device. Think a compromised website exposing 1000s of people's passwords, and trying those passwords against other services. For that threat vector, it is more secure.

The way I would look at it is if that threat concerns you, don't use it for high-value accounts (email, bank, etc). Still is probably worth using for all those other low-value accounts; if an attacker has your phone, and has broken into it, them having access to your Netflix account is probably the least of your worries.


There are hundreds of phones stolen by the youth with hoods and stolen e-bikes in London each day. If they grab your phone in the seconds before it locks, you're screwed. That's my biggest concern!


The passkey provider should require either a PIN or biometrics each time it is authenticating you against a service. So it won't matter if your device was unlocked when it was stolen.


Using Apple's Passkeys is just like using Apple's Password Manager. If you were using that you'd already be in that situation where your device unlocks all your passwords and all an attacker may need is your device passphrase. Passkeys from that perspective are no worse than existing iCloud passwords.

You mention 1Password, and 1Password has just released their first steps into Passkey support and being a Passkey provider. You can download updated extensions for a number of browsers and use passkeys stored in 1Password, if you trust 1Password and like that flow of a secondary vault.

The current rub is that you can't yet use passkeys from 1Password on iOS. That's hopefully a gap that Apple will fix soon enough in a similar fashion to how iOS supports multiple password providers.


I’m neither here nor there on passkeys, but I think in this scenario if you stored your passkeys in 1Password at least - then when biometrics fail, it would require your 1…password.

Although I don’t know how the passkey support in 1Password will work, so I may be wrong on that.


Google considers that passkey with biometric authentication as multi-factor.

The device in your hand being the first factor, and the biometric value as the second factor.

Whether you consider that strong enough is a question for each of us individually I suppose!

https://android-developers.googleblog.com/2022/10/bringing-p...
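Three of the comments above make claims that are easier to see in code than in prose: that a passkey is "something you have" whose secret never reaches the website (the PKI comment), that the provider should re-verify the user with a PIN or biometric on every login (the comment about stolen unlocked phones), and Google's framing of device plus biometric as two factors (the comment just above). The following is an added example written for this thread, not code from Apple, Google, 1Password or any WebAuthn library. It models the relying-party side of a WebAuthn assertion: the site stores only a public key, issues a challenge, and checks the signature, the origin and the UV (user verified) flag that the authenticator sets in authenticatorData. The rpID `example.com`, the challenge bytes, the sign counter values and the in-memory P-256 key standing in for a Secure Enclave or synced keychain key are all constructed for the example; CBOR and base64url transport framing are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticatorData flags byte (offset 32).
const (
	flagUP byte = 0x01 // user present: the authenticator was handled
	flagUV byte = 0x04 // user verified: PIN, passcode or biometric was checked
)

// Credential is all the relying party stores per passkey; a breach of this table leaks nothing replayable.
type Credential struct {
	Public    *ecdsa.PublicKey
	SignCount uint32
}

// assertion holds the parts of a WebAuthn get() response that the RP verifies (transport framing omitted).
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// authenticatorSign simulates the authenticator answering a challenge; uv records whether it verified the user.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, challenge []byte, count uint32, uv bool) (assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	flags := flagUP
	if uv {
		flags |= flagUV
	}
	authData := append(rpHash[:], flags, 0, 0, 0, 0) // rpIdHash || flags || signCount
	binary.BigEndian.PutUint32(authData[33:], count)
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: "https://" + rpID})
	if err != nil {
		return assertion{}, err
	}
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the relying-party check. requireUV demands that the authenticator
// verified the user for this login, not merely that the device happened to be unlocked.
func verifyAssertion(cred *Credential, rpID string, challenge []byte, a assertion, requireUV bool) error {
	if len(a.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	if requireUV && a.AuthData[32]&flagUV == 0 {
		return errors.New("user verification required but not performed")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) || cd.Origin != "https://"+rpID {
		return errors.New("clientData does not match this ceremony")
	}
	// Counter must strictly increase; synced passkeys report 0 (allowed), so it is only enforced when non-zero.
	count := binary.BigEndian.Uint32(a.AuthData[33:37])
	if count != 0 && count <= cred.SignCount {
		return errors.New("sign counter did not increase: replay or cloned key")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.Public, digest[:], a.Signature) {
		return errors.New("signature invalid")
	}
	cred.SignCount = count
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the Secure Enclave key
	cred := &Credential{Public: &priv.PublicKey}
	challenge := []byte("constructed-challenge-0001") // a real RP sends 16+ random bytes per ceremony
	a, _ := authenticatorSign(priv, "example.com", challenge, 1, true)
	fmt.Println("verified login:", verifyAssertion(cred, "example.com", challenge, a, true))
}
```

Two things worth noting against the thread. First, the rpIdHash and origin checks are why a breached or phishing site gains nothing: an assertion signed for `evil.example` fails verification at `example.com`, and the stored table holds only public keys. Second, the UV bit only tells the site that the authenticator verified the user by some method it accepts; per the WebAuthn spec that may be a PIN, a device passcode or a biometric, and the site cannot tell which. So `requireUV` enforces the "PIN or biometrics each time" behaviour the comment asks for, but it does not let a site reject the passcode fallback the original post is worried about. The sign counter check is a practitioner's extra: it catches a cloned key on hardware authenticators, while synced passkeys such as iCloud Keychain legitimately report 0 and are not penalised.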


The passcode fallback isn't available for passwords, just for unlocking the device. In fact, IIRC I don't think you can set up iCloud Keychain without FaceID being enabled...


Not for passwords, but it is for Passkeys



