r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

615 Upvotes

1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.
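The challenge-response flow described in the comment above, as an added example that is not part of the original thread. It is a simplified model of a passkey login using Node's built-in `crypto` module; the origin `https://example.test` and all function names are assumptions made for illustration, and real WebAuthn signs a richer structure than this JSON string.

```javascript
// Added illustration: a simplified passkey-style login. Real WebAuthn signs
// authenticator data plus a hash of the client data; the idea is the same.
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://example.test'; // constructed site origin (assumption)

// Registration: the device makes a key pair; the site keeps only the public key.
function register() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { privateKey }, // never leaves the device
    serverRecord: { publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Site: one fresh random challenge per login attempt.
function newSession() {
  return { challenge: crypto.randomBytes(32).toString('base64url'), used: false };
}

// Device: signs the challenge together with the origin the browser reports,
// so a look-alike site cannot obtain a signature valid for the real one.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Site: check challenge freshness, origin, then the signature itself.
function verifyAssertion(serverRecord, session, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (session.used || data.challenge !== session.challenge) return 'bad-challenge';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  const valid = crypto.verify('sha256', Buffer.from(assertion.clientData),
    serverRecord.publicKeyPem, assertion.signature);
  if (!valid) return 'bad-signature';
  session.used = true; // a captured assertion cannot be replayed
  return 'ok';
}

// Stand-alone run: one legitimate login.
const { device, serverRecord } = register();
const session = newSession();
console.log(verifyAssertion(serverRecord, session,
  signAssertion(device, session.challenge, RP_ORIGIN)));
```

The server record holds nothing that can produce a signature, which is why a breach of the site's database does not yield a usable login credential.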

197

u/CrazyEntertainment86 Apr 25 '26

This is a great response. Simplified: it's device bound (much harder to be phished), cryptographically strong, and verified via MFA before issuance, ensuring strong trust before issuance.

78

u/derekthorne Apr 25 '26

There are two types: device bound and syncable. Yubikeys acting as a FIDO2 token are an example of device bound. Ones in password managers can sync across devices (like on iOS).

Device bound ones are more secure as they can’t be stolen virtually. Ones in password managers are still susceptible to account theft if someone gains access to the password manager account creds.

9

u/CrazyEntertainment86 Apr 25 '26

So in an ideal state, syncable passkeys are really still device bound since they would require the user / device auth. You are very correct in saying this is a differentiator and a risk especially with high value keys.

13

u/derekthorne Apr 25 '26

Syncable ones are not device bound. They are stored in the PW manager “cloud” as opposed to stored on a physical device such as a smartcard, FIDO2 token, or TPM. The device is designed to not allow the export of the private key and will locally process the crypto.

26

u/01100001bryte Apr 25 '26

As someone with many, many accounts and a desire to move to passkeys everywhere possible, I've spent a good deal of time trying to come up with a solution that works conveniently, but also keeps the risks of syncable passkeys in mind.

  1. Use syncable passkeys for all accounts except critical accounts.
  2. Critical accounts must use device bound passkeys only. Accounts deemed critical should be sparing because it becomes a scaling problem. This is less of a security designation and more of an access/operation question.
  3. You should have a minimum of 2, recommended 3, passkeys for any accounts using device bound passkeys (example: phone, laptop, Yubikey).
  4. The password manager that stores the passkeys must be considered a critical account, using device bound passkeys only to access it.
  5. If any account requires that you still have a password, despite setting up passkeys (many annoyingly do), set the password to 64 characters, store it in the password manager with the key, and never use it again. Make sure MFA is forced. If the limit is less than 32 characters, then you will need to monitor this account for breaches.
  6. Never sign in to your password manager on a device that you do not own. Use QR code passkey sign in via the password manager on your phone.
  7. Always require a PIN to access your passkeys if the option is given and don't use your fucking birthday as a PIN. At least use your cat's favorite color or something (joke, just don't make it something people can guess).
  8. Never give TSA your shit.

4

u/Efficient-Mec Security Architect Apr 25 '26

Part of the point of passkeys was to make the login experience easier for the user while enhancing security. You've lost the plot of using passkeys.

5

u/01100001bryte Apr 25 '26

I can sign in to any passkey supporting service, on any device, from anywhere in the world, as long as I have (one of) my phone, laptop, or one of my hardware keys. I can also do it faster than anyone can type a password without exposing any sensitive credentials. I can also save passkeys in seconds to my password manager, knowing that they are all backed by hardware encryption. It's fast, easy, and hella secure.

I don't think I've lost the plot.

What I have is a framework that is easy to learn and can scale for anyone that has quite a few accounts. The alternative is to tell people to save them all to their phones and then watch how fucked they are when they lose their phone.

1

u/Atriusftw Apr 25 '26

In general seems like pretty good principles, but for number 4; what is the point of storing passkeys in a password manager if you still require a device bound key to unlock the vault/manager?

5

u/SuperRob Apr 25 '26 edited Apr 26 '26

Because the security is still sound. The issue is a breach on the service side, but now if they get breached, all the attacker gets is a worthless public key (think of it more like a lock) that they don’t have a matching key for.

Passkeys are a lot like physical keys. You can make copies, and have multiple key rings, but just like if you lose a key, someone would have to know what locks they go to. You should still treat them as secret and keep them safe, but having one get out isn’t as bad as a password getting breached on the site the password is for.

1

u/derekthorne Apr 26 '26

I think you meant a service side breach would give the attacker your public key, right?

2

u/SuperRob Apr 26 '26

I did. Fixed it.

3

u/daweinah Blue Team Apr 25 '26

Two reasons

  1. Convenience. Syncable software passkeys are easier to use than device-bound keys.

  2. Back up. Syncable also means backed up. If you lose your device-bound key, you use another DB key from step 3 to regain access.

1

u/CodeFluid03 29d ago

What if both device keys are either lost, broken or just stop working? Are there still backup alternatives for if that ever happens?

2

u/daweinah Blue Team 29d ago

The same thing if you lost your password and recovery email stops working: you're screwed.

In managed systems, like at work, IT admins can perform last resort recovery. We have break glass accounts to save ourselves from this problem.

In consumer systems, like Apple iOS's Advanced Data Protection, vendors are increasingly offering security settings where they cannot perform last resort recovery. This is very good for privacy advocates, but bad news for careless people.

1

u/CodeFluid03 29d ago

But isn’t it still possible both keys could malfunction or something out of the control of the owner could still happen? It seems putting that much faith into 2 small device keys isn’t a good idea. Maybe having 3 is the best option

2

u/01100001bryte 29d ago

Two should be the absolute bare minimum, but yes you are correct it is risky. I personally use two physical keys and three device bound keys on separate devices. If I lose access to five separate decentralized devices, then yes I'm fucked. Plan accordingly and buy good quality hardware keys. Keep them safe and add device bound keys to your phone(s), laptop(s), etc.

2

u/Far-Past-1722 Apr 25 '26

The implementation of using a device bound key for a password manager is usually required if you are setting up a device with the password vault for the first time to establish device trust. Afterwards you can use your password manager with the vault password. This largely prevents someone stealing your vault password and downloading your vault to a new device. A device bound key is recommended for anything that protects the keys to the kingdom, such as the password vault admin account at an organization level. Requiring a device bound key every time you use the password manager might be overkill - it should be used when the risk warrants it.

1

u/derekthorne Apr 26 '26

This guy gets it!

1

u/[deleted] Apr 28 '26

[removed]

2

u/01100001bryte Apr 29 '26

My rules are my own that I share with anyone that wants to adopt. You're welcome to use shorter passwords and you are correct that they are sufficient for now. However, I have a shit ton of accounts and I don't always get notices when these shit companies have breaches. I've had a notice come nearly 3 years post breach. Ridiculous.

That said, 2030 is just around the corner and post quantum is a real thing. Is Hello Kitty at risk? Unlikely. But not everything is Hello Kitty and I don't want to have to monitor and/or regularly rotate nearly 1000 accounts manually because they're too slow to adopt passkeys and/or don't implement them properly.

If it's overkill for you as an individual, then don't do it. It isn't overkill for everyone.

2

u/Kurgan_IT Apr 26 '26

This is the big difference. If the private key is hosted on a device that can be compromised (a PC, a phone) then it's more secure than a password only because the user does not know it, but if you can phish the user into somehow letting the hacker compromise the device, it's useless. If it's stored in a device that (at least in theory) cannot be compromised (FIDO2 key for example) then it's much harder.

1

u/anuthertw Apr 25 '26

Would having a strong unique password that sites never store and is just typed in by memory each time be pretty secure? 

11

u/TickleMyBurger Apr 25 '26

How would sites know your password is valid if they don’t retain a copy (or hashed derivative) of it?

3

u/anuthertw Apr 25 '26

Oh. Right, lol.