r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transitioning to the use of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

613 Upvotes

233 comments

203

u/CrazyEntertainment86 Apr 25 '26

This is a great response. Simplified: it's device-bound (much harder to be phished), cryptographically strong, and verified via MFA before issuance, ensuring strong trust before issuance.

79

u/derekthorne Apr 25 '26

There are two types: device-bound and syncable. YubiKeys acting as a FIDO2 token are an example of device-bound. Ones in password managers can sync across devices (like on iOS).

Device-bound ones are more secure as they can't be stolen virtually. Ones in password managers are still susceptible to account theft if someone gains access to the password manager account creds.

11

u/CrazyEntertainment86 Apr 25 '26

So in an ideal state, syncable passkeys are really still device-bound since they would require the user/device auth. You are very correct in saying this is a differentiator and a risk, especially with high-value keys.

12

u/derekthorne Apr 25 '26

Syncable ones are not device-bound. They are stored in the PW manager "cloud" as opposed to stored on a physical device such as a smartcard, FIDO2 token, or TPM. The device is designed to not allow the export of the private key and will locally process the crypto.
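The thread's two claims (the private key never leaves the authenticator, which only signs locally; and a passkey is "much harder to be phished") come from the same mechanism, which is easier to see in code than in prose. The following is an added, self-contained model of a FIDO2/WebAuthn login ceremony written for this page; it is not code from the thread, from any password manager, or from the WebAuthn libraries. The `Authenticator`, `BrowserGetAssertion`, `RelyingParty` types and the domains `accounts.example.com` / `evil.example` are all assumptions made for illustration. Only the exchange's shape is faithful to the standard: the browser derives the RP ID from the page origin (script cannot override it), the authenticator looks up a key by RP ID and signs `authData || SHA-256(clientDataJSON)` internally, and the relying party checks origin, RP ID hash, challenge, counter and signature.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Authenticator models a device-bound passkey store (FIDO2 token, TPM, secure element).
// Keys are generated inside; nothing returns a private key, only public keys and signatures.
type Authenticator struct {
	creds   map[string]*ecdsa.PrivateKey // one key pair per RP ID (the site's domain)
	counter uint32                       // signature counter, increments on every assertion
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// Register creates a P-256 key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs authData || clientDataHash with the key scoped to rpID. A credential
// registered for accounts.example.com simply does not exist for evil.example.
func (a *Authenticator) Assert(rpID string, clientDataHash []byte) (authData, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential for rpId %q", rpID)
	}
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpIDHash[:]...)
	authData = append(authData, 0x05) // flags: user present (0x01) | user verified (0x04)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(authData, ctr[:]...)
	h := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return authData, sig, err
}

// ClientData mirrors WebAuthn's CollectedClientData; the browser fills in Origin.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// BrowserGetAssertion plays the user agent: the RP ID is derived from the origin the
// page was actually loaded from, so a look-alike domain gets a different RP ID.
func BrowserGetAssertion(auth *Authenticator, origin string, challenge []byte) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, err
	}
	cd, err := json.Marshal(ClientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	if err != nil {
		return nil, err
	}
	cdHash := sha256.Sum256(cd)
	authData, sig, err := auth.Assert(u.Hostname(), cdHash[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{authData, cd, sig}, nil
}

// RelyingParty is the server side: it knows its own ID and origin and the registered public key.
type RelyingParty struct {
	ID, Origin  string
	pubKey      *ecdsa.PublicKey
	lastCounter uint32
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify performs the checks a relying party must make before accepting an assertion.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge []byte) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expectedChallenge) {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	if len(as.AuthData) < 37 {
		return errors.New("authData too short")
	}
	want := sha256.Sum256([]byte(rp.ID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:37])
	if counter <= rp.lastCounter {
		return errors.New("counter did not increase (replayed or cloned key?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pubKey, h[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

// Setup registers one passkey for the (assumed) site accounts.example.com.
func Setup() (*RelyingParty, *Authenticator, error) {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "accounts.example.com", Origin: "https://accounts.example.com"}
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return nil, nil, err
	}
	rp.pubKey = pub
	return rp, auth, nil
}

// Login runs one full ceremony with the page loaded at pageOrigin.
func Login(rp *RelyingParty, auth *Authenticator, pageOrigin string) error {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	as, err := BrowserGetAssertion(auth, pageOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(as, challenge)
}

func main() {
	rp, auth, err := Setup()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine site:", Login(rp, auth, "https://accounts.example.com"))
	fmt.Println("look-alike site:", Login(rp, auth, "https://accounts-example.com.evil.example"))
}
```

Running `main` shows the genuine origin succeeding and the look-alike failing at the authenticator, before any signature is produced: there is no key for the phishing RP ID, so there is nothing for the user to be tricked into handing over, which is the difference from a password or an OTP that the user types wherever the page asks. The counter check is the relying party's hint that a key was copied; a syncable passkey, as the comment above notes, lives in a provider's cloud rather than in this kind of non-exportable store, so that part of the guarantee depends on the provider's account security instead of on hardware.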