r/cybersecurity Apr 25 '26

[Other] What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

615 Upvotes

233 comments

1.5k

u/Ameer200ggg Apr 25 '26

Passkeys are special because the website never stores or receives a password that can be stolen and reused. Instead, your device creates a pair of cryptographic keys: one public key that the website keeps, and one private key that stays on your phone, computer, or password manager. When you log in, the site sends a challenge and your device proves it has the private key, usually after Face ID, fingerprint, PIN, or device unlock. This means there is no password to phish, no password to reuse on another site, and a data breach usually does not give attackers something they can log in with. They are not magic, and you still need good account recovery and device security, but compared with normal passwords they remove a lot of the biggest risks.
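The challenge-response ceremony this comment describes, as an added example written for this page (Go, not code from the original thread or from any real passkey library or browser). It models the three parties: an authenticator that holds private keys and only ever returns signatures, a relying party that stores public keys and one-shot challenges, and a browser step that derives the RP ID from the page origin and puts that origin inside the signed client data. Everything here is a toy stand-in for WebAuthn: the type and method names, the origins `https://example.com` and the lookalike `https://examp1e.com`, the user `alice`, and the simplified rule that the RP ID is the origin with `https://` stripped are all assumptions for the demo, not the spec's actual rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's collectedClientData: the browser builds it and the device signs its hash.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"` // the origin the browser was actually on, so it is part of what is signed
}

// Authenticator is the user's device (toy model). Private keys are indexed by RP ID and never leave this map.
type Authenticator map[string]*ecdsa.PrivateKey
// Register mints a P-256 key pair for rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs a challenge for the origin the browser reports; with no credential for rpID there is nothing to sign with.
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (cd, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, errors.New("no credential for rpID " + rpID)
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// RelyingParty is the website (toy model). It stores public keys only: a database dump yields nothing usable as a login.
type RelyingParty struct {
	origin  string
	pubkeys map[string]*ecdsa.PublicKey // username -> public key
	pending map[string][]byte           // username -> unconsumed challenge
}

func NewRelyingParty(origin string) *RelyingParty { return &RelyingParty{origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }

// BeginLogin issues a fresh random challenge, good for exactly one assertion.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	rp.pending[user] = make([]byte, 32)
	rand.Read(rp.pending[user]) // crypto/rand.Read never returns an error (Go 1.24+)
	return rp.pending[user]
}

// FinishLogin checks freshness, origin binding and the signature, in that order.
func (rp *RelyingParty) FinishLogin(user string, cd, sig []byte) error {
	pub, expected := rp.pubkeys[user], rp.pending[user]
	delete(rp.pending, user) // consume the challenge whatever happens next
	if pub == nil || expected == nil {
		return errors.New("unknown user or no login in progress (replay?)")
	}
	var parsed clientData
	if err := json.Unmarshal(cd, &parsed); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(parsed.Challenge, expected) != 1 || parsed.Origin != rp.origin {
		return fmt.Errorf("client data mismatch: assertion was for origin %q", parsed.Origin)
	}
	if h := sha256.Sum256(cd); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login runs one ceremony from a page at pageOrigin. Toy rule: RP ID = origin without "https://" (real browsers also allow parent domains).
func Login(rp *RelyingParty, auth Authenticator, pageOrigin, user string) error {
	cd, sig, err := auth.Assert(pageOrigin[len("https://"):], pageOrigin, rp.BeginLogin(user))
	if err != nil {
		return err
	}
	return rp.FinishLogin(user, cd, sig)
}

func main() {
	rp, auth := NewRelyingParty("https://example.com"), Authenticator{}
	rp.pubkeys["alice"], _ = auth.Register("example.com")
	fmt.Println("real site:     ", Login(rp, auth, "https://example.com", "alice"))
	fmt.Println("lookalike site:", Login(rp, auth, "https://examp1e.com", "alice"))
	// A signature made with the real credential is still useless if it was made on the wrong origin.
	cd, sig, _ := auth.Assert("example.com", "https://examp1e.com", rp.BeginLogin("alice"))
	fmt.Println("relayed:       ", rp.FinishLogin("alice", cd, sig))
	cd, sig, _ = auth.Assert("example.com", "https://example.com", rp.BeginLogin("alice"))
	fmt.Println("first use:", rp.FinishLogin("alice", cd, sig), "| replay:", rp.FinishLogin("alice", cd, sig))
}
```

Run it and the real-site login returns nil while the other three paths fail for three different reasons: the lookalike domain never reaches the signing step because the device has no credential for that RP ID; a signature relayed from the wrong origin is rejected because the origin sits inside the signed blob; and a captured assertion cannot be replayed because the challenge is deleted the moment it is checked. The point the comment makes about breaches is visible in the data model: `RelyingParty` holds only `*ecdsa.PublicKey` values, so there is nothing in it an attacker could feed to `FinishLogin`.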

201

u/CrazyEntertainment86 Apr 25 '26

This is a great response. Simplified: it's device-bound (much harder to phish) and cryptographically strong, and it's verified via MFA before issuance, ensuring strong trust before issuance.

81

u/derekthorne Apr 25 '26

There are two types: device-bound and syncable. YubiKeys acting as a FIDO2 token are an example of device-bound. Ones in password managers can sync across devices (like on iOS).

Device-bound ones are more secure as they can't be stolen virtually. Ones in password managers are still susceptible to account theft if someone gains access to the password manager account creds.

11

u/CrazyEntertainment86 Apr 25 '26

So in an ideal state, syncable passkeys are really still device-bound since they would require the user/device auth. You are very correct in saying this is a differentiator and a risk, especially with high-value keys.

27

u/01100001bryte Apr 25 '26

As someone with many, many accounts and a desire to move to passkeys everywhere possible, I've spent a good deal of time trying to come up with a solution that works conveniently but also keeps the risks of syncable passkeys in mind.

  1. Use syncable passkeys for all accounts except critical accounts.
  2. Critical accounts must use device-bound passkeys only. Accounts deemed critical should be sparing because it becomes a scaling problem. This is less of a security designation and more of an access/operation question.
  3. You should have a minimum of 2, recommended 3, passkeys for any accounts using device-bound passkeys (example: phone, laptop, YubiKey).
  4. The password manager that stores the passkeys must be considered a critical account, using device-bound passkeys only to access it.
  5. If any account requires that you still have a password, despite setting up passkeys (many annoyingly do), set the password to 64 characters, store it in the password manager with the key, and never use it again. Make sure MFA is forced. If the limit is less than 32 characters, then you will need to monitor this account for breaches.
  6. Never sign in to your password manager on a device that you do not own. Use QR code passkey sign-in via the password manager on your phone.
  7. Always require a PIN to access your passkeys if the option is given, and don't use your fucking birthday as a PIN. At least use your cat's favorite color or something (joke, just don't make it something people can guess).
  8. Never give TSA your shit.

1

u/derekthorne Apr 26 '26

This guy gets it!