I’ve avoided “passkeys” like the plague, but with Google [promising a password-less future](https://safety.google/authentication/passkey/) and Apple [forcefully moving people to passkeys going forward](https://developer.apple.com/videos/play/wwdc2024/10125/?time=258), I guess it’s time to figure out what they are.
I consider myself a tech person, but the more I hear about these *passkeys*, the less I understand. Apple’s [overview](https://developer.apple.com/passkeys/) says that they’ll be used “alongside” passwords, so I don’t get what’s being **replaced**, and why the hell we need them. Fido Alliance (the folks that apparently invented the damn thing) says that [passwords are a problem](https://fidoalliance.org/passkeys/), but reading this, it doesn’t seem like it’s **my** problem they talk about.
What I **do** understand though, is that one day I’ve had someone walk into my hotel room in Poland, and walk out with my laptop and cell phone while I was asleep^1.
**So, overnight, I ended up without access to any of my devices or phone number abroad**.
Luckily, because I was still in the password-ful past, I could log into my email and Skype from hotel’s computer, and let my wife know that I need some help.
what this scenario wood look like in the future when everything gets switched to passkeys.
____
^(**[1]:**) ^(I have forgotten to lock the door – learn from my mistake. To Krakow police’s credit, they *actually caught the thief* several months later.)
In: Technology
A passkey is an encrypted file that serves as your credentials.
The problem is: users get hacked all the time because they have bad password discipline. The vast majority of hacked accounts are from phishing and social engineering, and people reuse passwords so a minor compromise can turn into a big deal.
The solution: make your login info something that you can’t give away. You literally can’t give a hacker or scammer your passkey.
Password fallback is the necessary solution to losing the device storing your passkeys. But you don’t have to make your password memorable or actively use or manage it, write it down and store it somewhere safe, and never touch it unless you lose your phone. Greatly reduces the attack vector.
Stolen phone can’t be used for passkeys unless you keep it unlocked, and even if you do you can still track and disable it remotely if they actually try to use it.
>ELI5 what this scenario wood look like in the future when everything gets switched to passkeys.
If you lose your passkey you do exactly what you did and use a password as a backup
The difference is that your backup password can be complex and stored somewhere safe in case you need it and you use your passkey for everyday authentication (which is much more secure than a password) . The password is never entered into sites until you need it so it can’t be captured by a keylogger or phished from you
If only a password is used, most people would use something easy to remember, or even worse, reuse the same password .
Almost all “hacks” are people being phished for their credentials by clicking a link to login (much harder to capture the login details with a passkey) or their reused password is in a data breach for a site somewhere so all other logins are compromised
A passkey is a complicated password that’s generated on your phone and shared to the website when you authenticate yourself to it (the phone, that is). A regular password has to be remembered by humans and is thus easy to guess. A passkey, on the other hand, is remembered by your device (a small computer) and is thus much more secure. With fingerprint and face detection used on the device, it’s vastly more secure than a regular password, assuming you don’t lock your phone with a four-digit code.
What is unclear to me is if you’re already using a password manager like 1Password and (at least everywhere that allows this) use an incredibly long and complex password that is unique for each place a password is used… how is a passkey any more secure? I understand if you’re the kind of person that uses “password1” as your password to everything you use that passkeys are an enormous upgrade, but if you already have very good password opsec what is the net benefit?
A passkey is basically an automated login method, where instead of a password, your computer stores a very long, very hard to guess number, and on a login attempt, it solves a puzzle that demonstrates that it knows that very long number. Your computer is supposed to only do this after verifying that the website’s domain is correct, which prevents phishing, and also only after doing some check such as Face ID demonstrating that you are the actual owner, preventing a thief from walking off with your passkey.
They, by design, cannot be keylogged/phished and users don’t have to worry about setting or managing secure passwords.
Passkeys take 2 forms: they can either be a physical USB key (Google “Yubikey” for an example) or they can be stored in a password manager.
If your passkey is a physical USB key, you are supposed to have a backup mechanism stored somewhere (normally a second passkey you keep safe at home or in a password manager, so if you lose your primary one you have a way to recover). If your passkey is in a password manager, then every password manager has its own way to help you recover. For example, Apple lets you set recovery contacts, so you can set your wife as your recovery contact and should you get locked out of your account, your wife can generate a code to allow you to get back in.
All security is a series of trade-offs. Ease of use, cost, likelihood of attacks succeeding, etc. – and further sub-trade-offs in terms of which scenarios have which set of optimizations.
To directly answer your question: in the future version of that scenario, you log into your primary account (e.g. Google account, Apple account) from another device. If you have multiple devices on hand, this is easy. If not, it might be harder than it is right now. You might have to go through a special verification / account recovery process.
In eli5 terms – passkeys reduce the risk of *digital* crime or accidents across multiple vectors, while increasing the risk of *physical* crime or accidents across some vectors.
This is widely considered a good trade-off right now because the average person is subject to digital risk at a much greater rate than physical risk.
Passkeys are similar to passwords in that they are a secret thing that you have, which is supposed to provide access to your accounts. There are some differences though:
* The Passkey is accessed by typing in the login for the user account on the computer (or with biometrics), not by any webservice-specific login. This means that the user only has to remember one strong password, without taking on the massive security risk of using the same password everywhere.
* Seamless two-factor authentication is built in, without any additional step. Because only your computer has the Passkey stored to be decrypted by a TPM or similar technology when you type your password, the login can only be made from your devices. You need both your device and your password/biometrics to log in, but the process in seamless in that the two-factor confirmation does not require a separate interaction.
* Due to some clever use of public/private key cryptography, websites do not even have sufficient information to leak your Passkey, so that others can gain access. They only have enough to make queries that confirm that yours is real. This means that the risk of websites with improper password security is gone.
As for how you’d recover if your devices gets stolen, it really depends on what your backup strategy is. The big three in operating systems (Google, Apple, Microsoft) are all happy to do a cloud backup of your Passkeys by default, so most users would just need to use the traditional recovery options for those accounts, but if you opt out of that or use Linux, then the decrypted passkeys can just be treated as any other file when you make a backup strategy.
For a self-declared tech person, your willingness/ability to read simple facts properly seems to be limited, so this is probably the right sub.
I’m saying this because the first or second result from Google search about FIDO2 will tell you your assumption is just plain wrong, that is compounded with highly dismissive tone of your question.
PassKey is a 2FA by nature, when you lost your laptop/phone (what you have) no one can use your passkey unless they know your PIN (what you know) or access to your biometrics (what you are).
Also PassKey is not limited to your nice shiny Apple devices, there is in fact cross platform hardware authenticator like Yubikey, in form of USB stick , and password manager app, like Bitwarden can also store your Passkey.
Password is a problem for almost everyone, even if you pretend you’re immune. One usual thing is Phishing, where fake website asks you to enter, well, password. PassKey solves this because it verify with cryptography that the website is real before you can use passkey with it.
Second is of course password reuse, one leak then it can be used to login to other services. Passkey solve this by issuing new credential on every registration,.
Third is the use of 2FA, complex password is secure only as long as it is not leaked, so complex password should be combined with a 2FA. People usually skip using 2FA that is separate to password because it is inconvenient (too bothersome to use Google authenticator, or to setup security key).
By the way the fact you are “passwordful” enough to be able to Skype your wife usually a good indicator that you reuse your password and/or your password is as easy it is to remember as it is to crack.
In addition, also the fact you can just Skype with your phone being stolen indicates you have no 2FA active.
So not only you can _easily_, login to your Skype and talk with your wife, a skilled hacker can also so do 😉
You have a security problem. Passkey can help you solve that by not requiring you to remember complex password and setting a separate 2FA.
a lot of close answers, but not ELI5…
consider your credit card (the chip and pin card), the card itself donesnot contain any information about the account, but an encrypted reference to where it should be found. when you enter your pin, this reference is decrypted and your actual account is then located to be used. This way even if your card gets stolen, the stealer cannot get any useful information from the card itself. you need both pieces of information (the card and the pin) to make it useful.
passkeys do the same function:
the issuer (apple or google or something else) stores your “actual credentials”. these are your “identities” in a encrypted format. the issuer ,in perfect world, should not have any way of decrypting this information by themselves. your biometric/pin/password is the only way to decrypt this information. The identity contains the username and passwords (usually system generated)
every time i want to login to a website, i use my biometrics to get back this credential from the issuer (there is complex tokenisation and access management process but i wont go into that for sake of ELI5).
I use “master” password only to log into new devices and register it with the issuer. which i keep in a safe.
This means, that i cannot provide a “hacker” with a password to a website because i dont know what that password is (thus removing that attack vector).
If the issuer gets hacked , the encrypted credentials is useless without a way to decode it (this removing this attack vector as well).
physical seperation of the biometrics and the encrypted file itself means that a hacker will find it difficult to get both pieces of information quickly, and this discourage all but “very high value” attacks.
Hopefully, this helps?
Latest Answers