Saw this [article from The Verge](https://www.theverge.com/2022/8/31/23329373/dashlane-passkeys-password-manager?fbclid=IwAR2osU0FeCEN-NeEM1Mj6NJc2XLhWLbtsntT30hq7eqglghWh-k7iH6Wn94) that is very hyped about it. But it seems like a token is stored on a device, and presumably someone could steal the device and have the same benefits of having all your passwords. I don’t understand how having no passwords makes anyone’s data safer.
These methods use public-private key cryptography.
These methods are commonly used for encrypting data. Basically, you have a number (called the public key) that anyone can use to encrypt a message. You also have another number (the private key) that you need to decrypt any message encrypted using your public key. You can give the public key out to anyone to send you encrypted messages with, but only you (with your private key) can decrypt them.
Passkeys use this principle for authentication. You give someone your public key. They encrypt a message and ask you to decode it. If you can decode the message they encrypted using your public key, you’ve proved you’re you.
This is different from a password because, with a password, both you and the person authenticating you need to know the “secret” information (your password). Piggybacking on public key cryptography means that only you need to have “secret” information (your private key).
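An added example, not posted by anyone in the thread, of the public-key challenge-response the answer above describes, written the way FIDO2/WebAuthn does it: the device signs the server's random challenge with an ECDSA private key that never leaves it, and the server checks the signature with the public key it stored at registration. The `rpID|challenge` hashing is a simplification of WebAuthn's client data, and the domain names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedData binds the server's challenge to the site (relying party ID) the
// browser actually talked to; simplified from WebAuthn's clientData hash.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Register runs on the device: fresh key pair per site, public key to server.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// NewChallenge runs on the server: 32 random bytes, used once.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond runs on the device: sign for the site the browser says it is on.
func Respond(priv *ecdsa.PrivateKey, rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// Verify runs on the server, using only the stored public key and its own RP ID.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}

func main() {
	priv, pub, _ := Register()
	ch, _ := NewChallenge()
	sig, _ := Respond(priv, "bank.example", ch)
	phished, _ := Respond(priv, "dank-of-america.xyz", ch) // constructed look-alike domain
	fmt.Println("real site:", Verify(pub, "bank.example", ch, sig), "look-alike:", Verify(pub, "bank.example", ch, phished))
}
```

Because the server holds only the public key, a leaked server database yields nothing to log in with, and a response signed for the look-alike domain does not verify at the real site.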
Most passwords are gotten from either:
* phishing, so sending out fake links, hoping you input your name and password into the “dank of america dot xyz”
* or buying them from leaks (shitty webserver has shitty security, hackers steal millions of username/password (hash) combos, and chances are they will be using the same password everywhere, may as well try them).
None of these methods work with a physical device.
Information security manager here. It’s due to one simple fact. People can’t write down passwordless authentication. People can’t text it to someone or email it either. People don’t have to come up with their own secure version of it. This addresses MANY of the primary security issues with passwords.
Someone can steal your device, yes. However, the device can’t be duplicated, so you notice it’s missing pretty quick, and can use a backup access method to revoke the key.
Additionally the devices should have a short pin that is required to use the key, and will lock itself permanently after a few bad guesses which mitigates the risk of a stolen key being successfully used.
For the record, unless your hard drives are fully encrypted, if a hacker has your physical device, you can basically consider it gone. At that point there is very little to nothing you can do without pretty hardcore security features that 99% of the public won’t use.
When the device is just a rotating token generator, you don’t have to worry too much because once the device is marked as stolen, those tokens won’t work anymore. Just like how if your credit card gets stolen, you can cancel it and not have to worry.
* People are bad at passwords but are good at not giving strangers their phone.
* In a perfect world passwords would work really well, but lots of research has shown that people just won’t use passwords properly.
* Also consider how most people get their accounts hacked… it’s people far away who can interact with them remotely either through an email scam, or social media, or just hacking a website where they have an account.
* Those same people are not sneaking into people’s houses at night and stealing their phone off the bedside table.