Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
And there is the problem I have with passkeys. With a password it is me authenticating to the service I’m using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that’s part of using the tech).
With passkeys you’ve got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you’re now relying on to keep your data safe. I get that for people whose password is “password123” or who aren’t savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.
To my point, later in the article:
What’s that now? The weak point is the user’s ability to implement MFA and biometrics? The same users who couldn’t be bothered to create different passwords for different sites? You see how we’ve just inserted another layer into the authentication process without solving for the major weakness?
With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab – snake oil for companies to get their tentacles tighter around your digital existence.
Happy to be proven wrong.
Passkeys can’t be phished.
That’s the main point.
Phishing is a reeeeal pain. And something that needs to be solved. Not through training but with technology.