I love passkeys so much

I am unreasonably excited about passkeys, I’ve long been looking for a better/more convenient way than passwords to do authentication, and I think passkeys are finally it.

However, whenever I see passkeys mentioned (for example on the recent Tailscale post about them), there are always a lot of misconceptions that surface in the debate. I’d like to clear some of them here, and hopefully explain a bit better what passkeys are.

A bit of backstory

Passkeys are a user-friendly name for, and an implementation of, WebAuthn, which in turn is part of the FIDO2 project. All of that is basically a way of saying that passkeys are an open standard, developed by a consortium of companies that want to make authentication more secure and more usable. My personal opinion is that passkeys are a great solution to that problem, and that’s why I’m so excited about them.

At their core, passkeys are just a way for a website to ask your browser for authentication. That’s it: they aren’t tied to a specific piece of hardware, or to a specific way for that hardware to work. I’ll expand on this further on.

I want to lay out some common misconceptions about passkeys that I’ve been seeing, and why they’re not accurate. If I’ve made a mistake somewhere, or have an inaccuracy, please let me know.

They’re proprietary/owned by Google/Apple/Microsoft

Obligatory random borderline-relevant MidJourney image.

Passkeys are an open standard. They aren’t tied to a single company, and don’t rely on a single company’s implementation. I’ve implemented passkeys on my sites for a while now, and I didn’t need anyone’s permission to do so.

Likewise, I have lots of passkeys-compatible physical devices (USB keys, phone, laptop, etc.), and they didn’t have to get any company’s permission to implement that standard either.

In fact, if you want, you can write your own passkeys-authenticating device, with whatever security parameters you want to use, and it will work on all passkeys-supporting sites.

They require connectivity

Passkeys are strictly offline. They don’t require an internet connection, a phone, SMS, or anything else. Obviously, you need an internet connection if you’re authenticating to a site (so you can talk to the site itself), but the authentication itself doesn’t need any kind of connectivity.

They’re hardware-backed

They can be hardware-backed, but they don’t have to be. Using a hardware key as your passkeys authenticator is the most secure option, as the private key cannot be extracted from the device, but it is less convenient than the alternatives (e.g. you can’t back it up).

The passkeys standard (WebAuthn) doesn’t mandate what you can use; it’s just a way to request some credentials. You can use your Apple device’s Face ID, or your phone’s secure chip, or just your password manager, to hold your passkeys, and it will work with every compatible site.

If someone steals my USB key, they get access to everything

The passkeys standard doesn’t mandate how a USB key protects the keys it holds. YubiKeys use a PIN that wipes the key after ten wrong attempts, so someone stealing your USB key will still need to know the PIN, or have ten tries to guess it.

That makes it very unlikely that someone can authenticate as you, and it’s certainly much harder to steal a physical USB key from someone than to just find out/steal their password.

They can’t be shared/backed up

Please stop staring at my hands, I'm just the gatekeeper.

That depends on what you choose to use as your authenticator. If you use a password manager, or some other software-based authenticator, there’s no reason why they can’t be shared/backed up. Keep in mind that making the keys readable reduces security (e.g. someone might steal your backup, and then they can log in everywhere), but that’s a choice you will need to make for yourself. Passkeys don’t enforce anything one way or the other.

Passkeys are less secure than X

Passkeys are at least as secure as anything else we’ve had, in the sense that the standard has taken care to make the protocol as secure as possible, against as many attacks as possible. Your authenticator can be as secure as you like: more secure than anything (in the case of hardware authenticators) or less secure than anything (in the case where you write your private key on a Post-it note stuck to your screen).

Passkeys don’t enforce anything one way or the other, it’s up to you to make your personal tradeoffs regarding your authenticator device.

And yes, you can literally write your passkeys private key down on a Post-it note and stick it to your screen. It’ll still work, if your authenticator supports it and you don’t mind typing the long key in every time.

I can’t recover the keys if I lose the hardware

Who knows what this is? Looks cool, though.

That is a risk you’ll need to take if you’re using hardware authenticators. The fact that the key isn’t copyable means you only have one of it, so you should probably be enrolling multiple hardware authenticators on each account, or just switching to a software authenticator if you don’t mind the decreased security.

Passkeys don’t care one way or the other, it’s up to you what security/usability tradeoffs you make. Passkeys are flexible enough to support either.

They require extra software, passwords don’t

Do you not use a password manager?

They’re more complicated than passwords

This one is actually true: passwords are very simple to use. However, the increased complexity comes with orders of magnitude more security. Essentially, passkeys are two authentication factors in one.

They can’t be phished, they can’t be lost in website breaches, they can’t be compromised by someone reading your network requests, and an attacker can’t make a fake website and use it to steal your credentials. If you care about your security, and don’t just want something like “password123” that you can remember easily, passkeys are a no-brainer.

What about attestation?

Attestation is a way for a website to check what kind of authenticator created a credential, and so to mandate that you can only authenticate to it with authenticators of a specific brand. It’s useful for, say, companies that want to restrict their employees to logging in with a specific, company-vetted brand of device.

There are some concerns that websites will restrict authentication to specific brands of authenticators, but I don’t think that will happen for the same reason that we don’t see sites that don’t let you visit them in a browser other than Chrome. It’s just not good business to be restricting your customers’ options for no benefit to you.

Epilogue

I hope that’s cleared up some of the questions you had around passkeys, and shown you why they’re a much better idea for security than the traditional password/2FA authentication we’ve been using so far.

If you’ve noticed anything wrong, or have any input on the above, please Tweet or toot at me, or email me directly.