Seven Misunderstandings About Passkeys

Nick Hodges
November 16, 2022

Rightfully Resistant to Change

Password management is a thing that many people feel very strongly about.  Many folks don’t like passwords and hope for a better way.  But other folks have a solid system built around their password security and are rightfully very skeptical of systems that claim to improve on what they have.  They have good reasons for liking their current setup and are hesitant to change what works for them.  That’s wise.

Passkeys Enter the Picture

Thus many people are skeptical of passkeys, the new protocol from the FIDO Alliance that purports to drastically improve the safety, security, and user experience of logging in to websites and mobile applications.

Passkeys have been officially announced by Apple and put into developer builds for Chrome and Android by Google.  Microsoft is preparing its version as well.  The reason that these three companies are critical to adoption is that they represent the vast majority of devices, computers, browsers, and operating systems.  If these three all agree on something, then there is probably something to it.

I Read the Comments

Since both Apple and Google have announced support for passkeys, there have been many articles describing passkeys, how they work, and how the tech giants will support them.  Many have been informative, but a few have been, well, confusing.

It is said that you should never read the comments, but I have been.  And to say there is some confusion, trepidation, and misconceptions about passkeys is a bit of an understatement.

I’ve written about why we need passkeys, how they work, and why they are a better solution than passwords.  To continue that theme, I’m going to write about a few of the misconceptions I see out there about passkeys.

“Will there still be a password somewhere?”

People seem to think that there will still be a password backing things up somewhere in the system.  Some say this because they hope it is true as a recovery method, but others are concerned that it is true, recognizing that it wouldn’t really improve the situation.

The WebAuthn protocol does not — and should not — require the use of passwords anywhere in the system.  It should not because requiring a password would defeat the purpose and cause the system to continue to be “phishable” and thus no more secure than what we have today.  There is no password backup because it isn’t necessary.

Now it may be that as websites and applications migrate to passwordless and passkey-based solutions, they may maintain password authentication. Still, it isn’t required, and it is expected that passwords will eventually go away completely.

“Is Bluetooth required to log in?”

Some articles mistakenly implied that a Bluetooth connection was required to complete a passkey login.

This is not true. While Bluetooth plays a role in securing the transfer of passkeys between the major tech companies’ ecosystems, it is not required for the simple process of logging in.  Your phone doesn’t have to be in Bluetooth range to log in on your computer.  Your phone does have to be in range if you want to transfer passkeys to or from another device — and this is a security feature.

“I can register my device once, and it will log me in everywhere.”

Some folks have concluded that you can register your phone or computer with Apple, Microsoft, or Google, and it will work everywhere.  This led to questions like “What happens when I go to a website that asks me for my password?”  It would be nice if it worked that way. However, each website has to implement passwordless technology on its own, and you, as a user, will have to register an account with each site or mobile application just as you do today.

“If a bad guy gets my phone, will they have access to all of my accounts?”

Actually, if a bad actor gets your phone, it is pretty much impossible for them to get much of anything. First, they won’t have your biometric information and thus won’t even be able to unlock your phone.  Second, all the secret passkey information is stored in a Trusted Platform Module, specifically designed to hold your passkey secrets in such a way that it is virtually impenetrable.  (Okay, maybe the NSA or similar organizations might be able to get into it, but I can’t say for sure…)

So you can rest assured that your phone will not cough up your login information to even the most sophisticated hacker.

“If I don’t have my phone, am I out of luck?”

People are concerned that if they don’t have their phone while at a friend’s house or a library computer, they won’t be able to log in.

The passkey protocol doesn’t address this situation, but most vendors will — and should — provide a second secure option for logging in.  Usually, this is a “magic link” — a one-use, expiring link that logs you in — sent to your email address.  Only you have access to your email, so the link will securely log you into any computer worldwide.

“If I lose my phone, am I out of luck?”

This is partially true.  Sort of.

One of the benefits of passkeys is that they are promised to be shared across devices within the given ecosystem of each of the big tech companies. This means that if you lose your phone, your passkeys are securely stored (via end-to-end encryption) in the cloud.  They can be restored when you get a new phone.

However, you can choose not to share your passkeys into the cloud, and if you do that and you only have one device, then yes, the passkeys will be lost, and you’ll have to re-register with every site you visit.

The normal use case here is that users decide to share their passkeys across their devices via the cloud (in a securely encrypted manner), and thus replacing a phone is not an issue.

“What if my biometrics are compromised?”

Some folks seem concerned that they can’t change their biometrics if they were to be compromised. (You can change your password, but you can’t change your fingerprint…)

These folks are right — you can’t change your biometrics.  However, it is not clear what it means exactly for them to be compromised.  Your biometric data never leaves your phone.  It is converted to a mathematical hash value and encrypted with a key stored in the TPM.  Only your phone with your fingerprint can get the key and verify your fingerprint. Your biometric data can’t be stored and decrypted anywhere except on your phone.

Almost Too Good to be True?

I’m not going to say that passkeys are too good to be true, but I will say that they are a huge step forward in authentication security.  If the threat surface of passwords is a vast lake, then the threat surface of passkeys is a small puddle after a short downpour.  While no system should be considered impregnable, no one seems to be able to conceive of a way passkeys can be compromised short of quantum computing breaking current encryption schemes.

There are a few corner cases where they might not be acceptable to some people.  For instance, biometrics are not protected by America’s Fourth Amendment, but a password is.  Another thing to consider is that while Google/Apple/Microsoft won’t ever be able to read your credentials, there is concern that these companies will be able to track the places you register an account.  This is why third-party companies like 1Password are looking at ways to provide the passkey storage and transfer service.

Bottom Line: For the overwhelming majority, passkeys are safe, convenient, and work great.  While I understand the hesitancy to change things up, this is an instance when change is a win for everyone.