PASSKEYS

Albert Einstein – “If you can’t explain it to a 6-year-old, you don’t understand it yourself.”

I have been interested in Passkeys, but I haven’t yet used them as I don’t fully understand the system. Moreover, when I search online, the explanations are as clear as mud. This lack of clarity suggests a lack of complete understanding – as per Albert Einstein. YES – I admit that I am not as smart as a 6-year-old!

From what I can understand, Passkeys seem as though they are confined to an individual device and, if you want to use the system on multiple devices, you have to set up a per-device Passkey.

But I stress, I do not fully understand it.

My very limited understanding:

A passkey is a public/private key cryptographic system that is stored on your computer/device and is used instead of a username/password to sign into various web sites. In other words, code that identifies the device and, since you have signed into that device, you.
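To show the public/private key idea above in working code, here is an added example (not from this post or the video it links): a stripped-down, WebAuthn-style registration and sign-in, with assumed names (Authenticator, RelyingParty) and a constructed site ID, leaving out the real protocol's attestation and counters. It also goes one step beyond the paragraph by binding each signature to the site the key was created for, which is why a passkey cannot be used on a look-alike site.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the device side of a passkey: the private key never leaves it.
type Authenticator struct {
	rpID string // site (relying party) this key was created for
	priv *ecdsa.PrivateKey
}
// RelyingParty is the website side: it stores only public keys, one per user.
type RelyingParty struct {
	id   string
	keys map[string]*ecdsa.PublicKey
}
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, keys: map[string]*ecdsa.PublicKey{}}
}
// Register creates a fresh P-256 key pair on the device; the site keeps only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.keys[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.id, priv: priv}, nil
}
// Challenge issues 32 fresh random bytes, so a captured old signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// signedData binds the challenge to the site ID: a signature made for one site is useless to another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Sign answers a challenge for the site this passkey was registered with.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(a.rpID, challenge))
}
// Verify checks a response against the user's stored public key and this site's ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.id, challenge), sig)
}
```

The site never learns the private key, so a breach of its database yields nothing that can be replayed as a login, which is the sense in which this is stronger than a stored password.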

The passkey is said to be more secure than a password even when the password is combined with 2FA.

The thing that is putting me off using Passkeys is that the system seems to be confined to a single device/computer that contains the private key. If you want to use it on different devices, you need to set up a new Passkey for that device. You do this by the usual sign-in with a password and/or use your phone (using the camera to take an image of a QR code) and/or authorisation on the first device to confirm your identity. There are advances being made to address this issue, e.g. using a device like a YubiKey or a Password Manager.

This YouTube video contains a far better explanation and details how Public Key Encryption works. He also confirms that the Passkey is linked to a specific device (10-minute mark) and that you need to set up device specific Passkeys:

https://www.youtube.com/watch?v=6lBixL_qpro

More and more sites are accepting Passkeys and the big Tech companies (Google/Apple/Microsoft etc) are supporting the system. Clearer explanations are starting to become available, but I still have gaps in my understanding.

My Password Manager is now said to support Passkeys. However, I am not sure whether the Password Manager stores the private/public code or if it is still stored on the device.

I still have many questions. I don’t want to commit to Passkeys and then find out that I have issues using another computer.

My Password Manager has taken the pain out of long and unique passwords and I want to avoid it being like when I sign into iCloud on my Windows computer and the sign-in requires both a code sent to my iPhone and a tap to “allow” also on my iPhone.

If you have not cancelled password sign-in (and without this, the advantages of Passkeys are largely negated), what is the point? The only way I can see is if you store the private key on, say, a YubiKey or a Password Manager.

I just don’t know. I did think of starting with Password Manager sign-in on one of my computers. BUT, if I do this, and someone borrows or even steals the computer and knows my PIN then the point of having a 30+ character Password Manager sign-in password is negated. My Surface Pro has Windows Hello face recognition but if that fails, the PIN will get you in.

There may also be potential issues when you upgrade a device. I have authenticator apps on my iPhone. In the past, when I upgraded my phone, I had to be sure to keep the old phone until I had transferred the login 2FA to the same app on the new phone.

However, I note that when I last upgraded to the latest iPhone, I did not have to do this. I want any problems like these to be sorted out before I make the move. I don’t remember the aforementioned authenticator app issue being talked about when we were being encouraged to use authenticator apps instead of SMS for 2FA.

I will wait.