PASSKEYS – Windows Weekly Ep 944

Refer to previous posts.

Just when I almost weakened and set up a passkey for at least one account (Google), I heard this on Windows Weekly Ep 944: https://www.youtube.com/watch?v=KcvuD36zQbo

At about 1 hour 54 minutes (the start of a roughly 10-minute section on authenticator apps). Towards the end of the segment they talk about ongoing problems with passkeys even when they are stored in your password manager. When I am sure that all the issues have been sorted out, I will consider it.

Passkeys – Still Hesitant

Refer to previous posts.

I have been keeping an eye on passkeys and, even though you can use most password managers for passkeys, there are still questions remaining, mainly about agreed-upon standards.

In particular, there are problems with issues like migration and syncing between devices and services.

As stated previously, my password manager affords an easy solution for long and unique passwords and, combined with 2FA, provides sufficient security for my needs.

Password manager support for passkeys negates the concerns about per-device isolation and the ease with which you can log into a particular device using a four-digit PIN. But problems with standards for migration between password managers and for syncing remain troublesome. I am still considering passkeys but will continue to wait until all the bugs are resolved.

PASSKEYS UPDATE No 1 – A Shattered Dream

The podcast Security Now No 972 contains important information about passkeys.

It is interesting to note that the host, Steve Gibson, does not use passkeys. (At about one hour 57 minutes into the podcast on YouTube – see the following link.)

This is the YouTube video of the podcast: https://www.youtube.com/watch?v=fSNcUKphUtw&list=PLdPwyUeH0mS566Y0YZ7oAGghzMgRlWTBf

The part about passkeys starts at about one hour 19 minutes and continues until the end.

The latest William Brown blog post referred to can be found here: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

Although it appears that you can store the passkey in a password manager such as Bitwarden, there are other issues apart from the ones I was concerned about (see https://whysun.com/computers-and-the-internet/passkeys/ ).

I am glad I decided to wait.

PASSKEYS

Albert Einstein – “If you can’t explain it to a 6-year-old, you don’t understand it yourself.”

I have been interested in passkeys, but I haven’t yet used them as I don’t fully understand the system. Moreover, when I search online, the explanations are as clear as mud. This lack of clarity suggests a lack of complete understanding, as per Albert Einstein. YES – I admit that I am not as smart as a 6-year-old!

From what I can understand, passkeys seem to be confined to an individual device and, if you want to use the system on multiple devices, you have to set up a per-device passkey.

But I stress, I do not fully understand it.

My very limited understanding:

A passkey is a public/private key pair created for one account on one website and stored on your computer/device (or in your password manager), used instead of a username/password to sign in. The website keeps only the public key. When you sign in, the site sends a random challenge, your device signs it with the private key after you unlock the device (PIN, fingerprint or face), and the site checks the signature with the public key it stored. So, rather than identifying the device as such, the passkey proves that whoever is signing in holds that private key and has unlocked the device that holds it.

The passkey is said to be more secure than a password even when the password is combined with 2FA: the private key never leaves your device, so a breach of the website leaks nothing reusable, and the signature is tied to the website’s own domain, so a look-alike phishing site cannot obtain a valid sign-in.

The thing that is putting me off using passkeys is that the system seems to be confined to a single device/computer that contains the private key. If you want to use it on a different device, you need to set up a new passkey for that device. You do this by the usual sign-in with a password, and/or by using your phone (scanning a QR code with the camera), and/or by authorising on the first device to confirm your identity. Advances are being made to address this issue, e.g. using a device like a YubiKey or a password manager.

This YouTube video contains a far better explanation and details how public key encryption works. He also confirms that the passkey is linked to a specific device (10-minute mark) and that you need to set up device-specific passkeys:

https://www.youtube.com/watch?v=6lBixL_qpro

More and more sites are accepting passkeys, and the big tech companies (Google, Apple, Microsoft etc.) are supporting the system. Clearer explanations are starting to become available, but I still have gaps in my understanding.

My password manager is now said to support passkeys. However, I am not sure whether the password manager stores the private/public key pair or whether it is still stored on the device.

I still have many questions. I don’t want to commit to passkeys and then find out that I have issues using another computer.

My password manager has taken the pain out of long and unique passwords, and I want to avoid it being like when I sign into iCloud on my Windows computer, where the sign-in requires both a code sent to my iPhone and a tap to “allow”, also on my iPhone.

If you have not cancelled password sign-in (and without this, the advantages of passkeys are largely negated), what is the point? The only way I can see is if you store the private key on, say, a YubiKey or in a password manager.

I just don’t know. I did think of starting with password manager sign-in on one of my computers. BUT, if I do this, and someone borrows or even steals the computer and knows my PIN, then the point of having a 30+ character password manager sign-in password is negated. My Surface Pro has Windows Hello face recognition, but if that fails, the PIN will get you in.

There may also be potential issues when you upgrade a device. I have authenticator apps on my iPhone. In the past, when I upgraded my phone, I had to be sure to keep the old phone until I had transferred the 2FA logins to the same app on the new phone.

However, I note that when I last upgraded to the latest iPhone, I did not have to do this. I want problems like these to be sorted out before I make the move. I don’t remember the aforementioned authenticator app issue being talked about when we were being encouraged to use authenticator apps instead of SMS for 2FA.

I will wait.