It might feel like it, but no.
Passkeys continue to confuse people, and I get it. It’s a difficult concept, and it’s about something we all know is super important: our online security.
Using passkeys can kinda sorta feel like two-factor authentication, but they aren’t. Not really. That’s important to understand, so you’ll have the level of security you want and expect.
Let’s run the scenarios to clarify it.
Become a Patron of Ask Leo! and go ad-free!
Passkeys and two-factor authentication
Passkeys enhance security but are not two-factor authentication (2FA). They replace passwords. Subsequent sign-ins require only the device’s unlock method. 2FA might still apply when using a new device or when required by the account, but passkeys themselves aren’t a two-factor mechanism.
Traditional two-factor
Two-factor authentication consists of something you know, like your password, and something you have, like your mobile phone or other 2FA device.
Once 2FA is set up, the first time you sign in on a device, you need to:
- Provide the username and password.
- Prove that you have your second factor, typically by entering a random code provided only on the two-factor device you set up.
The second and subsequent times you sign in on that same device1, you only need to:
- Provide the username and password.
The added security? Since hackers don’t have access to your second factor, they can’t make it past that first step even if they know your password.
Basic passkeys
Passkeys are tokens securely placed and kept on your device that indicate you are authorized to access a certain site. They’re secured by the security of your device.
The first time you sign in on a device, the passkey isn’t yet set up, so you need to sign in some other way. Those “other ways” are typically less convenient, but they jumpstart the process. They might include:
- Responding to a text message sent to the phone number associated with the account
- Entering a code sent to an email address associated with the account
- Entering a code displayed by a two-factor device associated with the account
- If the account still has a password, signing in with a traditional username and password
If the account has two-factor authentication enabled, you may also need to provide that besides one of the listed items, just as with a traditional sign-in.
Once signed in, you can set up a passkey on that device.
After a passkey has been set up, when you want to sign in on that same device, you only need to:
- Unlock the device.
That’s it. Even if the device is not currently locked, the unlock mechanism confirms you’re not someone who has stolen or otherwise gained access to the device.
Unlocking the device could mean:
- Entering that device’s password (unrelated to the password for the account you’re signing into).
- Entering the PIN you set up on that device.
- Passing a biometric confirmation (face or fingerprint) on that device.
- Using some kind of hardware key.
The bottom line here is that you’re unlocking the device, not the account. The device, then, contains the passkey confirming you’re authorized to access the online account you’re signing in to.
Count the factors
With traditional two-factor authentication, we provide two factors the first time we sign in on a device and a single factor thereafter.
With passkeys, we signed in to a new device with a single factor the first time. After setting up the passkey on that device, subsequent sign-ins on that device require only a single factor: the device’s unlock code.
The only time a second factor might be involved is if the account has a two-factor requirement, and then it’s only involved when you sign in using a device without an existing passkey.
The passkey itself is not involved in two-factor authentication, nor is it two-factor authentication.
Do this
There’s no rush, but I advise you to become familiar with passkeys. As confusing as they may seem, they are more secure than our current password-based systems. Once an account goes passwordless and uses passkeys as the primary sign-in mechanism, there’s no password for hackers to steal. That’s huge.
I’m sure I’ll be writing more about passkeys and related security issues in the future. Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: Or, if this is a browser-based sign-in, after you clear cookies.
“The second and subsequent times you sign in on that same device, you only need to:
Provide the username and password.”
Usually true, but I run into a lot of poorly designed websites where the cookie expires after a month and you have to confirm the second factor every month.
My university faculty account use Duo for 2FA. It requires me to verify myself every single time I log in to any university service.
AFAIK, I’ve set up passwordless authentication (passkey?) on my Microsoft account, and I’d already had 2FA enabled on it. Now, when I install a new GNU/Linux distribution, or reinstall Windows, I have to provide my live account username,
password, and second factor when signing in to my account for the first time. Then, after creating a pin, and setting up my biometric fingerprint scanner, all I have to do to access Windows, is either enter my pin, or swipe my finger over the scanner face. After getting signed in to Windows, I can go to my Microsoft account page on the Internet without any additional security checks (My passkey takes care of all that, right?).
If I have anything wrong here, please reply,
Ernie
“I have to provide my live account username, password, and second factor”
Then that’s not passwordless. True passwordless means there is no password at all. I’ve got my MS account configured that way.
And passwordless is not passkey. You can have either or both.
O.K., I think that’s what I do when setting up Thunderbird. I don’t remember what I have to do when setting up Windows, but I think that’s a bit different. I should have been clearer on that. I suspect the password entry is only required for Thunderbird (I haven’t tried setting it up without a password for my Outlook email account yet.).
Ernie (Oldster)
Leo, thank you for more details about passkeys. It appears to me that passkeys for login to an account do not make the account more secure, they just make the actions I need to take to login more simple.
1. Passkeys make logging in on wifi more secure as no ID/password info is transmitted that could be intercepted. More secure.
2. Passkeys do NOT prevent a hacker from guessing my password to gain access to my account. Same as before adding a passkey to the account.
3. With a passkey on an account, instead of remembering/looking up my ID and password, I only need to unlock my device. So makes it easier for me.
4. If I leave my device unlocked, and my teenager or a stranger picks it up, they can login to my account without entering any security info. Less secure.
5. With a passkey on a financial account, instead of a say 12 digit password, now only a 4 or 6 digit unlock code (plus the device) is needed for access. Seems less secure.
Question: when you say “subsequent sign-ins on that device require only a single factor: the device’s unlock code” do you mean the device’s unlock code only needs to be entered to unlock the device or that that code needs to be entered each time you use a passkey?
Unlock codes are used every time a passkey is used.
Amazon doesn’t appear to have figured out passkeys. I set one up on my account and now have the option of using a password or passkey. Since I also set up 2FA on the account long ago, either option still requires the TOTP from the authenticator app each time I sign in.
One thing that I think you should point out is that separate passkeys must be set up for each separate device that one might use to access the account. If I setup a passkey on my smartphone, it does not change how I sign into that same account from my computer or any other device.
Thank you. So I think 2FA + passkey is what my work makes me to whenever I sign with a device other than my work-issued computer.
I get a notice and it shows a number on the screen. It causes the Microsoft Authenticator on my work phone to ask for that number (the 2FA) which I enter. Then it requires me to either enter the PIN on my phone or use my fingerprint on my phone (I think that is the passkey).
Unfortunately, even have to do it on the work profile on my work-issued phone, so I get it on my phone and enter it on my phone.
Do I understand it correctly?
One other question, if I set up a passkey on an Internet account, can I store it in my password manager, and use it with any device that can access my password manager’s vault?
Ernie
It depends on the password manager, but many support it. I use 1Password, which I can confirm does.
Recently access to NY Mayor Eric Adams’ phone was requested and he said he had just changed the pin and couldn’t remember.
In the article the distinction was made that the pin was _something he knew_ while, eg, a fingerprint was something he _had_ and could be required to turn over.
He said he forgot pin. Whatever, they couldn’t get in the phone.
Seems to me that passkeys would inherit the security used by the particular device? With multiple devices the device with the least secure access could compromise the passkey? Unless the least secure device was unknown to the attacker. Security by obscurity? Again?