And more passkey answers.
I recently received a set of questions about passkeys from a reader. Given that there's a lot of confusion around passkeys, and that I suspect passkeys are the long-term future of security, let's address those one at a time.
Google may know that it's definitely me, but how do I know that it's Google who is asking? This is even worse with you saying passkeys might work in the background without me even knowing. Let's assume someone breaks into Google and steals my public key. Computers are able to ask my number thousands of times in seconds. With enough returned numbers, they might be able to "assemble" my private key.
Passkeys work in the background, but you'll know it because you'll be asked to authorize their use. That'll be via a PIN, fingerprint, or face on a mobile device, or whatever Windows Hello supports on your computer. Mine uses a PIN, for example.
Assuming someone breaks into Google to steal passkeys is a red herring. While theoretically possible, I believe the odds to be so infinitesimally small that it's just not worth worrying about.
Even if someone did steal the key stored at Google, it would be useless to them. A passkey is a public/private key pair: your device (or your password manager) holds the private key and never sends it anywhere, and Google stores only the matching public key. The public key can check a signature your device makes, but it cannot make one, so a thief holding a copy of it cannot sign in as you. The passkey is also bound to Google's domain. Even if a hacker convinced you to fall for a phishing attack, your browser won't offer the passkey to a site on a different domain, and the response your device signs names the site it was actually talking to, so the real server would reject anything signed for an impostor.1
Yes, in theory, someone could try to work backwards from the stolen public key to your private key. That reverse computation is exactly the hard problem these algorithms are built on; for the elliptic-curve signatures passkeys typically use (ECDSA on the P-256 curve), the best known methods would take far longer than the age of the universe on current hardware. Nor does making your device answer "thousands of times" help: each sign-in signs a fresh random challenge from the server, and a properly implemented signature reveals nothing about the key that made it. I don't know any hackers who are that patient. Again, I don't consider this worth worrying about at all.
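The exchange described above, as an added worked example that is not part of the original article: a short Go program, using only the standard library's ECDSA on the P-256 curve (WebAuthn's "ES256", the most widely used passkey algorithm), plays the roles in a passkey sign-in. The authenticator holds the private key, the relying party holds only the public key, the server issues a random challenge, and the device signs it together with the origin it was asked from. Two failure cases are then run against it: the look-alike host from footnote 1, which never gets an assertion, and an attacker who has stolen the server's copy of the key and can only sign with a key of their own. All type and function names (Authenticator, RelyingParty, GetAssertion, Verify, Login, ForgeWithStolenPublicKey), the constructed origins, and the folding of the browser's rpID check into the authenticator are assumptions of this example, not WebAuthn library code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator stands in for the phone or Windows Hello: it holds the private key and never releases it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // host the passkey was created for
}
// RelyingParty stands in for the site's server: it stores only the public key, which verifies but cannot sign.
type RelyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}
// clientData mirrors WebAuthn's clientDataJSON. It is what gets signed, so challenge and origin are both covered.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a passkey: the private half stays on the device, the public half goes to the server.
func Register(host, origin string) (*Authenticator, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // WebAuthn's "ES256"
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, rpID: host}, &RelyingParty{origin: origin, pub: &priv.PublicKey}
}

// NewChallenge is the server's fresh random nonce for one sign-in attempt.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read never returns an error on Go 1.24+
	return base64.RawURLEncoding.EncodeToString(b)
}

// GetAssertion is the sign-in step on the device. In real WebAuthn the browser refuses to offer a passkey whose
// rpID does not match the page's domain; that check is folded in here as an exact https origin match. PIN/biometric prompt implied.
func (a *Authenticator) GetAssertion(origin, challenge string) ([]byte, []byte, error) {
	if origin != "https://"+a.rpID {
		return nil, nil, fmt.Errorf("no passkey offered on %q (this one is scoped to %s)", origin, a.rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:]) // ECDSA over SHA-256(clientDataJSON)
	return cd, sig, err
}

// Verify is the server side: right challenge, right origin, and a signature valid under the stored public key.
func (rp *RelyingParty) Verify(challenge string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" || c.Challenge != challenge || c.Origin != rp.origin {
		return fmt.Errorf("client data does not match this login (type=%s, origin=%s)", c.Type, c.Origin)
	}
	if h := sha256.Sum256(cd); !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the public key stored for %s", rp.origin)
	}
	return nil
}

const rpID, site = "www.google.com", "https://www.google.com"

// Login runs one sign-in with the user's device while the browser is on pageOrigin.
func Login(pageOrigin string) error {
	a, rp := Register(rpID, site)
	ch := rp.NewChallenge()
	cd, sig, err := a.GetAssertion(pageOrigin, ch)
	if err != nil {
		return err
	}
	return rp.Verify(ch, cd, sig)
}

// ForgeWithStolenPublicKey: a server breach yields rp.pub and nothing else, so the attacker signs with a key of their own.
func ForgeWithStolenPublicKey() error {
	_, rp := Register(rpID, site)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch := rp.NewChallenge()
	cd, sig, _ := (&Authenticator{priv: attacker, rpID: rpID}).GetAssertion(site, ch)
	return rp.Verify(ch, cd, sig)
}

func main() {
	fmt.Println("real site:        ", Login(site))
	fmt.Println("look-alike host:  ", Login("https://www.google.com.notgoogleatall.com")) // footnote 1's example
	fmt.Println("stolen public key:", ForgeWithStolenPublicKey())
}
```

Run it with `go run`: the first line prints `<nil>`, the other two print the reason the attempt was rejected. The thing to notice is what the server never holds: the private key. That is why a copy of the stored key is a very different event from a stolen password database, and why a fresh challenge per login makes collecting signed responses pointless.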
If a passkey is stored in my device, what happens if I change hardware or have a major operating system update or change my operating system on this device? After a major OS update, my husband was in trouble. To what part of my device is this passkey linked? Hardware or software or both?
A passkey created in your phone's or computer's own credential store is tied to that device. A normal software update won't affect it, but wiping and reinstalling the operating system, or resetting the device, will erase it.
However, that's not a problem. Passkeys are never the only way to sign in; they're just the most convenient. The scenario you describe is just like losing a phone with a passkey on it. Check out What If There’s a Passkey on My Lost Phone?
Even better, if you store passkeys in your password vault, they sync with the vault and keep working on your other devices. (Once again, only after you've unlocked the vault with your PIN or other device-specific authorization.)
I use a password management tool, and they do a lot of advertising for passkeys. I think it is a good idea concerning websites, but I won't change my master password to a passkey. If someone breaks into one of my devices, he will have access to my password management. My master password is only in my head.
I agree. I don't use a passkey to sign in to my password manager. For now, it's a nice long secure passphrase -- the only one I need to remember.
I may revise my position after I see how or even if passkeys are implemented as a way to unlock a password vault.
I have a friend who is a mathematician. He told me that encryption is based on large prime numbers. Of course, there are infinite prime numbers, but the larger they are, the more difficult they are to identify. So there might be "doubles" in the known and frequently used range of prime numbers. This is another gateway or back entrance mathematicians never know and think about.
It is not. For one thing, passkeys typically use elliptic-curve signatures (ECDSA on the P-256 curve), which don't rest on large primes at all; where RSA is used, each prime is chosen at random from more than 2^1000 candidates, so two keys sharing one by chance is not a realistic event. More importantly, the algorithms used have been scrutinized deeply and accepted only after a serious level of vetting. There's no back entrance. Believe me, mathematicians and others are deeply concerned with the robustness of the algorithms.
I'll also put it this way: if a true flaw is ever found and it happens to be practically exploitable, your login credentials are the least of our worries. These encryption algorithms are the same that secure almost everything on the internet.
Do this
I encourage these kinds of questions. Passkeys are a new frontier, and they will lead to a more secure ecosystem. Adoption, though, relies on comfort in that security. Given that they are perceived as so much magic right now, it's worth taking the time to understand what they're about.
I'll try to help!
Footnotes & References
1: At a minimum, fake domains -- like www.google.com.notgoogleatall.com -- will simply fail: the browser offers a passkey only to the domain it was registered for. The only thing that might come close is a DNS poisoning attack where www.google.com sends you to a hacker's server rather than the real servers. Even then, the attacker would also need a certificate for www.google.com that your browser trusts, because passkeys only work over HTTPS; without one the connection fails before any passkey is involved. And in no case does the private key leave your device.
Does much of that mean, if we use a PIN for any device, then that device is connected to a passkey? If a person has a PIN to use on only one single device (smartphone), then is this the only arrangement he has for any passkey? If he never setup any passkey for anything else, then is that device the only one for which he has a passkey (being only the PIN for that device)?
Passkey seems to be, at least to me, an unnecessary complication to just using one’s device or devices. Sign-in to a desktop or laptop computer – only a username and password; no passkey. Website? Only sign-in with username/email address, and password; no passkey.
Passwords can be breached, lost or stolen. Passkeys cannot.
If you haven’t explicitly set up a passkey on a device, then it has no passkey, regardless of whether it uses a PIN or not.
After watching your video about passkeys, I decided to give it a try, setting one up for Google. This was fine for logging in from the PC or phone. The problem was, I watch YouTube on my TV, not the PC. First time I tried it, it went bonkers. Claimed I didn’t exist, and prompted me to enter my password. That was fine, except it said that my password had been changed 9 months ago. Checking my records, the current password had been used since June 2023, and not 9 months ago. I jumped through various hoops, contacted support (waste of electrons as usual), then gave up and went to bed. It occurred to me during the night that the only change I *had* made was to add the passkey. I went back to the PC, and removed it, and lo and behold, YouTube was back!
Interestingly, and I pointed this out to tech support, I had logged in on the PC to contact them using the very same password which was supposedly wrong.
That’s odd. I have passkey on my Google account AND I use YouTube on my TVs. I use the sign-in process that shows you a code on the TV, you then enter that code into a signed-in phone or PC, though.
Leo, I understand setting up passkeys. But unless I am misunderstanding how you use them, it appears once you set up a passkey for a particular site, all you have to do is just unlock your device (PC, iPhone, …) and go to the website. The passkey will automatically log you in. Or do you have to enter your PIN again?
So even though I may have a 12 digit complex password for that site, once I create the passkey I am only protected by a 4 or 6 digit pin on my device. And if I leave the device unlocked for a short while, if anybody picks it up, they have access to all my passkeyed sites. If I am correct, doesn’t this leave all my sites only protected by a short pin, even if you enter it twice?
What is wrong with my assumption?
Thanks, Charlie
The PIN (or face or fingerprint) is generally required each time.
You mention a complex 12-character password. That’s the absolute minimum password length. A passkey can easily manage a login with a 20 to 25 or more character password. For example, a 6-character alphanumeric PIN has over 2 trillion permutations, so I think it’s pretty secure. 2 trillion isn’t a lot to crack on a website, but on a device it’s virtually uncrackable.
In a way, a PIN can be looked at as a shortcut to a long password.
I’m surprised that Leo is sticking his neck out so far in “certifying” that the passkey concept is absolutely secure. The technical details are not the issue, but the fact that every single security system out there has been by-passed eventually. “By-passed” just means that the bad guys will find a way around it to extract benefit from a victim. Worth remembering that there is always someone out there that’s smarter.
And to Charlie, you’re not missing anything. Your device is protected only by a short pin and your ability to physically secure your device. Of course, the passkey approach was based on the expectation that people will use biometric signatures instead of a pin. I’ve seen too many movies to risk my body parts.
Did I say “Absolutely”? Where, please?
For the present, I use a passkey for my Google and Microsoft accounts. When/As other sites begin to offer them, I’ll add them to my devices. Passkeys may not be perfect, but they are more secure/easier to use than the traditional user-name/password combinations, and I’ll always take better/stronger/easier/more intuitive security when I can get it.
Because I use both Windows and GNU/Linux, I use an authenticator app to verify my identity. When GNU/Linux supports biometrics as well as Windows, I’ll switch to that technology, with the authenticator app as my backup scenario.
I look forward to the day/time when passkeys/biometrics are ubiquitous everywhere.
Ernie (Oldster)
Leo: OK, you did not use the word “absolutely”, but the entire tone of your article seems to be that this passkey thing is finally IT. It’s the fix for our online security problems. That’s like saying the next Windows Update will fix all security holes.
I’m not saying that you are wrong in saying the chances of being hacked within the passkey system are remote. In fact, I would agree that all the horror stories about security breaches and vulnerabilities are statistically meaningless for any individual home user. But the tone of the article was striking to me in that it went beyond the nuts-and-bolts technical description. Maybe that’s not a fair assessment, but people have given similar assurances about passwords, 2FA, blockchain, etc. So, we’ll use passkeys until someone comes along with the headline “Passkeys Hacked”.
It’s not finally “IT”, but it’s as close to “IT” as we can get. Security is a game of whack-a-mole, and tomorrow we may have another “IT”.
I may not have been clear about my concerns. As I see it, I need to protect access to many online accounts, both from external attacks and also from local (using the device) attacks.
Both passwords and passkeys can provide protection from external attacks, with passkeys making it easier and maybe more secure. But my concern is about local attacks. If I want to use a password, I turn on the device, enter a pin (only 4 or 6 digits) or facial or fingerprint access (first layer of access security). Then open my password manager with a strong pin (second layer of security), and copy/paste the id and password to the account I’m trying to access. Clumsy, but secure.
But with a passkey, the second layer of security is only the same weak 4 or 6 digit pin as was used for first layer to open the device. Not very secure.
I realize the level of security needed for local access vs internet access is different. Local access also needs possession of the physical device, whereas internet access attempts can be by anyone on the internet with high powered computers to try iterations on your account. So when accessing the internet, high security is needed.
However, if someone “borrows” my iPhone after watching me enter my PIN, they will have access to all of my accounts using passkeys. With several teenage kids (with snooping eyes) around me, the probability of compromise of my PIN is high.
So as long as passkeys only require the device’s PIN to use, they don’t seem very secure to prevent local access. As a solution, I would prefer if they can be set up to require a more complex password (of my choosing) to allow their use. Similar to using a secure password to access my password manager.
Do passkeys allow me to set my own PIN for their use? It could be the same for all passkeys.
Passkeys don’t control how they are unlocked. The device (or password manager you’re using to hold your passkeys) handles that.
If your passkeys are kept by 1Password, for example, you could require that the master password be entered before using anything.
If you’re not using a password manager then you might look into the options for strengthening your device unlock. For example in Windows your “PIN” can actually be a complex password.
I understand passkeys a lot more since stumbling upon you and your videos. One of my accounts is requiring me to create a passkey. However, I am a bit confused regarding where to store it. In other words there are obviously options and I am not sure how to decide what is best.
To piggy back on figuring out where to store, will I also need to keep a pin in my head or continue with the regular 2FA? I use google authentication normally.
If I am missing something, please advise…besides what I am asking above.
By default, the passkey will be created on each device you use. If your password vault supports it, you may be able to save it there instead.
You’ll need to know how to unlock your PC or Phone — as you’re already doing.