I can't believe that the whole show went without a mention as to what a great implementation of passkeys is for … this site! Talk.Macpowerusers!
Every other site I have enabled passkeys for starts me off with a password and I have to look for the "use another way" link somewhere. Not here. Click the login button and my 1Password passkey notification appears and all I have to do is click the button and I'm in.
Most Discourse-based community forums have both 2FA and passkeys available, so look out for these if you are using other forums based on this platform (examples include DEVONthink, Bear, Bitwarden, Obsidian, Cryptomator, Drafts, BetterTouchTool, Joplin and other communities). Some support 2FA but not yet passkeys (e.g. Logseq). (Edit: the Logseq community forums support passkeys too.)
Would have been so nice if Damien had been given the opportunity to say something too.
I also felt Damien sadly was not given enough space to share his expertise on the subject.
How do you change, say, from Apple login to passkeys? Is there an advantage to that?
That depends entirely on the service and whether they allow switching away from Apple/Google logins and into a "normal" account (where you can then activate passkeys, if available). Some do allow this, some don't. For many services this can't be changed once the account is created.
As a result of this show I ordered two YubiKey 5C NFC keys. I look forward to seeing what all I can secure with this. I really wish more financial institutions would support hardware 2FA.
What happens to my password when I convert my login to a passkey?
Is the password I had on that site then obsolete?
Currently, the answer is mostly "no", although that's the general goal of passkeys. Most websites, though not all, now use passkeys as second factor authentication, and are removing the requirement for a 2FA code, while keeping the username/password system. It will probably take years before usernames and passwords are entirely removed, so this is a transitional phase. You can have a password, 2FA codes and a passkey (or several passkeys) active simultaneously.
There are websites where you can log in entirely using a passkey, Discourse forums (this one included) being one of them, as well as Google. When logging in at these sites, you usually have a Login with a passkey option displayed on a login screen and the experience is pretty much the same as when authorising logins to your Apple ID account using Face ID.
I have passkeys active on about 40 accounts (with passkeys saved to iCloud Keychain and Bitwarden for each of the services), and when they work and are properly supported, they make logins quicker, especially on the iPhone and the iPad.
There are also services that allow you to move entirely to a passwordless system, Microsoft being one notable example here. You then no longer have a password for these.
If anyone wants to try a demo of passkeys, there's one available here:
Nice episode but some additional thoughts/things that were wrong:
- Passkeys - I find it really frustrating that they are tied to a specific browser or device. I haven't looked into password managers storing them for re-use, but I tend to bounce between Chrome, Brave, Firefox and of course my phone+laptop. It's a little unclear to me how many times I have to generate a new passkey each time. Overall I just find these confusing and annoying.
- Would have liked to hear more conversation about tying passkeys to Mac Touch ID. My org is starting to roll this out. Helps you avoid using YubiKeys.
- Hardware - YubiKey actually does have a fingerprint style reader with "Bio" in the name, but you don't have to use it. IMO the most flexible combination would be: (a) a 5C NFC YubiKey to hang from a keyring to use on other devices and NFC for phone, and (b) a 5C Nano tiny guy to leave permanently attached to your laptop.
One other topic that's worth talking about is travel. A very common high risk activity is that your phone can be stolen, which acts as the main 2FA key (authenticator app or SMS). I'd love to hear other solutions, but when traveling I consider the following:
- always have 2FA via authenticator apps or YubiKey and NOT just SMS. You won't be able to get a replacement SIM for AT&T/Verizon/etc. overseas
- consider carrying a cheap backup Android phone or similar while traveling as 2FA. Or carry an extra YubiKey. Another option would be to print out a one time password to bring with you
Would love to hear other strategies.
It's maddening how many financial institutes don't offer proper 2FA. Or if they support YubiKey/WebAuthn/etc., they still force you to use SMS messaging, which is subject to SIM swap attacks. At least they are insured.
You theoretically just need a single passkey saved to a password manager of your choice (that supports passkeys: 1Password or Bitwarden). This is also a multiplatform solution as these will sync to Windows and Android versions (when compared to iCloud Keychain). Their browser extensions should detect that you have a passkey saved for the site; on iOS and iPadOS, the OS will detect a passkey saved to iCloud Keychain or a password manager and show the Face ID screen for you to approve it.
However, you can also have multiple passkeys on sites that support that (most of them do), so you can save one e.g. to iCloud Keychain and another one to 1Password. In essence, passkeys are a software version of hardware security keys.
That's what I figured. How do the password managers know when to pass the stored passkey to a site? My confidence in that implementation is… low.
I also feel like whenever there have been alternative login flows like these in the past, either via SSO, social media sign-in, etc., there's always some path or setting in the website that you can't get to that only works with a regular login/pass. It's just historically ALWAYS been fumbled by like 50%+ of websites.
I'm inclined to stick with regular passwords and YubiKey maybe, but would love to move to Touch ID that's right on my MacBook instead. The odd part is that I'd also have to do facial recognition on my phone.
All so messy.
Much the same way as with regular passwords, by domain, except that passkeys are more secure as they work on a designated domain only (e.g. a phishing site will not be able to activate the passkey prompt from a password manager because it does not have a public key for the domain, so your password manager will not offer sending your response to a phishing site).
In password managers, passkeys are saved along with their matching accounts and domains, for example in Bitwarden:
Ya, that's what I figured. I might try them out on a few sites. Not sure if they really offer any added value once you create them.
Are they considered any more secure than a generated password though?
If they only save me 10 seconds on signup then the value add is kind of low to me.
They are more secure than passwords in that:
- A phishing site cannot trick you into entering your credentials (the passkey will not work there as the domains do not match).
- Passkeys cannot "leak" from a hacked website because the website does not store your credentials in any form, only your public key, which is useless without a private key that never leaves your device (Apple stores them in the Secure Enclave).
- They cannot be brute-forced.
From Googleās documentation:
- Passkeys use public key cryptography. Public key cryptography reduces the threat from potential data breaches. When a user creates a passkey with a site or application, this generates a public-private key pair on the user's device. Only the public key is stored by the site, but this alone is useless to an attacker. An attacker can't derive the user's private key from the data stored on the server, which is required to complete authentication.
The key word you used was "theoretically." I tried an Amazon passkey (saved in 1Password), but found it wouldn't work when I needed to log in on other devices. It was so much hassle I switched back to username and password, which was much simpler.
I have passkeys active for over 40 websites and services with keys saved to both iCloud Keychain and Bitwarden and everything is working reliably for me across all my devices.
I'm not using 1Password, but third-party password managers need to be enabled in Settings > Passwords on iOS for iOS to "see" that they have a passkey for the current website and offer log in. Make sure that is switched on.