Passkeys - has their time come?

Another question from setting up a new Mac: I noticed that many sites are starting to offer passkey support. Has anyone else started to use them? (If I do, they will be stored in 1Password, and yes, I live with v8, it’s fine.)

Yes, I’m using them wherever possible.

Unfortunately, only a few sites support them. And even fewer properly (replacing username/password/2FA).

Yes and I am loving it as I am in the middle of moving from 1Password to iCloud Keychain.

2 Likes

I don’t understand this. Why?

1Password is even more secure than passkeys and has better passkey support than Apple’s OEM flavor. Unless you don’t want to spend the $, in which case, I get that.

1 Like

And to answer for myself, no. 1Password is firmly entrenched and will be for some time. 99% of sites do not support passkeys, and there’s so much 1PW does other than passkey support (Watchtower, securely save files, etc.).

I’m committed to 1password for the foreseeable future. I’m curious as to whether passkeys help in this context.

1Password highlights in the app when they’re available.

Just trying to get rid of another subscription. iCloud Keychain works great for me. I do love 1Password and have used it pretty much since its inception. I’ve sung its praises for years to friends and family. But I never could get my wife to use it. Now that they do family sharing in iCloud Keychain, it’s been easy to force my wife to use that. :wink:

I’ve started using them in a few places, but with some hesitation. I recognize that the weakest security point is often a site itself getting compromised and passwords stolen (so it doesn’t matter how secure you keep your passwords), so in my limited understanding, Passkeys will help there.

One thing I don’t know is whether Passkeys put you more at risk if your device is stolen and someone has your iPhone unlock passcode. I’d love to hear from someone who has knowledge about this. In my limited understanding, your device now, in essence, is the key. I’ve only used passkeys a few times since setting them up, and my recollection is I still had to authenticate with FaceID. I don’t recall if FaceID can be reset with the iPhone passcode or not. I’d be curious to hear from someone who has already looked into whether a stolen and compromised device puts you more or less at risk if you’re using passkeys.

1 Like

Both your passkeys and your passwords are available to anyone who has your iPhone and your unlock passcode. I have limited experience with passkeys but AFAIK they offer no additional security in this situation.

Apple’s iPhone Passcode Problem

1 Like

In your scenario, the phone is the passkey. You still need to identify yourself via FaceID, fingerprint or unlock code to access the site or data.

If your unlock code is compromised, the bad actor can reset FaceID or fingerprint using the unlock code, so that’s a definite risk. With 1PW and the like, they would also need the master password for the app, so there’s a further level of security.

If your phone was lost and compromised, you’d presumably notify Apple and have it deactivated. However, during the period before deactivation, in the above scenario, your Keychain data would be at risk.

2 Likes

Passkeys are more secure than UserName + Passwords mostly (only?) because they don’t rely on the user to select the password.

As @WayneG and @ThatGuy have pointed out they’re only as secure as the place they’re stored. So if someone steals and unlocks your phone then they have your passwords.

You have to decide what level of risk is acceptable. In my case 1Password has a strong password on it, so I trust it.

I don’t know how you’ve set your iPhone password; many people stick to numbers and aren’t aware that alphanumeric exists.

2 Likes

Out of curiosity, can passkeys be compromised by a man-in-the-middle attack or if the service provider’s credential database is breached by bad actors? Those are probably the most common ways that username/password combos are compromised.

No idea. I think most passwords are compromised by far more mundane problems:

  • Weak Passwords
  • Reused Passwords

Both are avoided.

Apparently the answer to my question is yes, passkeys do protect against MITM attacks (commonly used in phishing scams) and stolen or compromised credential databases on the service provider side.

Here are a couple of interesting quotes from an explainer (linked below):

“First, passwords getting stolen. We hear every week about some company getting hacked and passwords are stolen. Since people often recycle passwords across the web, that can give bad actors access to a lot of different accounts — email, banking, social media. Passkeys stop that.”

“None of our modern devices, laptops, smartphones or desktops — even those that use biometrics — can package biometric info and send it to the cloud. Modern smartphones aren’t built to share biometrics. It’s always local and on your device. Even if your device gets stolen, the thief won’t have your biometrics to activate the passkey.”

1 Like