# Will passkeys ever replace passwords? Can they?

## Here’s why they really should

[Bruce Davie](/Author/Bruce-Davie) Sun 17 Nov 2024 // 18:30 UTC

**Systems Approach** I have been playing around with passkeys, or as they are formally known, discoverable credentials. Think of passkeys as a replacement for passwords. They are defined in the Web Authentication ([WebAuthn](https://www.w3.org/TR/webauthn-2/)) specification of the [W3C](https://www.w3.org/) (World Wide Web Consortium).
This work evolved from several prior efforts including those of the [FIDO alliance](https://fidoalliance.org/) (FIDO = Fast Identity Online).

My quick take on [passkeys](https://passkeys.dev/docs/intro/what-are-passkeys/) is that they are a good idea, and if we could convince the world to use them instead of passwords, we would all be much better off. Phishing in particular should take a big hit if they are widely adopted. But I fear that this isn’t likely to happen, for reasons that I will explain in a moment.

In the perennial quest to create more secure systems that are also user friendly, some significant implementation issues are apparent. My experience reinforces my belief that a systems view of security is necessary and that user interactions with the system must be carefully thought through.

The basic idea behind passkeys is straightforward enough: A user (or more likely, a device owned by the user) creates a private/public key pair specifically for a single website and provides the public key to the site. The user proves their identity to the website using some other method, such as a previously established user name and password, maybe with some other factors as well. The website stores the public key for subsequent use.
The next time the user wants to authenticate to the website, the site issues a challenge to the user, who uses the locally stored private key to sign their response to the challenge. The website uses the stored public key to authenticate the user.

### Key points

This is why we say passkeys replace passwords, specifically with public key cryptography. Because the user’s private key never leaves their device, it should be much harder for a phishing attack to succeed. Phishing normally relies on getting a user to divulge their password by entering it into a bogus site. (Sophisticated attacks sometimes get users to divulge their second factor, such as a one-time code from their phone, as well.)

Passkeys, as well as remaining local to the user’s device, are unique to a particular site — implementations verify a certificate from the designated site before the relevant private key is used to respond to a challenge. So you can’t accidentally use a passkey on a bogus site. Similarly, the problems of password reuse across sites are avoided. Password reuse often means that a security breach on one site can be used to gain access on others. None of that happens with passkeys.

> A systems approach to security should include viewing the user as part of the system

There remain a few weaknesses. The process is bootstrapped by getting the user to authenticate using a traditional approach (such as username and password), which remains open to traditional attacks. One way to mitigate this is to require multi-factor authentication (MFA) — and there are better options than one-time codes sent over SMS, which I will get to. There is no getting away from the fact that public keys always need some sort of bootstrap process. (Remember [PGP key-signing parties](https://xkcd.com/364/)?)

But if a website adopts passkeys without disallowing subsequent login attempts by password, then the system remains roughly as vulnerable to phishing attacks as it was before.
A savvy user might detect that they are being phished if they are suddenly being asked for passwords after using passkeys for a long time, but any time we rely on the judgment of users to detect security attacks we are bound for disappointment. It bothers me to read blog posts from seemingly credible sources that don’t address the fact that passkeys are being added in addition to passwords but not (yet) replacing them. Maybe the time will come when passwords are the exception, but I see no way to get there on the current trajectory.

### In practice

There are two broad categories of passkey implementation. One approach binds the key to a specific piece of hardware, such as a USB key (eg, YubiKey). Or a passkey might be stored on a mobile phone and require biometric authentication (eg, facial recognition) before the passkey can be accessed.

The second class of passkey implementation allows the credentials to be copied among multiple devices, typically using some sort of password manager to keep the credentials secure and synchronized across devices. In this case, the private/public key pair is stored in the password manager and is made available to the user across different devices (laptops, mobile phones, etc.) when they need the passkey.

Hardware tokens make phishing attacks almost impossible (if they replace passwords, see above), since the only way to get access to the user’s credential is to have physical access to the key. A password manager, on the other hand, is a piece of software that normally has some cloud service behind it to handle synchronization across devices. If an attacker manages to get access to the credentials necessary to log in to the cloud service, then they have access to the passkeys stored within it. For this reason (among others) password managers are generally secured with some sort of multi-factor authentication. One of those factors might be biometric, or even a hardware token.
As an aside, I would note that there is considerable variation in the security of different password manager implementations. LastPass, for example, apparently made some [poor design decisions](https://www.theregister.com/2023/01/25/goto_security_incident_update/) that meant [a breach](https://www.theregister.com/2023/01/16/dump_lastpass_bitwarden/) was much more serious than it needed to be. By contrast, 1Password’s [description](https://support.1password.com/1password-security/) of system security suggests that the only way the passwords (or passkeys) in their password manager can be accessed by anyone is if they have access to all your authentication factors (which in my case includes a hardware token).

My last concern about passkeys is that the implementation seems to have failed the ‘make it easy for users’ test, which in my view is the whole point of passkeys. I have been using public key cryptography for 30-plus years. (My first boss insisted his managers use PGP to encrypt emails containing sensitive information about employees — ah, those were the days.) Surely the reason for yet another technology based on public key cryptography is to simplify its use. If I find passkeys confusing to use, it doesn’t bode well for more typical users. Let me walk through an example.

### User interfarce

I decided to try to add a passkey to my WordPress.com account on my Apple Mac. So I log in using my existing password and second factor (a hardware token). I navigate to the security page; there is no mention of passkeys, so I click ‘2-factor authentication’ then ‘add a security key.’

OK, I’m not going to replace a password with a passkey here; instead I am going to add a security key as a second factor.
And for the sake of this example, let’s say I want to store it on my YubiKey. When I click ‘add key,’ three different bits of software compete for my attention.

First up is the password manager, offering to store a passkey. (This is the first time passkeys have shown up in this process — you can begin to see how a casual user might be getting confused.) I don’t want the password manager to be involved in this case, so I dismiss the window.

Next up, a window appears from macOS asking me if I would like to use Touch ID to ‘sign in’ (to what? — I am already signed in to the website) and to save a passkey. Again, note the different terminology. When I dismiss that window, it is time for the browser to have a go, offering me *four* ways to save a passkey, including finally the option to store it on the hardware token. I insert the USB key and proceed.

I think we can all agree that this is a confusing experience, with three different systems fighting to be the One True Place To Store Passkeys, along with the inconsistency of terminology (passkeys or security keys) and use cases (password replacement or strong second factor?).

It’s like every piece of software wants to ‘help’ but there is no one looking at the system-level behavior where these different bits of software interact with each other and the end user.
I’ve encouraged my wife (a social scientist, not a computer scientist) to adopt a password manager and 2FA, and she’s very willing to follow my lead, but the confusion of terminology and bewildering arrays of options frequently (and understandably) lead to complete frustration on her part.

There is a longstanding trade-off between security and usability. It’s important to take a systems approach to security, and that should, I believe, include viewing the user as part of the system. If you can’t make a security technology sufficiently easy for users, then it’s unlikely to provide good security.

Passkeys and the WebAuthn specification were intended to make public key cryptography accessible to average users, rather than just the domain of the tech-savvy. If done right, they could seriously improve security on the Web.

There is a well-defined API to allow a broad choice of authentication devices (such as FIDO keys or password managers) to manage the creation and use of private/public key pairs. But unless things get a lot more consistent and smooth for the end user, I fear this will end up just like PGP or [client certificates](https://www.rfc-editor.org/rfc/rfc8446.html#section-4.4) in TLS: a technically valid solution that has minimal impact on the majority of users. ®

**Larry Peterson and Bruce Davie** are the authors behind [*Computer Networks: A Systems Approach*](https://book.systemsapproach.org/) and the related [Systems Approach](https://www.systemsapproach.org/) series of books. All their content is open source and available for free on [GitHub](https://github.com/SystemsApproach). You can find them on [Mastodon](https://discuss.systems/@SystemsAppr), their newsletter [right here](https://systemsapproach.org/newsletter/), and past *The Register* columns [here](https://www.theregister.com/Tag/Systems%20Approach).