
BigBlur

Original poster
Jul 9, 2021
I understand how passkeys work and how they're more secure; but in most cases, your account still has a password. I see a lot of people/sites saying you should use a passkey when you can, but isn't your password still vulnerable to being stolen, brute-forced, breached/leaked, and bad actors can still get access to your account that way? I guess you should have 2FA set up to catch those instances, but I feel a lot of people think "I have a passkey set up, my account is super secure now"...when it actually might not be. Your account is only as secure as your weakest method of access.

I know Microsoft lets you delete your password and go passwordless after setting up a passkey (or other similar authentication method), but not many other services have that option.
 
I've been wondering this myself. For example, there are lots of articles that tell Gmail users to ditch passwords and use passkeys, but you can't actually delete the password.

There are a few sites which have a halfway policy - you can turn passwords off so you can't log in with a password, but they still require the password for some functions like changing two-factor authentication settings.
 
If Google (and other sites) are pushing the use of Passkeys, it's probably because they've already figured out a way to use them to track you, which means anyone else can still get access the same way they did with passwords.

Call me cynical, but if you're on the Internet at all, you are NOT secure; no matter what or how you use.
 
Even if you still have a password, you are hopefully typing/filling your password less often, leaving fewer opportunities to be phished. And when you do use the passkey, the passkey itself is not transmitted, unlike the password.

I agree though, the most secure option is when services let you drop the password entirely.

This is also a moving target. They may let you drop the password entirely at a later date.
 
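The point made in the post above, that the passkey itself is never transmitted, shown as an added example (not part of the original thread). It is a simplified model of the challenge-response idea using Node's built-in `crypto` module, not the real WebAuthn message format; the function names and the `shop.example` origins are assumptions made up for the illustration.

```javascript
// Simplified passkey-style login (added illustration, not the WebAuthn wire format).
const crypto = require('crypto');

// Registration: the key pair is made on the device; the site stores only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { serverRecord: { publicKey }, authenticator: { privateKey } };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Authenticator: signs the challenge together with the origin the browser reports.
function signAssertion(authenticator, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature }; // the private key never leaves this function
}

// Server: checks the signature, then the challenge it issued, then its own origin.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenarios: what the server decides in each case.
function demo() {
  const SITE = 'https://shop.example'; // constructed origin
  const { serverRecord, authenticator } = registerPasskey();
  const c1 = newChallenge();
  const good = signAssertion(authenticator, c1, SITE);
  const results = { login: verifyAssertion(serverRecord, c1, SITE, good) };
  // A captured assertion presented again: the server has moved on to a new challenge.
  results.replay = verifyAssertion(serverRecord, newChallenge(), SITE, good);
  // An assertion produced on a lookalike origin carries that origin inside the signed data.
  const c3 = newChallenge();
  const phished = signAssertion(authenticator, c3, 'https://shop-example.test');
  results.phished = verifyAssertion(serverRecord, c3, SITE, phished);
  // Rewriting the origin afterwards invalidates the signature.
  const edited = phished.clientData.replace('shop-example.test', 'shop.example');
  results.forged = verifyAssertion(serverRecord, c3, SITE, { ...phished, clientData: edited });
  return results;
}
console.log(demo());
```

None of this covers the thread's main concern: a password left enabled on the same account is a separate login path that these checks never see.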
Even if you still have a password, you are hopefully typing/filling your password less often
I find them more intrusive. Oh, I want to sign in to Amazon, and I'm buying something. With password managers, the email addr/password can be filled in. Now instead of the password, I need to grab my phone, unlock it and approve it.

Seems less streamlined to me.
 
I find them more intrusive. Oh, I want to sign in to Amazon, and I'm buying something. With password managers, the email addr/password can be filled in. Now instead of the password, I need to grab my phone, unlock it and approve it.

Seems less streamlined to me.
That hasn't been my experience with Amazon or 1Password in general.

When I log in, the browser extension pops up and lets me click sign in.
 
When I look in my iOS Passwords app, I'm always amazed that I have less than 10 sites that have a passkey.
(Whereas the number of sites that I have in the Passwords app that use biometric ID to put in the username and password are probably over 150 or so.)

I have a basic question about the iOS Passwords app itself relating to how secure it is.
I would like to confirm that there isn't a way to get into it other than using your biometric ID.
For example, if someone steals my iPhone, and figures out my phone's passcode and adds their fingerprint to the Touch ID/Passcode (I am still using an iPhone SE so it's Touch ID), are they then able to get into the Passwords app?
If that's the case, then even Passkeys aren't safe.

I have one banking app on my iPhone that uses a Passkey, but even if I myself just add a fingerprint to the Touch ID/Passcode, this banking app immediately and automatically requires a different way to authenticate that I am the owner of the account before it will work with a Touch ID enabled Passkey again. But that's my only app that works like this, I think. Even my other banking apps don't work like this.
 
I have a basic question about the iOS Passwords app itself relating to how secure it is.
I would like to confirm that there isn't a way to get into it other than using your biometric ID.
For example, if someone steals my iPhone, and figures out my phone's passcode and adds their fingerprint to the Touch ID/Passcode (I am still using an iPhone SE so it's Touch ID), are they then able to get into the Passwords app?
If that's the case, then even Passkeys aren't safe.
Yes, you can use the passcode. The Passwords app will ask for it if Face ID fails twice. You can try this out yourself by covering up the Face ID camera. I believe turning on "Stolen Device Protection" will help with this...making the biometric authentication required and having no passcode alternative.

Also, something else to be mindful of is that passkeys can be shared. I just did this the other day. I set up a passkey for my mom's Costco account on her phone. I then AirDropped the passkey to my phone, so that I could use it too. (We share the account.)

If someone gets into your phone, they could AirDrop all your passkeys to theirs, and you'd never know they were using them to log into your accounts. It's easy to change a password if it gets stolen; everyone knows how to do that...but with passkeys, you need to navigate through your account settings on the site to figure out how to revoke it and generate a new one.

IMO, passkeys are still a good thing and better than passwords, but they can get stolen too if you aren't careful with your devices.
 