Passkey benefits and downsides

We covered the convenience and ease passkeys bring in passkeys for beginners. As with any technology choice, there’s always going to be a trade-off. Here we go over the pros and cons of passkeys.

Passkey pros

Password stealing becomes a thing of the past

Scammers can’t dupe you into giving up your passwords using malicious or phishing websites because passkeys only work with the apps and websites they were created for. And because there are no passwords or passphrases to type, there is nothing to enter on apps or sites that steal your details.

When passkeys are generated, apps and websites only ever get to keep a copy of the public key. If cybercrooks get hold of the credentials an app or website stores, they won’t be able to do much, as the app or website wouldn’t be storing any passwords and there’d be no access to the private key. This also stops credential stuffing and password spraying dead in their tracks.
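
To make the two points above concrete, here is an added example (not code from the original page) of the check a website runs when you sign in with a passkey, simplified from the WebAuthn assertion format. The domain names, function names and sample values are constructed assumptions, and the public key is held as a Node key object rather than the encoded form a real site stores.

```javascript
// Added illustration, not code from the original page. RP_ID, EXPECTED_ORIGIN and
// every function name here are assumptions; all sample values are constructed.
const nodeCrypto = require("node:crypto");

const RP_ID = "example.com";
const EXPECTED_ORIGIN = "https://example.com";
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// Stand-in for browser + authenticator. In a real browser the page cannot choose
// `origin` or `rpId`; the browser fills them in from the site actually loaded.
function signAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin,
  }));
  // authenticatorData = SHA-256(rpId) | flags (0x05: user present + verified) | signCount
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
}

// Server-side check. The server holds only `storedPublicKey`, never the private key.
function verifyAssertion(storedPublicKey, expectedChallenge, a) {
  const clientData = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (clientData.origin !== EXPECTED_ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, storedPublicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const newKey = () => nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const user = newKey();   // private half stays on the user's device
  const other = newKey();  // someone who has only seen the site's stored public key
  const challenge = nodeCrypto.randomBytes(32);
  const check = (a, ch = challenge) => verifyAssertion(user.publicKey, ch, a);
  return {
    genuine: check(signAssertion(user.privateKey, EXPECTED_ORIGIN, RP_ID, challenge)),
    lookalikeSite: check(signAssertion(user.privateKey, "https://login.example.test", "login.example.test", challenge)),
    publicKeyOnly: check(signAssertion(other.privateKey, EXPECTED_ORIGIN, RP_ID, challenge)),
    replayed: check(signAssertion(user.privateKey, EXPECTED_ORIGIN, RP_ID, challenge), nodeCrypto.randomBytes(32)),
  };
}

console.log(demo());
```

A production site would rely on a maintained WebAuthn library, which also decodes the stored key format and tracks the signature counter.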

It’s secure from the get-go

Every passkey pair is uniquely generated with algorithms that are tough to crack, which makes them more secure than most passwords. Passwords are often weak because they aren’t always randomized and long.

Passkeys come with multi-factor authentication built right in, and they replace traditional options like SMS and authenticator apps like Google, Authy and Microsoft.

Passkeys do this with a mix of something you know, such as your PIN, something you are, such as your fingerprints, paired with something you have, like your device. This makes passkeys phishing-resistant, as cybercrooks can’t hoodwink you into typing in one-time passcodes on fake websites along with your passwords.

Did we say simplicity and convenience?

Passkeys make the user experience more enjoyable. As they work in the same way as unlocking your device, it’s simpler, quicker and more user-friendly to sign up to apps and sites as well as to log in. Gone are the days of filling in passwords.

If you are already using Apple, Google or Microsoft, passkeys automagically synchronize with your cloud identity so that you can use them across multiple devices for the most part. Apple does it with Apple ID and iCloud Keychain. Google uses your Google account and the Google Password Manager, and Microsoft works with your Microsoft account and Microsoft Edge.

If your passkeys are saved with Windows Hello, you have to create additional passkeys for every other device you’d like to use as Windows Hello doesn’t yet synchronize across devices.

Passkey cons

Sharing is a double-edged sword

For everything passkeys have to offer, they aren’t without disadvantages. For one, if you are using a shared device, passkeys may not be an option. If the device can be unlocked by someone besides you, it defeats the purpose of passkeys.

If you have an app or site that you do want to share with others like your family members, you need to set up a group or vault that you can give access to. If a passkey was saved to a secure enclave, they would need to be in possession of the device.

Passkeys aren’t available to everyone

Passkeys are broadly supported if you use modern browsers, operating systems and devices. If you are using legacy or unsupported apps, web browsers, operating systems or devices that don’t support passkeys, you are out of luck.

You can’t store all passkeys centrally

If you are already using a password manager to manage your passwords and passphrases, you’d probably want to keep passkeys in there too. In some cases, you won’t be able to. Take Apple for example. Apple doesn’t provide a way for third-party applications to store passkeys for iCloud or Apple ID. You’d have to continue using Apple’s iCloud Keychain.

Passwords aren’t going away soon

Passkeys haven’t been rolled out across all apps and websites just yet. While the list of websites and apps that offer passkeys grows, passwords and passphrases are going to be with us for some time. And as passkeys become the go-to, apps and sites will need to provide alternative ways of accessing your account if you get locked out or lose your device.

Portability isn’t there yet

Since Apple, Google and Microsoft store and manage passkeys in different ways, you can’t export them at the moment. It’s the same with password managers too, which means you are locked into the Google, Apple, Microsoft or <insert your password manager> ecosystem. To move away from any one of them, you’ll have to either reset or recreate passkeys, which throws ease, convenience and simplicity out of the window.

Malware is still a thing

If you have an older device and it is infected with malware, criminals could steal the private key. On modern devices the malware could harvest active cookies from the app or browser to access your account. The threat of malware doesn’t just affect passkeys. It can also grab passwords and passphrases in a similar way.

Wrap-up

Passkeys are a big step forward and they are a glimpse into a passwordless future. Passwords and passphrases aren’t going away anytime soon, not before there’s widespread support across apps and websites. Additionally, not everyone is going to be able to afford modern operating systems and browsers.

If you already use biometrics to unlock your device and you have no plans to replace or change the technology you use, passkeys may be the solution for you. On the flip side, strong passwords and passphrases could be the way to go if you’d like the flexibility to export your secrets so that you aren’t stuck with a particular app or device.

And depending on your threat model, if you’d prefer that even someone who got hold of your biometrics couldn’t log into your device or accounts, sticking with passwords may be the right pick for you. For example, depending on where you are traveling to and your legal status in that country, you have the right to withhold your passwords.