Looking at advanced 2-Factor authentication and passkeys vs. hardware security keys, like the Yubikey. Passkeys are new, and seem a little flawed and not fully realized from articles I’ve read.
Hardware keys probably have their own challanges. I assume there’s danger of loosing the key, or being stolen, and being locked out of accounts. I wonder if checking email on a computer and a phone would require the same key be inserted into booth, which seems awkward.
With either key, if the service where the key is being used has been backdoored, where they can read user credentials anytime, or perhaps just have downloaded the user database, would adding one of these key types still be good?
Yes, you are protected using either a software password manager (like the iOS Passwords app, 1Password, Bitwarden, etc.) or a hardware FIDO2 key. Passkeys uses public/private key pairs. Your password manager (or security key) keeps your private key (and keeps it private). Anyone can have a copy of your public key and it will not allow them to log in as you at all - they need the private key in order to do that.
Basically a simplified description of the way that passkeys work (I may have this slightly wrong, but it still describes a process that would work) is that the server sends a random, one time code (a nonce) to your authenticator, which encrypts it with your private key and sends it back to the server. The only way to decrypt something encrypted by your private key is with your public key, so the server will know it is you and allow authentication if what it receives back and decrypts with your public key matches the nonce that they sent to you. If anyone used your public key to encrypt the nonce the result of the decryption would not match.
Having your authenticator be a hardware security key vs. a software password manager (using biometrics to unlock the app) doesn’t change how the passkey works. Each I suppose has its attack vulnerability - if someone gains access to your phone and knows or can change the device passcode, they can use your passkeys. If you lose your hardware token, you lose your passkeys.
That’s an interesting question. I think that IMAP these days often uses oAuth to authenticate you once and remain authenticated with a token your client uses to continue to log in and connect with (Gmail uses this, for example), so I would think that this method will continue to be used. So, yes, I think you’d need the passkey to authenticate the first time the email client accesses the server, but then it would remain authenticated.
Backdoors are a risk no matter what authentication method you use if the service doesn’t properly secure the authentication information (for example, the age-old issue of sites storing passwords in plaintext). From your end, there’s not much you can do about backdoors except properly vet the service you use.
Passwords are always vulnerable because they are a fixed datum that doesn’t change automatically. A stolen password works until you change it or the system it’s for locks it out unless you’re using some kind of multi-factor authentication. Both passkeys and hardware keys rely on an exchange of codes that are unique to each transaction, so stealing a code works only for that moment. Stealing tokens (such as with a man-in-the-middle attack) is easier.
As I see it, the main difference between passkeys and hardware keys is convenience. Passkeys are more convenient for most people because they can be stored in a password manager and shared between devices as needed, whereas with a hardware key, the key must be inserted into the device in question for every authentication. This can be problematic if all the devices you may need to authenticate don’t have the same ports (for example, if you have an older iPhone or iPad that has only a Lightning port instead of USB-C, and you also need to use the key with a laptop or desktop computer). In that regard, passkeys are hardware-agnostic.
On the other hand, hardware keys require your presence to authenticate (unless your key is stolen), while passkeys, once stored, can be used by anyone with access to the device. So in that sense, hardware keys are slightly more secure than passkeys.
Issues with implementation aside, hardware keys are overkill for most uses. Properly implemented passkeys along with MFA are sufficiently secure for most things. The only thing the average person would potentially gain value from with hardware keys is protecting access to financial services and communication channels (email, messaging, etc.). If you want that added layer of protection, you can use a hardware key with those specific services you wish to better secure and use passkeys for other things—you’re not forced to choose one or the other exclusively for all purposes.
If you’ve registered a passkey with a service, the computer/phone (yours) that generated the key will upload the public key and will retain the private key.
If your password manager (whatever system you’re using) synchronizes its content between your devices (e.g. Apple’s Passwords does this with iCloud), then all your devices will have a copy of your private key and should therefore have a working passkey.
At least in theory. I have yet to use any passkeys, so I don’t know how it will work in practice. Mostly because I use Firefox on multiple computers (running Windows, macOS and Linux). I know Firefox on macOS can sync passkeys with the macOS keychain, but I’m not sure if it will subsequently sync to my other Firefox instances (as it does with my bookmarks, history and passwords) and I haven’t yet wanted to take the time to find out for myself.
Thanks for everyone’s detailed replies, very helpful for understanding. In general, it sounds like passkeys use a similar approach, just digital instead of physical and more convenient.