Passkeys vs. password manager. Enlightenment sought

I have used a password manager, Dashlane, for two decades since David Pogue recommended it in his New York Times column (whatever became of him?).

I use strong, unique, passwords everywhere.

Many sites now encourage me to switch to passkeys. I can see no benefit in doing this but I would be happy to learn otherwise.

As I understand it, accessing a website on my Mac using a passkey would require me to use my iPhone as an authenticator. This involves more steps than simply using the password manager on the Mac. Accessing a website on my iPhone using a passkey would require an authentication step, such as FaceID, but that is little different from authenticating via the password manager on the iPhone. So passkeys might add extra steps and require that I always have my iPhone to hand.

I am sure that those who do not use password managers or do not take the trouble always to use strong, unique passwords will benefit from passkeys. I am curious to learn if there is any value here for me and if I have misunderstood the concept.

1 Like

No. You can authenticate on the Mac itself if it has Touch ID or you use a Touch ID keyboard. The biometric authentication (Touch ID, Face ID) is the requirement (or the device passcode), not an iPhone per se.

The idea is that you rely only on biometric authentication to log on. You do not worry about unique passwords. The downside is obviously that password sharing no longer just works and that cross-platform support isn’t fully baked in (yet).

People who are religious about good (long, complex) and unique passwords and use a decent password manager (Apple’s built-in with iCloud sharing is perfectly fine for this) are likely already secure enough. I see passkeys as providing a major improvement primarily to the masses that still struggle with good passwords or attempt to use the same or similar passwords across multiple accounts. Those people will see a massive benefit from using passkeys, which by the way is a convenient and biometric-authenticated implementation of an old idea: public/private key auth.

I use Apple’s iCloud Keychain and have relied on it over the years to generate unique and strong passwords. That worked great for me, but I still like passkeys and I transition to them where I can if it’s a service I don’t plan on sharing with my wife. I also don’t have to use Windows systems, and the Linux systems I do use don’t need those passwords, so I don’t have to worry about cross-platform.

3 Likes

I’m not actually using passkeys, so this is from what I’ve read not actual experience, but…

I don’t think this is true any longer as Apple supports sharing passkeys:

With the caveat that I have pretty much taken the same position – there’s no real benefit for me, so I’ve stuck with strong unique passwords for now – there is a theoretical benefit to passkeys for everyone, even those with good password practice. Because (as @Simon notes) passkeys are based on public/private key cryptography, the website with your account never needs to store your private key which is the sensitive element. The website stores your public key which can be provided to anyone without compromising your security.

So if the website itself has poor security and gets hacked, there are no sensitive passwords lying around to be stolen and allow someone to sign into your account on that site. No matter how good your password is, if the site storing it has poor security practices, it could be stolen by someone and allow them to impersonate you on that site. Not so with passkeys.

3 Likes

Thank you both for these insightful comments. As it happens the Apple keyboard on my Mac mini does not have Touch ID, and although my MacBook keyboard does have Touch ID it almost never recognizes my finger. I have the same problem with Touch ID on the iPad, so it is probably my issue rather than the technology.

I take the point that with passkeys there is less to be concerned about if the site’s security is compromised.

2 Likes

You can use your account password rather than using your finger to authenticate on Sequoia.

Passkeys are also great at preventing a man-in-the-middle attack compared with username / password. That said - passwords work great for me still, and I am not really switching to passkeys, yet. The one time that I did - for my Amazon account - it wanted to use my two-factor authentication to log in, so it’s no better than a password for me. (I’m not sure if that’s the case for other web sites - maybe not. Perhaps I should try with one of my less-important Google accounts?)

1 Like
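The two points made above, that the site only ever holds a public key and that passkeys resist man-in-the-middle (phishing) logins, rest on the same mechanism: the device signs a server challenge together with the origin it is actually talking to. The following Go model is an added illustration, not code from anyone in this thread or from Apple or the FIDO Alliance; the names Register, Assert and Verify, the RP ID "example.com" and the challenge values are constructed for the example, and WebAuthn's authenticatorData is omitted for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Server-side record: only a public key. A breach of this table cannot forge a login.
type Credential struct{ RPID string; PublicKey ed25519.PublicKey }
// Device-side secret (the Secure Enclave / iCloud Keychain in Apple's case).
type Authenticator struct{ rpID string; priv ed25519.PrivateKey }
// Mirrors WebAuthn's clientDataJSON: the signature covers challenge AND origin.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

func Register(rpID string) (Credential, *Authenticator) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errs only if the OS CSPRNG fails
	return Credential{rpID, pub}, &Authenticator{rpID, priv}
}
// Assert models browser + authenticator: the passkey is only usable from the site it
// was created for (real browsers also allow registrable subdomains), so a look-alike
// domain relaying the real challenge gets no signature at all.
func (a *Authenticator) Assert(challenge []byte, origin string) (cd, sig []byte, err error) {
	if origin != "https://"+a.rpID {
		return nil, nil, errors.New("no passkey registered for " + origin)
	}
	cd, _ = json.Marshal(clientData{challenge, origin})
	return cd, ed25519.Sign(a.priv, cd), nil
}

// Verify is the server side: fresh challenge, expected origin, valid signature.
func Verify(c Credential, challenge, cd, sig []byte) error {
	var p clientData
	switch {
	case json.Unmarshal(cd, &p) != nil:
		return errors.New("malformed clientData")
	case string(p.Challenge) != string(challenge):
		return errors.New("stale or replayed challenge")
	case p.Origin != "https://"+c.RPID:
		return errors.New("unexpected origin " + p.Origin)
	case !ed25519.Verify(c.PublicKey, cd, sig):
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}
```

A leaked Credential contains no secret, and a captured assertion is useless against a fresh challenge or from another origin, which is what the thread means by "nothing sensitive lying around" and MITM resistance.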

This is for the case where you don’t have a passkey on the Mac but have it on the iPhone.

I don’t think biometric authentication is required. You can authenticate with your local account password on the Mac, and on an iPhone, with your unlock code.

2 Likes

On Sonoma, also.

1 Like

That’s a quirk specific to Amazon’s site. I recall the company actually mentions it somewhere, probably in a FAQ.

It feels like the implementation of passkeys is currently still evolving. Fastmail’s site works the way I expected passkeys to work.

1 Like

Many helpful points here. Thank you all.

However, I am not convinced that typing my Mac login password, which is long, is an improvement over the password manager which enters the site’s login/password automatically.

The summary for me is that for a marginal increase in security passkeys require more than a marginal decrease in convenience. It’s the usual trade-off.

Is your password manager’s passphrase also not long? I’m not sure there’s a difference. Though I will agree that having a discrete passphrase for a password manager is better than being protected by the passphrase for the device itself. I am hoping that a future update to the Passwords app allows this. (I am in the process of evaluating a change to the Passwords app from 1Password, as it makes things a bit easier in the family to share passwords - my wife will not use 1Password - and presumably if I die first, it will make things easier on my wife and kids, as they are used to using the Passwords app right now.)

That said: I know with 1Password I can change the length of time before it prompts me to re-authenticate. So far I cannot with the Passwords app. I’m not sure how long it takes, but at some point it locks and requires re-authentication. There is no setting to change this time, or prevent it from happening once unlocked. (That’s probably a good thing for almost everyone.)

I think another factor to consider is what passwords are stored in the cloud. A significant security threat nowadays is difficult, if not impossible, to defend against at an individual level: large scale corporate breaches. Another common hard-for-individuals-to-defend-against threat is when customer service workers enable account takeovers either by being tricked through social engineering tactics or through corruption.

So as passkeys become more available, I’d say high value (for example, banking and cryptocurrency) and mission critical (such as a cloud password manager and cell phone) accounts make sense to change to passkeys. I also don’t view passwords and passkeys as a binary choice. If anything, diversifying and compartmentalizing account credentials is a good practice to follow.

Personally, I’ve been experimenting with my PlayStation account over the last few months. The change from password to passkey has been smooth and easy. While I do use 1Password, I will begin switching many of my accounts to Apple’s version of passkeys when I replace my current Mac with a Mac that supports Touch ID.

Yes the PM passphrase is very long but I chose the option to keep the app open until I put the machine to sleep. I realize this is not 100% secure but I rarely use the machine outside my home. I change the setting when I’m traveling.

Agree that one is trusting the security of the PM supplier. As an extra security measure I do not keep any credentials for banks or financial companies in the PM (or Keychain). I simply remember these (and have a secure offline backup).

I follow a similar practice, where I store certain passwords locally and use either an iOS-based authenticator app or a dedicated Google Voice number for 2FA. I only use GV in cases where a site insists on SMS 2FA. I chose GV for this purpose because of its minimal, almost non-existent customer service. It is really, really difficult for anybody to make changes to GV accounts outside of Google’s self-service account management screens.

2 Likes

That’s creative: poor customer service as a security measure!

4 Likes

No website needs to store your password, either. Ever. Using salted+hashed passwords has been best practice since the early 1980’s. If a web site is so horrendously irresponsible as to store plaintext (or inadequately hashed) passwords, then by definition their security is garbage and won’t be improved by passkeys.

Only with people using the latest and greatest Apple products.

Both Apple and Google seem to have leveraged passkeys to implement another layer of vendor lock-in. I suspect that isn’t part of an evil conspiracy, but just an effect of the fact that we’re early in the evolution of the technology.

There are other significant concerns about passkeys that I don’t often see addressed:

On top of that, Apple’s implementation of passkeys puts all your eggs in the Secure Enclave basket. Secure elements from Apple, Google, Microsoft, and Intel have all been compromised already, and will be again in the future.

That’s correct. But it does require people be in the Apple ecosystem in order to share. You cannot just share with anybody unless they have an Apple ID. That’s IMHO a real advantage that arbitrary user/pass still has over this.

1 Like

Indeed. Hadn’t actually realized that myself since all the devices I’ve used it with have either Face ID or Touch ID. But it makes perfect sense since the device passcode is the fallback for when biometric fails or becomes unavailable. Thanks for pointing that out!

No website needs to, but that doesn’t mean it’s not possible, and it can (and does) happen. As does naive hashing. With passcodes, the private/sensitive information is never sent to the website, so you don’t have to rely on their security practices. I’m not advocating for passkeys, simply pointing out that by design they remove the possibility of poor handling of private authentication data by websites and apps.

2 Likes

Well, not quite. It requires devices running iOS or iPadOS 17 or later, or macOS 14 (Sonoma) or later. It’s not just iOS 18 and macOS 15, and iOS 17 and Sonoma support devices going back 6-7 years.

1 Like