Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.
Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.
Am not buying the idea. It sounds great on paper but in reality it doesn’t feel better. So idea is you have private and public keys, like many other forms of encryption out there. Private is stored on your device, and public is stored on account holder, like Google. Since keys are mathematically linked anything signed with private key can be verified by public key and vice-versa.
This is great technology and has been proven for decades now. It essentially means your device and account holder can exchange data without anyone ever finding out your private key since it never leaves your device.
However, issues. Keys are backed up somewhere and still depend on password, be it pin or regular old password. Recovering lost key means using password still. That means attack vector has just shifted and they won’t try to steal your key but social engineer their way into phishing your original password, making the whole thing a bit pointless.
Another things that worries me is the possibility each device will have its own key, although they claim transferable. Depending on what data is used to authenticate and prove device is owned properly this can be used to fingerprint users. For example IMEI or some other unique id, etc. Something that’s not easily done with passwords.
Biggest one is the fact it will negate two factor authentication. Verifying code on your phone and knowing password is difficult to exploit since it requires a lot of effort… possession of the device and knowledge of password. But with passkeys, there’s no password to remember and everything boils down to owning a device. They are then relying on the OS and device itself not to leak sensitive information. Not something I’d rely on.
Also, private key being backed up on Google means should they ever leak data someone can get everything they need to access your account. Private keys being protected by simple pin or password means nothing and would probably be easily broken due to simple nature of the protection.
Am not convinced this will see such high adoption as so many are claiming it will have.