Passkeys are the next step in the evolution of password managers. Today password managers are a bit of a hack—the password text box was originally meant for a human to type text into manually, and you were expected to remember your password. Then password managers started automating that typing and memorization, making it convenient to use longer, more secure passwords. Today, the right way to deal with a password field is to have your password manager generate a string of random, unmemorable junk characters to stick in the password field. The passkey gets rid of that legacy text box interface entirely: it stores a secret, uses that secret to authenticate to a website, and if the check passes, you’re logged in. Instead of passing a randomly generated string of text, passkeys use the “WebAuthn” standard to generate a public-private keypair, just like SSH.
The issue really is about where that private key resides. The article linked below does expand a bit more on the practical use of passkeys, but there are still some open questions. What if you don’t always have that same mobile device with you, or what if you switch that device from Android to iOS? I have well over 800 website logins, and I’m certainly not re-logging into each of them to convert from one device to another. I want to at least be able to transfer my private key to the next device and continue seamlessly from there.
I’m still waiting for clear answers to that before I dive into Google or Apple’s passkey ecosystem, as I don’t want to be locked into either of them.
See https://arstechnica.com/gadgets/2022/12/rip-passwords-passkey-support-rolls-out-to-chrome-stable/
#technology #passkeys #passwords #security