After all the passwords vs passkeys discussion in episodes 965 and 966, I'm still unsure of why and whether to proceed with a migration from password+TOTP to passkeys. Here are my unorganized separate thoughts. I hope someone could point out some benefit of passkeys that I've missed.
One thing that wasn’t really mentioned in those SN episodes is that passwords are strongly hashed, presumably at least with an account-unique salt, on high-value websites like Gmail, banks, iCloud, etc. SN listeners are likely to use very strong passwords — so even in possession of a password hash an attacker would have a hard time actually cracking its password. At the very least, attackers would have to selectively target individual accounts for expensive password cracking.
If a website is not salting and hashing passwords properly in the first place, how likely would it be to implement passkeys? Maybe someday they would, but for now passkeys don't seem like they'd replace many poorly-implemented websites' passwords.
It seems to me that a passkey in a password manager vault is a "single factor." After a password manager vault breach (like LastPass) using passwords with a separate 2nd factor (separate TOTP or hardware dongle) seems more secure than single-factor passkeys. Or have I missed something? Are passkeys stored in a compromised password vault more secure somehow than the passwords in the same vault?
In summary, though more convenient, I don't really see how passkeys are that much more secure than password+TOTP on either the client or server side. If a website’s password store is breached, passwords are protected with salted hashing (a passkey is better, but a strongly hashed long unique password is still relatively safe). If a password manager vault is breached, accounts would be safer with a separate TOTP/dongle 2nd factor than with a passkey alone.
For now, passkeys seem like a good way to greatly increase the security for users who otherwise don't use a password manager. I'll experiment with passkeys for a few low-value accounts but it seems way too early to start moving all my accounts to passkeys.