Feed
 

Passkeys

Avatar Rick Churchill
I have read in several magazines of the desirability in terms of security of using passkeys rather than using passwords with 2 part authentication or worse just passwords.

It seems to me that using passkeys although secure for each website it is used on, there are some flaws.
1. One is that if access to your computer or any of your connected devices is obtained then ALL the sites are compromised. So it is imperative that your devices cannot be left in an “open” state. i.e. snatched out of your hand by a passing thief.

2. My devices have a “back door” password which the devices often ask for when the fingerprint/facial recognition doesn’t work. Does this ONE password now open all websites?

3. I have older devices round my house which are open with a simple password and would like them not to be able to access the “password library”

Perhaps the passkey also requires fingerprint/facial recognition.

4. Does each website that uses passkeys also have another way of accessing the site if the passcode fails? Do they also require password access too?

I am probably missing something and should have attended when the topic was raised at at one of our meetings

Re: Passkeys

Avatar Mick Burrell
Passwords are primarily 'discovered' when a website you use is hacked. Hackers may well try it on other sites to see if you've used it there too.

Passkeys are stored on your device(s) and synchronised using iCloud. Someone would need one of your devices to use one. So much safer - someone getting access to your device is much less likely.

However, every site for which I've set up a Passkey still allows access using the password! To me that defeats the object. If the site is hacked and my password revealed, my passkey doesn't help me.

Re: Passkeys

Avatar Tony Still
I haven't ventured into passkeys yet (until recently there were immaturities and standards problems that I wasn't happy about). Also, I believe they demand the use of iCloud Keychain that I also was not entirely happy about (though I think my reservations there are now out-dated).

However ... Passwords here does demand a biometric check (FaceId or whatever) before allowing access to Passwords (so presumably to Passkeys too). If you are careful to close Passwords after every use then the "snatch" scenario becomes unlikely. This still leaves your issue 3 of simple passwords though.

My current solution (this is not a recommendation, just for info) is an encrypted Numbers file that lives on iCloud Drive. Clunky to use but I keep frequently used low-value passwords in Passwords. I do have manually to close the Numbers file after each use too.

PS In looking at this issue on iOS 26 I found a setting that I've not seen before: in Settings > Apps > Passwords there is 'Allow Automatic Passkey Upgrades'. It was set to 'On' which must be the default; I've turned it off so Passkeys can't just appear. I don't want to be a luddite, Passkeys do have valuable improvements and I look forward to a time when log-in authorisation "just works" but, given its importance, I'd like to take small and recoverable steps towards it.

Re: Passkeys

Avatar Tony Still
Ha - Mick was typing at the same time as I was replying (above).

To be controversial: if web sites correctly store passwords (salted and strongly encrypted) then I don't rate the chances of anyone who steals the password file!

Presumably those websites allowing Password access as well as Passkey will eventually remove the former. Obsolete/fallback access mechanisms are a classic security weakness (just ask Microsoft).
 
Feed