I’m starting to see sites offering passkeys. There’s a good explanation at this link of what passkeys are, how they work, and why they’re even better than passwords with two-factor authentication.
If you’ve begun using passkeys, what has been your experience?
I use passkeys whenever available and so far very few problems. I save them in 1Password which I’ve used for about 2 years. Passkeys are more convenient and safer but they’re most convenient when using the phone rather than web. Still plenty of places use 2-factor and they almost all allow the use of an authenticator app for the 2nd factor rather than email or text. I expect the shift to passkeys will take several years but will continue since passwords alone are so weak and many people can’t handle 2-factor.
I use Face ID on Apple devices as I figure it is at least as secure as a password.
I use 1Password for non-financial sites. LastPass got hacked so I switched.
I am very worried about security on financial sites, and I suspect we will not hear if Schwab or Fido gets hacked.
Isn’t it interesting that Schwab seems to have dropped voice ID? Maybe too easy for AI to crack?
I’ve used them, so-so. If you stay inside an ecosystem (like Face ID on my iPhone) it’s fine. When apps start trying to use it, it’s not always a success. When I’m on a browser on my laptop, heavy failure rate (it just kicks me back to password).
Isn’t it preferable to have 2FA, as multiple hurdles tend to work better than the all-the-eggs-in-one-basket approach? (Are they really asking us to trade security for convenience?)
What happens if you have an accident and your fingerprint changes or your face changes, do you suddenly lose access? Or is it sophisticated enough to work around these challenges?
Last, what’s the compelling interest of the developers? Is this something they’ll give away until it eliminates competition and then charge $11.99/month? If they posted that they were committed to keeping it free in perpetuity I’d be more excited.
Thank you for your comment. That’s a lot for me to explore — which I will.
Could you give one or more examples of an app that kicked you back to your password?
As for two factor authentication, it so often relies on phone call or text that I worry about the phone getting misplaced, stolen, or hacked.
On another note, passkeys are actually meant to be not only more convenient but also more secure than passwords, since even if the site’s portion of the passkey were stolen in a hack, it would be useless without your device’s stored portion of the passkey plus your personal verification (e.g., face ID, touch ID, device startup passcode), and you could then just set up another passkey at the site.
Would you believe them? Remember “do no evil”?
I also fail to see how it would work on my desktop, which is what I use for my finances.
My understanding is that whatever passcode you use to start up your desktop computer could be your choice for the passkey verification.
I don’t use one. It starts up just fine without. I do have two “accounts” (?) on it, and one does require a password. I’m still running Windows 10, maybe that will change when I have to upgrade.
If you have a set of Yubikeys you’ve been using the same tech as passkeys for a while. Both use similar industry standard protocols from the same standards body.
If you go the passkey route, be sure to use a consistent place to store them. We’ve been using Dashlane, the password manager, which stores passkeys as well as passwords on desktops and mobile, and with most web browsers.
Finally, it’s wise to enable two factor authentication with anything storing sensitive things like passkeys or passwords. And be sure to share a secure note with your executor telling them how to get in when you leave this vale of tears.
It’s interesting you mentioned Yubikeys. When I first read about them, my immediate reaction was no thanks — the last thing I want is another hardware device that could fail or get lost or hacked.
That’s one of the reasons I’m interested in passkeys. Instead of an additional device to keep track of, to access the site the passkey system uses the same device (desktop computer, tablet, phone) I’m already using anyway.
I recently checked and few/none of the financial institutions I deal with are adopting passkeys. Mostly retailers, social media etc.
As to password managers, yeah, letting a company store them online seems like a recipe for disaster, but there are on-your-device-only options like KeePassXC.
I’m in the process of setting up a PC from which I will manage all $ things. Usually not even connected to network.
Even if financial institutions are slow to adopt passkeys, I’d be happy to use passkeys on other sites just so as not to have to keep track of those (many!) passwords anymore.
I saw that Google now offers passkeys, and with the widening availability of “Sign in with Google” I figure the era of passkeys is coming…
See the FIDO Alliance for an up-to-date list of sites that support passkeys.
I haven’t used a passkey. I am just concerned that if the company gets hacked they potentially have access to all my accounts. If the federal government, and major corporations including healthcare companies are hacked regularly then so can a passkey company.
FYI, my information has been compromised three times (including one of the major credit bureaus) and as a result I have three different companies monitoring my information.
It sounds like you’re talking about a master password for a password manager. That’s different. Like you, I don’t use a password manager because the company might get hacked.
A passkey system stores your half of the generated (long and complicated) password on your device. Only you can unlock your device with, e.g., your face ID, touch ID, or the passcode you use to start your device. Then the system retrieves your half from your device and if it matches the half for the website, you’re in.
Oh, OK, thanks for the clarification.
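The following is an added example, not part of any forum post: a simplified Node.js sketch of the sign-in exchange behind the passkey descriptions in this thread, in which the site keeps a public key, the device keeps the matching private key, and each login signs a fresh random challenge. It is not the real WebAuthn protocol; the function names are made up for illustration and the P-256 key type is an assumption.

```javascript
// Added illustration of a passkey-style login; simplified, not real WebAuthn.
const nodeCrypto = require('node:crypto');

// Registration: the device makes a key pair and sends only the public key.
function registerPasskey() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    device: { privateKey },     // never leaves the device
    siteRecord: { publicKey },  // all that a breach of the site exposes
  };
}

// Site: a fresh random challenge per login attempt.
function newChallenge() {
  return nodeCrypto.randomBytes(32);
}

// Device: sign only after the user unlocks it (Face ID, Touch ID, passcode).
function deviceSign(device, challenge, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  return nodeCrypto.sign('sha256', challenge, device.privateKey);
}

// Site: check the signature against the stored public key.
function siteVerify(siteRecord, challenge, signature) {
  return nodeCrypto.verify('sha256', challenge, siteRecord.publicKey, signature);
}

function runDemo() {
  const { device, siteRecord } = registerPasskey();
  const c1 = newChallenge();
  const sig1 = deviceSign(device, c1, true);
  const legitimate = siteVerify(siteRecord, c1, sig1);

  // Someone holding only the site's record has no matching private key;
  // a signature made with any other key is rejected.
  const other = registerPasskey().device;
  const c2 = newChallenge();
  const stolenSiteRecord = siteVerify(siteRecord, c2, deviceSign(other, c2, true));

  // An old signature does not fit a new challenge.
  const replayedSignature = siteVerify(siteRecord, c2, sig1);

  let withoutUserVerification = true;
  try { deviceSign(device, c2, false); } catch { withoutUserVerification = false; }

  return { legitimate, stolenSiteRecord, replayedSignature, withoutUserVerification };
}

console.log(runDemo());
```

Only the first result is `true`: the site's stored record lets it check a login but not perform one.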