Neatnik

Passkeys are not passwords

Passkeys have been a thing for a little while now, and if you know me you know that I’m a big fan of the technology. They bring the power of public-key cryptography to individual website authentication, and they do it in a way that (usually) feels like magic. It’s pretty awesome stuff.

One thing I see a lot of people (even really smart people) doing is trying to treat passkeys like passwords. This usually takes the form of complaints related to portability: some folks want to be able to export their passkeys so they can move them between devices or password managers, while others want to be able to use the same passkey on different websites (as you can do with SSH keys). Doing either of these would require access to the private half of your passkey (a passkey is a public-private key pair), and that’s where the problem lies.

I understand the desire here, but passkeys are not passwords. They’re also not SSH keys. They’re something truly unique, because baked into their design is the requirement that they be unphishable. And the only way you can have something that’s completely resistant to phishing is to make it impossible for a person to provide that data to someone else (via copying and pasting, uploading, etc.). That you can’t export a passkey in a way that another tool or system can import and use it is a feature, not a bug or design flaw. And it’s a critical feature, if we’re going to put an end to security threats associated with phishing and data breaches.
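As an added illustration (not code from the original post), here is a simplified Go model of the assertion a passkey produces under WebAuthn: the authenticator keeps the private key and only hands out signatures, and the browser, not the page, records the origin in the signed client data, so an assertion obtained on a look-alike site fails verification at the real service. This goes a step beyond the post by showing origin binding alongside key non-exportability; the relying-party ID, origins and challenge values used with it are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator is a simplified model of a passkey: the private key stays
// inside it and it only ever hands out signatures, never the key itself.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party the credential was registered for
}

func NewAuthenticator(rpID string) *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, rpID: rpID}
}
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assertion is what the relying party receives back from the client.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// digest hashes authenticatorData || sha256(clientDataJSON), the message
// the authenticator signs and the relying party verifies.
func digest(authData, clientData []byte) []byte {
	h := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// Sign models browser plus authenticator: the browser writes the origin it is
// really on into clientDataJSON (the page cannot choose it); the authenticator
// puts sha256(rpID) into authenticatorData and signs over both.
func (a *Authenticator) Sign(origin, challenge string) Assertion {
	cd, _ := json.Marshal(map[string]string{
		"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest(authData, cd))
	return Assertion{authData, cd, sig}
}

// Verify is the relying-party check: type, challenge, origin and rpID hash
// must all match this RP's expectations before the signature is checked.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as Assertion) bool {
	var cd struct{ Type, Challenge, Origin string }
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin ||
		len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(as.AuthData, as.ClientDataJSON), as.Signature)
}
```

Because the signed message covers the origin and the challenge, neither an assertion captured on another origin nor one with its client data rewritten afterwards will verify, and the user never had a secret they could have handed over.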

We’re used to having access to our private keys for things like PGP/GPG and SSH keys. And we’re not used to carrying around data that we’re not allowed to access or back up by design. Because passkeys go against the grain of these expectations, it’s natural to want to change how they work. But what we really need to do is change our expectations.

The best way to use passkeys is to not worry too much about them. Set them up on the devices that you routinely use with the services that you routinely use. It’s OK to have more than one for any given service. If you change devices and you’re not using an implementation that syncs your passkeys, use the email sign-in fallback that nearly every service offers and then set up a new passkey afterward. And then go on with your day, knowing that your accounts are safer than they’ve ever been before (especially if you’ve removed your password, if the service allows for that).