
Doesn't that mean your passkeys are now about as secure as a regular password?


Passkeys are highly phishing resistant in a way that passwords are not and are not subject to credential reuse (though password managers somewhat solve the first problem and almost entirely solve the latter problem.)

In effect, though, 1Password is both something you have (the device with 1P logged in, login requires a Security Key that you don't memorize) and something you know (the master password) or are (typically biometrics can be used to unlock for a period after entering the master password.)


How do password managers solve phishing issues? Even just somewhat?


Your password manager will autofill your credentials on the real site but not on a phishing site.


Ah true. Didn't think of that. Good point.


No. The service you are logging in to does not hold the keys so they can't be leaked, passkeys do not get reused between services, it's effectively impossible to fall for phishing attacks with passkeys, and it's effectively impossible to fall for scammers trying to get your keys since there isn't any mechanism to directly dump the private keys out.

Pretty much all the problems related to passwords are solved by passkeys, having them synced between your devices does not impact that.


A passkey is a public-private keypair strongly tied to a specific site. Sites never have access to the private key, and the key will never be presented for use on the wrong site. Those two advantages remain even if the passkey is stored in software or synced over the cloud.


That's my impression as well, and the nature of computing today /encourages/ putting passkeys into some container that means that they can be accessed from other pieces of hardware at different locations.


Don't know about you, but my passwords were already secure enough anyway.


From a practical perspective, passkeys are mostly identical to passwords where (1) secret generation is guaranteed to be strong, random, and unique; (2) they're tied to a specific site, so they can't be phished; and (3) filling is standardized and therefore ergonomic. If your passwords have those properties, passkeys aren't really an improvement for you. The main benefit to savvy consumers is that websites can trust that your passkeys are actually high quality and treat them as a primary authentication mechanism, instead of only a weak factor in an MFA system. And of course the huge huge benefit to most (unsavvy) consumers is that, you know, they're actually secure/unique and phishing-resistant.


Normal passwords can be phished, no matter how strong they are. The weak link is always a careless human. Passkeys are definitely a huge improvement for everyone, apart from the vendor lock-in, which can be avoided.


You can get around it, of course, but password managers are aware of the correct domain for a password and will only auto-fill it into a form on the right domain. This is phishing-resistant. I'm not saying it's perfect, and I'm a big passkeys advocate. But "randomly generated password auto-filled by 1password" already meets many of the same benefits as passkeys, kinda, so long as auto-fill works on that particular website. Passkeys, in addition to stronger versions of those properties, also provide (1) ergonomics/standardization ("fill" works everywhere) and (2) sites can trust them to be strong.
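The origin binding that several comments above rely on (the site never holds the private key, the key is only ever used for the site it was created for, and a password manager only fills on the saved domain) can be made concrete in code. The following is an added Go example written for this page; it is not code from the thread, from 1Password, or from any WebAuthn library. It models the three parties of a WebAuthn assertion (software authenticator, browser, relying party) with standard-library Ed25519 and constructed sample data: `example.com` is an invented relying party, the RP ID rule is simplified to "same host or subdomain" (real browsers also consult the public-suffix list), and authenticator data is a flat byte layout without the signature counter or CBOR encoding a real implementation uses. `managerShouldFill` applies the same host rule a password manager uses before auto-filling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// hostMatches: host is rpID itself or a subdomain of it (simplified RP ID rule, no public-suffix list).
func hostMatches(host, rpID string) bool {
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// managerShouldFill models a password manager: fill only on the host the entry was saved for, over https.
func managerShouldFill(savedURL, pageURL string) bool {
	s, e1 := url.Parse(savedURL)
	p, e2 := url.Parse(pageURL)
	return e1 == nil && e2 == nil && p.Scheme == "https" && hostMatches(p.Hostname(), s.Hostname())
}

// authenticator models a software passkey store (e.g. a synced vault): one key pair per RP ID.
// The private half is only used inside assert() and is never handed to the caller.
type authenticator struct{ priv map[string]ed25519.PrivateKey }

// assert signs authenticatorData || sha256(clientDataJSON), the WebAuthn assertion layout.
func (a *authenticator) assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	priv, ok := a.priv[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for RP ID %q", rpID)
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present); counter omitted here
	sig = ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	return authData, sig, nil
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// browserGet models the client: it refuses an RP ID the page origin may not claim, and it
// (not the page) writes the real origin into clientDataJSON before the authenticator signs.
func browserGet(a *authenticator, origin, rpID, challenge string) (cd, authData, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil || !hostMatches(u.Hostname(), rpID) {
		return nil, nil, nil, fmt.Errorf("origin %q may not use RP ID %q", origin, rpID)
	}
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData, sig, err = a.assert(rpID, cd)
	return cd, authData, sig, err
}

// relyingParty is the server: it holds only the public key plus the challenge it last issued.
type relyingParty struct {
	rpID, origin, challenge string
	pub                     ed25519.PublicKey
}

// verify performs the server-side checks that make a passkey login phishing-resistant.
func (rp *relyingParty) verify(cd, authData, sig []byte) error {
	var c clientData
	want, cdHash := sha256.Sum256([]byte(rp.rpID)), sha256.Sum256(cd)
	switch {
	case json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get":
		return errors.New("malformed clientDataJSON")
	case rp.challenge == "" || c.Challenge != rp.challenge:
		return errors.New("stale or replayed challenge")
	case c.Origin != rp.origin:
		return fmt.Errorf("origin mismatch: assertion was made on %q", c.Origin)
	case len(authData) < 33 || string(authData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch")
	case !ed25519.Verify(rp.pub, append(append([]byte{}, authData...), cdHash[:]...), sig):
		return errors.New("bad signature")
	}
	rp.challenge = "" // a challenge is single use
	return nil
}

// loginFrom runs one complete ceremony from a page at origin and returns the server's verdict.
func loginFrom(rp *relyingParty, a *authenticator, origin string) error {
	b := make([]byte, 32)
	rand.Read(b)
	rp.challenge = fmt.Sprintf("%x", b)
	cd, ad, sig, err := browserGet(a, origin, rp.rpID, rp.challenge)
	if err != nil {
		return err
	}
	return rp.verify(cd, ad, sig)
}

// setup registers one passkey for the constructed sample RP example.com in a fresh store.
func setup() (*relyingParty, *authenticator) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := &authenticator{priv: map[string]ed25519.PrivateKey{"example.com": priv}}
	return &relyingParty{rpID: "example.com", origin: "https://example.com", pub: pub}, a
}
```

Running `loginFrom` against `https://example.com` succeeds, while a lookalike such as `https://examp1e.com` never obtains an assertion at all: the browser refuses to let that origin claim the `example.com` RP ID, and the authenticator has no key for `examp1e.com`. Even a client that bypasses the browser and asks the authenticator directly for an `example.com` assertion cannot turn it into a login elsewhere, because the server compares the signed origin and rpIdHash against its own and rejects the mismatch, and the signed challenge makes a captured assertion worthless a second time. None of these checks depends on where the private key is stored, which is the point made above about synced passkeys.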



