Passkey confusion
Comments
-
Vitor said:
> - What happens if your phone is lost or stolen?
>   You log in with your credentials, satisfy the 2FA with the backup method and regenerate the passkey to store on your new phone.

So a passkey does not replace the password and 2FA, it is just used instead? (Unless you need to regenerate it because of a lost device, for example, in which case the password and 2FA are still available.)
-
km1500 said:
> Vitor said:
> > - What happens if your phone is lost or stolen?
> >   You log in with your credentials, satisfy the 2FA with the backup method and regenerate the passkey to store on your new phone.
>
> So a passkey does not replace the password and 2FA, it is just used instead? (Unless you need to regenerate it because of a lost device, for example, in which case the password and 2FA are still available.)

Sort of. I have no passwords set for my main Google and Outlook accounts, just passkeys. I could have chosen to have both but that rather negates the additional security that passkey access provides.

I'd like to replace my Bitwarden password access too, but it's not clear yet (at least to me) if that's fully supported.
-
So how would you regain access to your main Google and Outlook accounts if for some reason you no longer had the devices that the passkey was on?
Why would you not have a strong password as back up?
-
km1500 said:
> So how would you regain access to your main Google and Outlook accounts if for some reason you no longer had the devices that the passkey was on?

The passkeys live on two phones, a tablet and two laptops. Agreed that I'm in trouble if I need to access the accounts when without any of the devices, but when does that ever happen? I cannot remember the last time I needed to access these accounts outwith my own devices. I would have to revert to account recovery with Google/MS if it was required.

km1500 said:
> Why would you not have a strong password as back up?

It's a weakness. Passwords stored on providers' servers can be compromised (although you'd hope MS and Google would be safer than most); password managers ditto. TBF, most passwords stored on servers are encrypted but I bet a fair few are not.

Passwords can be copied as you enter them into your device: eyeball, camera, key-logging malware.
-
Even in a “passwordless” scenario, Google expects you to have at least one alternative way of proving who you are. If you haven’t set up any recovery options (such as a recovery email or phone number), account recovery can become very difficult or even impossible. That’s why Google strongly recommends setting up a recovery email and phone number, even if you’re using passkeys.
If you’re especially concerned about security, avoid syncing passkeys through cloud services like Apple iCloud Keychain, Google Password Manager or BitLocker and instead use a FIDO-compliant hardware key (such as a YubiKey). This way, the passkey remains securely stored on the hardware key and never leaves the device’s secure enclave.
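The distinction drawn in the post above between synced passkeys and a passkey held on a hardware key is visible to the website itself: WebAuthn authenticator data carries backup-eligible (BE) and backup-state (BS) flag bits. The following is an added example, not part of the thread, of a relying-party check that reads them; `example.com`, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticator data flags byte.
UP, UV, BE, BS = 0x01, 0x04, 0x08, 0x10
RP_ID = "example.com"  # assumed relying-party ID, for illustration only


def parse_authenticator_data(auth_data: bytes, rp_id: str = RP_ID) -> dict:
    """Parse the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if flags & BS and not flags & BE:
        # BS=1 with BE=0 is not a permitted combination; reject it.
        raise ValueError("backup state set on a credential that is not backup eligible")
    return {
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),
        "backup_eligible": bool(flags & BE),
        "backed_up": bool(flags & BS),
        "sign_count": sign_count,
    }


def classify_passkey(info: dict) -> str:
    """Map the BE/BS bits onto the storage models discussed in the thread."""
    if not info["backup_eligible"]:
        return "device-bound"  # single device, e.g. a hardware key
    return "synced" if info["backed_up"] else "syncable, not yet backed up"


def sample_auth_data(flags: int, sign_count: int = 0, rp_id: str = RP_ID) -> bytes:
    """Build constructed authenticator data for the demo (not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)


if __name__ == "__main__":
    for flags in (UP | UV, UP | UV | BE, UP | UV | BE | BS):
        info = parse_authenticator_data(sample_auth_data(flags, 7))
        print(f"flags=0x{flags:02x} -> {classify_passkey(info)}")
```

A site that wants hardware-key-level assurance for an account can require the `device-bound` result together with `user_verified`, and treat a change from device-bound to synced on an existing credential as a signal worth reviewing.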
-
Vitor said:
> Even in a “passwordless” scenario, Google expects you to have at least one alternative way of proving who you are. If you really haven’t set up any recovery options, account recovery can become very difficult or even impossible, that’s why Google strongly recommends setting up a recovery email and phone, even if you’re using passkeys.

Yes, this. Ditto for Outlook/Hotmail. I make the recovery email to be on a different provider, not just another account on e.g. Gmail. Just feels more resilient.

You'd hope that the other email providers encourage/insist on same.
