Where I Rank Passkeys Security-Wise
Phishing-resistant MFA implementations of passkey are pretty secure.
I Love Passkeys
I do love passkeys. I really do. I love anything the FIDO Alliance puts out (https://fidoalliance.org/). I talk more about my love of FIDO here: What Is FIDO And Why Is It Good Authentication? https://www.dhirubhai.net/pulse/what-fido-why-good-authentication-roger-grimes.
I like FIDO for dozens of different reasons, but my three primary reasons for loving anything FIDO are:
· FIDO solutions are phishing-resistant
· It is a well thought out standard
· They are the only authentication vendor I am aware of to publicly publish their threat model, mitigations and vulnerabilities, which makes me trust them more (not less)
I love passkeys themselves. I have been promoting them since last October: You’ll Likely Be Using a Passkey Soon https://www.dhirubhai.net/pulse/youll-likely-using-passkey-soon-roger-grimes/.
Passkeys allow you to use strong asymmetric cryptography instead of passwords (and their incumbent problems) on any site or software which supports them. Right now, that means on Apple, Google and Windows devices (with the appropriate newer versions and support). Unfortunately, site support is still very limited. I had a hard time finding 10 sites that worked with passkeys. I expect that to change because using passkeys on a mobile device is exceedingly easy to do. It’s no-brainer easy to do. More and more sites should start to support passkeys.
Passkeys are better than passwords. But they aren’t perfect for every scenario. I wrote about those scenarios in more detail here: https://www.dhirubhai.net/pulse/i-love-passkeys-perfect-every-situation-roger-grimes.
In a nutshell, if the version of passkey you are using isn’t using phishing-resistant MFA, you should use phishing-resistant MFA instead. I’m a big believer in the security power of phishing-resistant MFA. Here’s a list of all the phishing-resistant MFA I’m aware of: https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes.
If your passkey implementation is using phishing-resistant MFA, then I think it’s great. Use it.
So, where do I rank passkeys in the grand scheme of authentication? Well, here: