Passkeys vs Hardware Keys - Which One Works Best For You?
The term passkey is becoming more relevant. With companies starting to support passkeys to replace passwords, you probably have a ton of questions.
I answered a lot of those questions in my last passkey video [link], so today let’s focus on the difference between syncable passkeys and hardware-bound passkeys. Why should you choose one over the other, and is one of these choices best for everyone, or does it depend?
To review, passkeys are a new term for FIDO2 credential-based authentication. They are built to replace passwords, and they use public key cryptography to secure your accounts. Instead of a website asking you to type in a password to log in, you’ll authenticate via a passkey, which you can think of as a special key that resides inside a physical device like your smartphone or on a hardware security key. On a phone, you’ll have to use biometrics or another unlocking mechanism to allow the login to happen, and the passkey itself is never sent to the website. The website only looks for a signed “ok” from your device to log you in - it never actually sees the passkey, and neither do you, because it’s a private key that resides in your device. That means attacks like brute forcing and phishing wouldn’t work, since proximity to the device is a requirement for a passkey, and you aren’t memorizing anything that could potentially be given to an attacker. There’s nothing to type in, so no one can steal a plaintext password from you.
Of course, there are still caveats and things you have to consider, and I’ve outlined those in my previous video and will be delving more into the pros and cons in another video in this series.
There are several physical devices that can be used to log in with passkeys. For example, newer smartphones can be set up as the device that stores your syncable passkey. But smartphones aren’t the only devices for passkey authentication. As mentioned earlier, hardware security keys CAN BE USED for passkey authentication. In fact, some devices, like the YubiKey, have supported passkeys (FIDO2 credentials) since 2018, so if you're a YubiKey user, you’ve already been using passkeys and probably didn’t know it. This is because passkeys can be implemented as hardware-bound credentials, or they can be synced to an encrypted cloud for use across devices. If you stopped here and said “wait, what?”, pause this video - watch my video explaining passkeys, then come back.
Yubico is sponsoring this passkey educational series of videos, which gives me a great opportunity to show you how passkeys can work and why you should still be using hardware security keys for multi-factor and passwordless authentication. Even though syncable passkeys are the new thing, few websites have implemented them so far. That means your best bet to protect your online accounts is still going to be multi-factor authentication, and as we all know, FIDO-based hardware security keys are the best option because they are phishing resistant.
Since YubiKeys already support passkeys, that means you could use one physical hardware key for your passkeys and as your FIDO U2F authenticator (meaning you could still use the key for two-factor authentication wherever passkeys aren’t implemented yet, and where hardware keys for 2FA are supported). So you could potentially use one key for all your most vulnerable and sensitive sites, like your email, social media accounts, password managers, and OS or workspace accounts, whether they use 2FA or passkeys.
Yubico is hooking y’all up with a coupon code, too! Use the code SHANNONMORSE for $5 off any YubiKey 5 Series hardware key and get a head start on passkeys for the next generation of security. It is important to note that it is best practice to have at least two keys, a primary and a backup.
So, one major question I’ve seen floating around the web is this: do passkeys make hardware keys obsolete? Easy. No, they don’t. Remember, YubiKeys have supported passkeys for some time already. If you compare the two ways you can set up passkeys, you can either set them up on a hardware key, like a YubiKey, or you can set them up via software so your passkeys get synced to a cloud backup, in which case you also have to secure that cloud account. Depending on whether this is for yourself or for employees across an organization, understanding the threat model is important. One may work better than the other, or you may choose to use a hardware option for some accounts while just using a software-bound key for other accounts - and that’s totally acceptable, because everyone’s lifestyle is going to be different, so one use case isn’t going to work for everyone.
So the question isn’t really “do passkeys make hardware keys obsolete”, but “who should be using a passkey on a smartphone, and who should be using one on a Yubikey?”.
And that answer totally comes down to your own threat analysis, convenience, and whether this is for personal or business purposes, which may require a higher level of assurance. I’ve mentioned the term threat analysis before, but this basically just means that you evaluate the degree of threat to your systems. Take for example someone working at a bank: their threat analysis probably comes out higher, because a hacker might target an employee of that bank to try and steal login codes. My threat analysis is high because people try to hack into my social media accounts every day, and those accounts are a part of my job as a content creator. You should consider what kind of information you have access to and whether that is data someone could use for malicious purposes. If your answer to that is “ooo, yeah, I could be a target”, then you may want to consider strengthening your login security with a security key.
Then we have convenience. How convenient do you want your logins to be? If you think using a different password for every website you visit isn’t convenient enough… hi, welcome to my YouTube channel, please start using different passwords everywhere and use a password manager so you don’t forget them. But also - passkeys will make this a lot easier for you, because each website will generate its own unique passkey on your device once it’s available, so there won’t be anything for you to remember, and each site will have its own unique login.
Meanwhile, MFA will continue to be extremely important, and I find a YubiKey to be so much more convenient than using codes on my phone, because I just tap the key to log in and there are no six-digit codes to type in, assuming a site is using the correct protocols. I also think a YubiKey will be more convenient for me because I review a lot of phones for my YouTube channel, and creating passkeys on each new phone when I switch them might be annoying.
Coming up on my channel, I’ll break down the pros and cons of passkeys in more detail, and walk you through setting up passkeys in several different ways. So please leave your questions in the comment section!
If you like this video and you want to see those upcoming videos, a subscribe would mean a lot to me. I use subscriptions as an indicator that I am actively building an audience here who is interested in these topics, and it lets me know you find value in this kind of content.
Thank you again to Yubico for sponsoring this series! Bye y’all!