Passkeys Vs Passwords & MFA - Weighing the Pros and Cons!
As part of my ongoing research and study into passkeys, I also wanted to delve into the pros and the cons of using [show private key and public key graphics] passkeys vs using [01] passwords + [02] MFA for account security, and show you a couple of demos to explain the differences. Over the past couple of months, I’d really delved into understanding passkeys as the next generation of account authentication and security so if you aren’t familiar with passkeys, you can follow along with my passkey series on my channel.
[yubico logo lower third] Yubico is sponsoring this episode and I’m working with them to learn all about passkeys. This is an ongoing series that explains what passkeys are, how they work, and the different types of passkeys that can be used. With Yubico, my intention is to be on the cusp of this new security method, since this will likely be our very-near future. Stick around to snag a coupon code from Yubico, and learn how you can use their keys for both multi factor authentication, as well as passkeys!
So in this [03] ultimate showdown between passwords and MFA vs Passkeys, which one is best? Let’s dive into the pros and cons of both to find out.
First up is passwords. These have been around in some form or another long before even the internet was a thing - long before I was [04] downloading music on my dad's computer in the 1990s on dial up… You know the drill. [05] Passwords are strings of characters you've created and remembered to prove your identity or authenticate with an online account. You create them in your mind or you can generate them in a password manager, and you either remember them using your own noggin' or you stick 'em all in a notebook or password manager.
Add in [02] MFA or multi factor authentication. You input a password and a website asks you for a six digit code that is either sent to your phone via text (which is the least secure option because of SIM swapping), generated in an app on your phone (like [06] Google Authenticator or [07] Authy), or your MFA is a security key, like a [08] YubiKey that you plug into your device and tap to prove you not only know your password, but you also have access to a physical thing that you have to have in your possession to enter.
The PROS of PASSWORDS: [bulleted list on screen - see B-roll list from Notion] Passwords are extremely familiar. We've used them for ages, and they're flexible. You can generate them with tons of creativity - like combining uppercase and lowercase and numbers and special characters. You can make passwords extremely long - hundreds of characters, even. And they work on all of your devices, as long as there is some sort of human interface device - like a physical keyboard, or an on-screen keyboard.
The CONS of PASSWORDS: [bulleted list on screen - see B-roll list from Notion] Passwords can be somewhat weak, though. Weak passwords – think 'password123' – are like leaving your front door wide open for hackers. And don't get me started on password reuse! If you use the same password for everything, it's like using the same key for your home, car, and secret vault. Even longer passwords can be cracked using today’s technology, and we often don’t know how a website is actually storing our passwords. While they should be encrypted, many sites leave passwords in plain text, so we’ve learned to use different passwords for everything that we do. But passwords are hard to memorize, so people tend to reuse a fallback password as their default one. If you use that password across several sites and one of those sites gets hacked, then your password reuse could allow a hacker to just copy and paste it into other sites, potentially allowing them to get access to more of your accounts - all from one hack.
This is why we recommend using a password manager, but it’s hard to get folks to adopt something they aren’t familiar with. Maybe your cousin has adopted the mindset of “every password should be different” but only uses a slightly different character at the end of their common password. Or maybe they just write them all down in a notepad, or save them all in their Notepad app on their phone. The phone notepad app could be stolen, and a notepad could get destroyed in a flood or fire, so having a secure platform like a password manager is a must for password management - especially if you want to use really strong passwords that are hard to guess.
[bulleted list on screen (pros of mfa) - see B-roll list from Notion] When you add in MFA, this adds a layer of security to your account. Because even if a hacker got your password, they probably don't have the six digit code, so they still get locked out. With MFA, the biggest PRO is that added security. But even MFA has its drawbacks. [bulleted list on screen (cons of mfa) - see B-roll list from Notion] For example, it's less convenient. Instead of just typing in your password and entering, there's another step to authenticate. You either have to type in a six digit code that you get on your phone, or tap on a physical device. And if you type in the code wrong, you have to wait for a new one to get sent, or you have to quickly retype the correct code before it's deemed invalid and you have to request a new one. If you use a hardware key, like a YubiKey, this can circumvent the complications of having to type in a code (since there is no code if a website supports my favorite authentication protocol), and they're more secure (since a hacker wouldn't have a code to steal - they'd have to physically steal your YubiKey). But of course, that's a device that you'd need to have on you when you're setting up a new device.
Luckily with MFA, our devices remember our logins, so you usually only need to use that code or YubiKey when you are setting up a new device or when your computer forgets your login (this is because of how [09] Cookies work - which I did a video on).
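Here's an added example (my own Go sketch for this write-up, not code from the video or from any of the apps mentioned) of what's actually behind that six digit code: the app and the website share one secret and both run the same time-based calculation, and the site only accepts a code from the current 30-second window or its neighbours, which is why a slow typist gets "deemed invalid". The secret used is the RFC 6238 test key, not a real enrolment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totp derives the six-digit code from a shared secret and the current 30-second time step
// (RFC 6238 with HMAC-SHA1, the scheme apps like Google Authenticator implement). Note that
// the app and the website both hold the same secret, which is why this factor can be copied
// out of a breached site in a way a passkey's private key cannot.
func totp(secret []byte, unixTime int64) string {
	step := make([]byte, 8)
	binary.BigEndian.PutUint64(step, uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(step)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f                                 // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff // 31-bit value
	return fmt.Sprintf("%06d", code%1000000)
}

// checkCode is the website's side: accept the current step and one on either side, to absorb
// clock drift and the time it takes to type, and nothing older. That window is what makes a
// code "deemed invalid" if you are too slow, so you have to wait for the next one.
func checkCode(secret []byte, code string, now int64) bool {
	for _, t := range []int64{now - 30, now, now + 30} {
		if hmac.Equal([]byte(totp(secret, t)), []byte(code)) { // constant-time compare
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret (the RFC 6238 test key), not a real enrolment; in practice this
	// is the value inside the QR code you scan when you set up the app.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now)
	fmt.Println("code:", code, "accepted now:", checkCode(secret, code, now),
		"accepted two minutes later:", checkCode(secret, code, now+120))
}
```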
So TLDR: Passwords on their own are familiar to us, but they can be vulnerable to hackers. Adding MFA is a great option for security, but the caveat is that you trade some convenience for that additional security.
Now, let's turn the key to a new contender: passkeys. Similar to the hardware-key MFA option, these can be used with a physical device, like a USB key, or a phone, to verify your identity. They're the fresh alternative to passwords, promising an extra layer of security.
So, let's highlight the pros of passkeys. [bulleted list on screen (pros for passkeys) - see B-roll list from Notion] These take the approach of two-factor authentication – something you have (the passkey) and something you know (a PIN) or something you are (a biometric). Since the “something you know” like a password can be stolen, making the “something you have” the first factor to log into a website creates a more secure method for authentication. Because without that passkey (something you have), no one can get to the second part where you either have to input a PIN or use a biometric to login.
When you use a passkey, there is no more memorizing complex passwords or keeping that ever-growing password list hidden under your keyboard. The passkey for every site is unique, and it uses your phone or your USB key as the passkey.
The nice part of using a USB security key as a passkey is that an attacker would physically need that USB key to unlock an account, and a passkey stored on a USB key is never uploaded anywhere; it lives only on your physical security key.
The other perk of passkeys is that they don’t leave your device, so even if a website gets hacked, that website can’t give up your secret key like they could a password. I delved more into this in my “What are Passkeys” video.
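To make those two perks concrete, here's an added example (my own Go sketch for this write-up, not code from the video or from Yubico): a site that stores only public keys, and an authenticator, standing in for the phone or USB key, that makes one private key per site and never hands it out. The site names and the username are made up; a real passkey login also involves the PIN or biometric step before the device will sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty models one website. It holds only public keys, so a breach of its database
// yields nothing an attacker could paste into a login form elsewhere.
type RelyingParty struct {
	ID   string                       // the site the credential is bound to
	keys map[string]ed25519.PublicKey // username -> registered passkey public key
}

// Authenticator models the phone or USB key: private keys are made here and never leave.
type Authenticator struct {
	creds map[string]ed25519.PrivateKey // site ID -> private key, a distinct one per site
}

func NewRP(id string) *RelyingParty { return &RelyingParty{ID: id, keys: map[string]ed25519.PublicKey{}} }
func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]ed25519.PrivateKey{}} }

// Register makes a fresh key pair for this site and hands the site only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.creds[rp.ID], rp.keys[user] = priv, pub
}

// Challenge returns fresh random bytes, so a signed response is good for one login only.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedData binds the challenge to the site ID, so a response for one site is useless at another.
func signedData(rpID string, challenge []byte) []byte { return append([]byte(rpID+"|"), challenge...) }
// Assert signs the challenge with the key registered for rpID, or returns nil if there is none.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	if priv, ok := a.creds[rpID]; ok {
		return ed25519.Sign(priv, signedData(rpID, challenge))
	}
	return nil
}

// Verify checks the response against this user's stored public key; nil, replayed or foreign-site signatures fail.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}
```

The thing to notice is that a copy of the site's whole key table, or a response captured from one site, gives an attacker nothing that verifies at another site or on a later login.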
But passkeys aren't without their challenges. [bulleted list on screen (cons of passkeys) - see B-roll list from Notion] First: If you opt to use your phone as a passkey, you also can have Apple or Google store your passkey in a virtual server ("the cloud"), so if you lose your phone, you could access it from another device. That is great for convenience, but you have to make sure your phone account is also extremely secure - you don't want someone buying an iPhone and logging into your Apple ID and stealing your passkey.
Then of course is expense: Your phone has to be passkey ready - which most phones from newer generations already are - or you purchase a separate hardware security key to be used as the passkey. [yubico logo lower third] My viewers have access to a sweet deal through Yubico, though, which will get you $5 off the purchase of any series 5 YubiKeys with the coupon code SHANNONMORSE at checkout. That can save you some money, and you'll be buying a product that can not only be used as a passkey but also as a multi factor authentication device for tons of websites.
There are compatibility issues. Passkeys are still in their infancy and because of that, not all devices or apps will support passkeys - so hopefully the sites support MFA at the least so you have something more secure than just a password.
But just like with MFA, you won’t need a passkey every single time you open an app, or browse to a website. Apps and sites often remember our login from a known device, so as long as you aren’t switching devices all the time, you won’t need your passkey every day.
So, passwords with MFA or passkeys? Both have their merits and downsides. Passwords are the weakest form of authentication, but with MFA tacked on they can offer strong security, though convenience could be better. On the other hand, passkeys are more convenient since they’re built into newer phones and USB keys, and because there is no password to remember, but they aren’t supported everywhere yet. Once passkeys are supported everywhere, it’ll be like having [10] “one ring to rule them all”, but that one ring will actually have all sorts of different keys inside of it and each key can only be used on one site - you just need the one ring to unlock ‘em.
In the end, the choice depends on your personal needs. Got accounts with money in them? Accounts like your email where important docs are sent? Passkeys might be your new BFF, but they still might not be supported on all those sites. For social media and light online shopping? A password with multi factor authentication is probably okay. And for those sites where neither MFA nor passkeys are supported? Use a password manager to generate strong, unique passwords and to store them all, so you don't run out of RAM in your own mind.
[TEAM PASSKEY vs TEAM PASSWORDS & MFA - see B-roll list from Notion] So are you team passkey or team password with MFA? Or are you both? For me: I'm both, with the intent to become team passkey 100% whenever that becomes a reality. Tell me which option you prefer by commenting below. Thanks for watching, bye y'all!