Friday, December 19, 2025

Using security keys for passkeys

I am moving some accounts to passkeys, and posting some notes about it. Passkeys were standardized in 2018 and adopted by Microsoft, Apple, and Google. Banks have mostly avoided them. Other alternatives are email codes, SMS codes, and an authenticator app, such as from Microsoft or Google.

There are different ways to use passkeys. You can put them on your PCs and phones, secured by special memory and whatever biometrics you use to log in to those devices.

Or you can put them in a password manager.

Or you can put them on security keys.

You can use passkeys instead of passwords, but then you need to be sure that they are stored in reliable places, and/or backed up. They cannot be memorized like passwords.

If you trust your phone or your password manager, then that is all you need. But the big advantage of passkeys is that you can easily create them on multiple devices such that they never leave the device. That is, you do not need to back them up if you have alternate passkeys to accomplish the same logins.

Passwords have the drawback that an eavesdropper might copy them, or a phisher might trick you. Passkeys solve these problems. You can put the passkey on a security key, and be sure that it never leaves the key, and it will only be used on the intended web site. There is also a PIN on the key, to protect against loss or theft.
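To show what "only used on the intended web site" and "an eavesdropper might copy them" mean in practice, here is an added Go simulation of a WebAuthn assertion (not code from this post or from any vendor): the key signs a server challenge together with the RP ID hash and the browser-written origin, and the relying party rejects the signature when either belongs to another site or the challenge is stale. The relying party `example.com`, the origin `https://example.com` and the challenge string are constructed values; a real authenticator also includes a signature counter and the real verification has further steps.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator models a passkey on a security key: the private key is made inside and never leaves.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv}, err
}

// signedMessage is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return msg[:]
}

// Assert is the client half of a login on pageOrigin (assumed to start with https://). The browser,
// not the page, writes the origin into clientDataJSON and derives the RP ID from it; the key then
// signs rpIdHash || flags || SHA-256(clientDataJSON). The private key is used but never exported.
func Assert(auth *Authenticator, pageOrigin, challenge string) (authData, cdj, sig []byte, err error) {
	// browser side
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	rpIDHash := sha256.Sum256([]byte(pageOrigin[len("https://"):])) // RP ID = host of the real origin
	// security key side
	authData = append(rpIDHash[:], 0x05) // flags: user present (0x01) + user verified by PIN (0x04)
	sig, err = ecdsa.SignASN1(rand.Reader, auth.priv, signedMessage(authData, cdj))
	return authData, cdj, sig, err
}

// Verify is the relying party's half, using the public key it stored at registration. A valid
// signature is still rejected when the origin or RP ID hash belongs to another site (phishing)
// or the challenge is not the one just issued (replay of a copied assertion).
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdj, sig []byte) error {
	cd, want := map[string]string{}, sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("malformed clientDataJSON or stale challenge")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: assertion was made on another site")
	case len(authData) < 33 || string(authData[:32]) != string(want[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdj), sig):
		return errors.New("bad signature")
	}
	return nil
}
```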

Here are some security keys I tried.

Yubico 4. These are pre-2018 and now obsolete, but they have the advantage that they can be used for an unlimited number of accounts. Google can use it as a 2SV (2-step verification) factor, with a password. The other keys have this feature also, but Google refuses to use the feature if it thinks that the key supports passkeys.

Yubico 5. These are the market leaders, and are the safest bet. Some can use NFC with a phone, and also store Authenticator keys.

uTrust. Mine works most of the time, but is sometimes not recognized properly.

Onlykey. These have the feature that you can store a bunch of site passwords on them, and protect them with a PIN that you enter directly on the key. Other keys depend on the OS to control the PIN. A drawback is that each only holds 12 passkeys.

Thetis and Trustkey. These are cheap and reliable, and hold a lot of passkeys.

Solo Tap version 1. I had low expectations for this, as the company announced a version 2. I was able to upgrade the firmware by loading an obsolete Python library, and it works well with 50 passkeys. That is better than my Yubico keys.

Feitian. These work with Bluetooth, but that is more trouble than it is worth. Being wireless seems like an advantage, but they have to be charged, and the pairing is a hassle.

Price varies from $10 to $60. I get the impression that there is not much consumer demand for these, as some of these products have not been updated in years. Paying more does not necessarily get you a better key, as they all implement the same FIDO2 spec.

Using these has some quirks. With a passkey to a Google account, you can log in with Mozilla Firefox without entering your username or password. With Google Chrome, you must take the extra step of entering your password. It is odd that logging into a Google account is smoother on a non-Google browser than on a Google browser.
