If passwords remain, passkeys don't provide better security, only convenience.

CharlesW · 2024-12-17T22:57:01 1734476221

Passkeys provide better security regardless of whether passwords continue to be supported. Two reasons off the top of my head:

• Passkeys stop phishing. Using your passkey instead of a password (when both are available) ensures you're actually signing in to the site/service you expect.

• Passkeys have zero value when leaked. Users' private keys remains secret and safe even when public keys are stolen and distributed.

That said, passwords aren't going extinct anytime soon. It will likely become more popular to require 2FA for password users in the meantime, as it should.

mort96 · 2024-12-18T06:45:16 1734504316

Passkeys don't stop phishing. If the user has both a password and a passkey to a service, a phishing site needs to just ask for a password and not mention passkeys and people will just enter their password.

jesseendahl · 2024-12-19T09:12:02 1734599522

>It will likely become more popular to require 2FA for password users in the meantime, as it should.

A lot of folks/services/engineers mistakenly think that layering 2FA on top of passwords will help defend against phishing attacks.

But attackers have been phishing 2FA codes since at least 2012 and it's gone from an advanced attack to bog-standard. The only way to defend against phishing attacks in 2024 is to use phishing-resistant credentials like passkeys.