Sorry, I'm still not clear what the advantage is, compared to storing unique passwords in 1pw. If a site is hacked, the only thing at risk is my data on that specific site, which would be the case either way. I definitely understand how they would be easier and more secure for people who don't use a pw manager, but that's not my question.
There are some obvious, significant benefits I can think of off the top of my head:
- Passkeys give the website no secret to keep.
Breach of the passkey public key is not an event worthy of credential rotation.
- Passkey authentication is submitted via a rigorously-defined mechanism intended for machine-to-machine communication.
Ever had your password manager try to fill the wrong field with your login credentials? Passkeys cannot make that mistake. There's no heuristic mechanism at play trying to figure out where to insert the passkey.
- Passkeys are immune to credential theft via MITM
Sure the MITM could hijack the session, but not the credential. (I know this one is a stretch, but you asked for anything)
They aren't that much more secure than a random 256 bit unique password for every site stored in a secure password manager. They are designed to raise the security for the average user, not the most security conscious.
This is a weird take. The passkey can be up to 1400 bits in length which makes it significantly more difficult to brute force than a 256 bit password. Not to mention some sites won’t even let you type in a password that long, and then ofc rainbow tables.
Passkeys are significantly more secure for everybody.
a truly random 256 bit password would require more energy to brute force than the sun will emit during its entire lifetime. a 1400 bit long random password is not any more secure in practice.
