Passkeys vs. 2FA: Why Passkeys Provide Superior Security

AI written, human edited.

In a recent episode of the popular Security Now podcast, hosts Steve Gibson and Mikah Sargent had an in-depth discussion about the security advantages of passkeys over traditional two-factor authentication (2FA). The conversation was sparked by a listener's question about whether using passkeys in place of 2FA would reduce their account security.

Gibson, a renowned security expert, emphatically stated that in a properly implemented system, passkeys alone provide far more security than even the strongest password combined with any second authentication factor. He proceeded to dissect the fundamental weaknesses of password-based authentication systems that rely on server-side storage of secrets like passwords and 2FA seeds.

The core issue, according to Gibson, is that these systems are inherently vulnerable because websites must store sensitive data that could potentially be stolen in a breach. In contrast, passkeys employ state-of-the-art public key cryptography, where the user's private key never leaves their device. Websites only receive the corresponding public key, which is designed solely for verifying digital signatures and cannot be used to derive the private key.

"Everything about passkeys is superior to everything that has come before it," Gibson asserted. Unlike passwords and 2FA codes generated from shared secrets, passkeys create unique, signed challenges for each authentication attempt, making replay attacks impossible.

Gibson acknowledged that while the cryptography underlying passkeys is vastly more secure, user perception could be a potential stumbling block. Many people might view passkeys as overly convenient and conflate ease-of-use with reduced security. However, he emphasized that this perception is misguided, as the underlying technology is what truly matters.

One concern Gibson raised is that websites implementing passkeys might still allow the use of legacy username/password authentication as a fallback. In such cases, the overall system security would be reduced to the weakest link – the outdated password-based method. He stressed the importance of entirely disabling these less secure options once passkeys are enabled.

The discussion also touched on hardware security keys like YubiKeys, which Gibson confirmed employ similar cryptographic principles as passkeys and the FIDO2 specification they are based on. However, he noted that the widespread adoption of dedicated hardware has been sluggish, hence the industry's push for a more user-friendly, software-based passkey approach.

In summary, this Security Now episode provided a comprehensive explanation of why passkeys represent a significant leap forward in authentication security. As accredited password managers now support passkeys natively, Gibson strongly recommends making the switch whenever possible and taking steps to disable any lingering password-based logins for maximum protection.