FAQ: Questions and answers about Passkeys
Passkeys, the successor to passwords, are set to make logging in online easier than ever. We answer readers' most frequently asked questions on the subject.
The secure authentication procedure using passkeys is only simple at first glance; behind the scenes, complicated technology is at work. And not everything always runs smoothly.
Amazon key
I use Passkeys with Firefox. This works well everywhere, except on amazon.de where I am not offered passkey authentication. What can I do?
Some web services, including Amazon, only offer passkey login under certain conditions, for example only for selected operating systems or browsers. They decide this on the basis of the User-Agent header that the browser sends with every request and by which it identifies itself on the web. One possible reason is that the operator has so far only tested certain configurations and wants to roll out the passkey function gradually.
In most cases, passkey authentication will still work once you have cleared this hurdle. You can simply instruct Firefox to pretend to be Google Chrome by changing its user agent string. In our tests, the Firefox extension "User-Agent Switcher and Manager" proved its worth.
It offers a whitelist mode that applies the changed user agent only to selected websites such as amazon.de, so all other websites continue to work as usual. It is best to set the user agent string of the current Chrome version, which you can find on websites such as WhatIsMyBrowser.com. In this way, we were able to use passkeys on Amazon with Firefox without any problems.
Delete Passkey
How can I delete Passkeys?
If you no longer want to or can no longer use a passkey, you should first remove it from the associated account with the web service. It is then immediately invalid and can no longer be used to log in. In many cases, you can also delete the passkey data from your devices. Whether this works depends on where the passkey is stored.
On the iPhone, for example, you can manage and delete passkeys under "Settings/Passwords"; on Android smartphones, switch to the Google Password Manager, which you can find in the settings by searching for "Password Manager". If the passkey is stored in the Windows TPM (Windows Hello), delete it via Settings > Accounts > Passkey settings. If you use a password manager such as Bitwarden or KeePassXC, delete the passkey in the respective app.
It gets trickier if the passkey is stored on a FIDO2 stick. Not all FIDO2 sticks support the necessary management functions for listing and deleting passkeys. You are best off with a modern stick that supports the current FIDO2.1 standard and therefore also the management functions. However, some older FIDO2.0 sticks will also work. First check whether the manufacturer of your stick offers a management tool. If it is a newer YubiKey, for example, you can use the "Yubico Authenticator" app. Another option is the Windows tool "FIDO2.1 Manager" from Token2, which also works with sticks from other manufacturers.
On Linux and macOS, you can also delete passkeys via the Chrome settings (chrome://settings/securityKeys); Windows users must start Chrome as an administrator and with the parameter --disable-features=WebAuthenticationUseNativeWinApi, which makes Chrome talk to the stick directly instead of going through the Windows WebAuthn API.
Spare key
Can I create backups of my passkeys? If so, how?
That depends on where you store your passkeys. If you use a FIDO2 stick or the Windows TPM, you cannot read out and back up the private keys of your passkeys, for security reasons. However, if you use the passkey functions of Apple's operating systems or Android, there is always an encrypted backup in the cloud (iCloud Keychain or Google Password Manager), so you don't have to worry about anything.
If your device fails or is stolen, your passkeys are automatically restored from the cloud when you set up a replacement device. This also applies to many independent password managers such as 1Password or Bitwarden, which also use the cloud. Some also allow you to export your passkeys manually and locally to a file.
Regardless of this, most web services allow you to create multiple passkeys per account. For example, you can create one passkey for your smartphone and one for your FIDO2 stick, which can then be used independently of each other.
Fear of loss
What do I do if I have lost my passkeys?
This is not normally a cause for panic: Most web services are prepared for this eventuality and offer a recovery function similar to "forgotten password", which you can use to regain access to the account. Always make sure that the data stored in your account, such as your email address and cell phone number, is up to date so that you can use the recovery function if the worst comes to the worst.
Your passkeys on a lost authenticator are protected against unauthorized access because you have to unlock it using a PIN or biometric features (fingerprint or face scan) in order to use it. This applies not only to FIDO2 sticks, but also to smartphones, tablets and computers. You should therefore set a PIN that is not easy to guess.
Key customer
What are passkeys anyway?
Passkeys are a modern authentication method that does not require a password. Instead, you use cryptographic keys and digital signatures. This has several advantages: When you log in, no secret is transmitted that an attacker could intercept and use themselves. As the crypto keys are generated automatically, a passkey is only ever suitable for one account and dangerous password recycling is ruled out. In addition, passkeys are resistant to phishing, one of the most common methods of attack on the Internet.
But there are also disadvantages: While passwords are sometimes easy to remember, passkeys inevitably require technical aids to generate and manage the crypto keys. In the simplest case, you can use the passkey management of your operating system.
Passkeys are not a completely new invention; they are based on the FIDO2 method, which is developed by the FIDO Alliance, a consortium of numerous major companies such as Apple, Google and Microsoft. The German BSI is also a member of this alliance. A passkey not only replaces the password; entering a user name is also optional. For this, the authenticator must store what are known as resident keys or discoverable credentials, discoverable because a web service can ask which credentials are stored for it.
Sharing passkeys
I can easily share my passwords with family and friends to access accounts together. Is this also possible with Passkeys?
Passkeys essentially consist of crypto keys, i.e. long, random character strings that you can theoretically pass on. Whether this is also possible in practice depends on how you create and store your passkeys. FIDO2 sticks and the Windows TPM (Windows Hello), for example, do not allow the crypto keys generated with them to be read for security reasons.
With a password manager, on the other hand, you could be in luck: KeePassXC, for example, offers an export function that allows you to specifically export individual passkeys as a file. Other users can then import this file, provided they use the same software. You can even use other password managers such as Bitwarden in a team and share passkeys with other people in your team at the click of a mouse. Apple users can share passkeys with other Apple users via AirDrop.
Please note that sharing Passkeys is just as secure or insecure as sharing passwords: the other person will have full access to your account and may be able to take it over completely. If possible, create your own passkeys for the other person. You can then withdraw access later by deleting their passkeys from the shared accounts.
Hackable despite passkey
Are passkeys absolutely secure against hackers?
No, there is no such thing as absolute security, not even with passkeys. Depending on where you store your passkeys, there is a risk that attackers may also be able to access them. For example, an independent password manager usually offers no hardware binding of the private keys, which makes it less secure than a FIDO2 stick. If an attacker manages to gain access to the password manager, they can also use the passkeys stored in it.
However, the greatest danger comes from session cookies, and even passkeys do not change this. After you have successfully logged in to a web service, it stores such a session cookie in your browser so that you remain logged in. If malware were lurking on your computer, it could steal the session cookies and transfer them to an attacker. The attacker could then use the cookies to access your accounts without a passkey or password.
However, this is not a weakness of the passkey procedure; it is due to the fact that cookies are not normally bound to a specific device. A procedure called "Device Bound Session Credentials", the development of which Google has initiated, should provide a remedy in future. Instead of plain cookies, public key cryptography will be used, similar to passkeys.
Passkey instead of 2FA
Will passkeys replace two-factor authentication?
Passkeys do not automatically make a second factor obsolete. Many web services still have a password that you can use to log in. This password can also fall into the hands of attackers, which is why it is still important that you protect your accounts with a second factor. In everyday life, two-factor authentication is hardly a problem, as it is usually sufficient to enter the second factor the first time you log in with a device.
Buy a FIDO2 stick
What do I need to consider when buying a FIDO2 stick?
If you want to buy a new FIDO2 stick for using passkeys, you should pay attention to the storage capacity. Although the crypto keys only take up a few bytes, the sticks are equipped with specially protected chips that only have a small amount of suitable memory. Older FIDO2 sticks can therefore run out of memory after 25 passkeys. You can find out how many passkeys a FIDO2 stick can store either in the data sheet or by asking the manufacturer.
Current sticks with a lot of memory are offered, for example, by the manufacturers Token2 (300 passkeys), Google (250 passkeys) and Yubico (100 passkeys). Make sure you buy the latest revision: YubiKeys from the 5 series, for example, only offer the high storage capacity if they have been freshly manufactured (firmware 5.7 or newer). On older versions of the same models, however, you can only store 25 keys and a firmware update is not possible.
It is also advisable to use a stick that already supports the current version 2.1 of the CTAP standard (Client to Authenticator Protocol). It specifies important management functions, particularly for passkeys, with which you can also delete passkeys individually. Although the Google Titan sticks offer a lot of memory, they only support CTAP 2.0: the only way to delete passkeys on them is to reset the entire stick to factory settings, which wipes all stored passkeys at once.
However, if you already have older FIDO2 sticks, you don't have to dispose of them: even if they can only hold a few dozen Passkeys, they will last you quite a while. This is because you cannot currently create passkeys for all online accounts anyway. Older sticks are also suitable as a backup for the most important accounts and for two-factor authentication, which does not require any memory.
Do away with passwords
Can I replace all my passwords with passkeys?
No, that will take a long time. In order for you to be able to use passkeys, the respective website operator must implement the new authentication method. For older websites that are no longer or only rudimentarily maintained, this is unlikely to happen. A well-maintained overview of web services with passkey support can be found at passkeys.directory.
So you won't be able to manage without passwords for the foreseeable future. Ensure as much security as possible even in such cases: it is best to use a password manager to generate random, individual passwords. Activate two-factor authentication where possible.
Fingerprint risk
I've heard that I can log in to Passkeys with a fingerprint or face scan. Can a hacker access my biometric data?
No, because your biometric features are stored in a security chip on your device and are not used for the actual authentication with the web services. The web services have no access to them, and an attacker who compromises a service cannot obtain your biometric data there. The biometrics are only used locally to unlock the authenticator quickly and conveniently. This also applies to your PIN: it, too, is only stored and checked locally.
Forgotten PIN
I have forgotten the PIN for my FIDO2 stick. How do I get the passkeys?
The PIN of your FIDO2 stick is as secure as the PIN of your bank card. The PIN is checked by a chip, which then either authorizes use of the authenticator or refuses it. You cannot read out or bypass the PIN. After a limited number of failed attempts, usually a maximum of 10, the FIDO2 stick locks and must be reset. All passkeys are deleted in the process. This ensures that an unauthorized person who gets hold of your stick cannot simply try out all possible PINs to gain access to your passkeys.
If you want to prevent this and be on the safe side, you should write down the PIN on a piece of paper and keep it in a safe place. Alternatively, you can use a FIDO2 stick such as the YubiKey Bio, which you unlock using your fingerprint.
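The retry counter described in the answer above is easy to get wrong in one's mental model: a correct PIN restores the counter, a locked stick rejects even the correct PIN, and the only way out is a reset that wipes every passkey. The following Go program is an added example that is not part of the original article and not any manufacturer's firmware; it is a toy model of that PIN logic with a constructed retry limit of 8 and constructed passkey entries.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// maxPinRetries is a constructed value; the article says sticks usually allow at most 10.
const maxPinRetries = 8

var (
	errWrongPIN = errors.New("wrong PIN")
	errLocked   = errors.New("authenticator locked: reset required, all passkeys will be wiped")
	errNoPIN    = errors.New("PIN not verified in this session")
	errNoPINSet = errors.New("no PIN set (stick was reset)")
)

// pinAuthenticator is a toy model of a FIDO2 stick's PIN handling (not a CTAP implementation).
type pinAuthenticator struct {
	pin      string   // held inside the secure chip, never readable from outside
	retries  int      // remaining failed attempts before lockout
	locked   bool     // true once the counter reaches zero
	unlocked bool     // PIN verified since power-on
	passkeys []string // rpIDs of stored passkeys (stand-in for real credentials)
}

func newPinAuthenticator(pin string, passkeys []string) *pinAuthenticator {
	return &pinAuthenticator{pin: pin, retries: maxPinRetries, passkeys: passkeys}
}

// verifyPIN checks the PIN inside the "chip": a correct PIN restores the retry
// counter, a wrong one decrements it, and reaching zero locks the stick for good.
func (a *pinAuthenticator) verifyPIN(candidate string) error {
	if a.locked {
		return errLocked
	}
	if a.pin == "" {
		return errNoPINSet
	}
	if subtle.ConstantTimeCompare([]byte(candidate), []byte(a.pin)) == 1 {
		a.retries = maxPinRetries
		a.unlocked = true
		return nil
	}
	a.retries--
	if a.retries == 0 {
		a.locked = true
		return errLocked
	}
	return errWrongPIN
}

// hasPasskey stands in for a getAssertion call: refused until the PIN was verified.
func (a *pinAuthenticator) hasPasskey(rpID string) (bool, error) {
	if a.locked {
		return false, errLocked
	}
	if !a.unlocked {
		return false, errNoPIN
	}
	for _, p := range a.passkeys {
		if p == rpID {
			return true, nil
		}
	}
	return false, nil
}

// reset is the only way out of a lockout: it clears the PIN and wipes every passkey.
func (a *pinAuthenticator) reset() {
	a.pin = ""
	a.retries = maxPinRetries
	a.locked = false
	a.unlocked = false
	a.passkeys = nil
}

func main() {
	a := newPinAuthenticator("1234", []string{"example-shop.test"}) // constructed PIN and rpID
	fmt.Println("before PIN:", fmtErr(a.hasPasskeyErr("example-shop.test")))
	for i := 0; i < maxPinRetries; i++ {
		fmt.Printf("attempt %d with wrong PIN: %v (retries left %d)\n", i+1, a.verifyPIN("0000"), a.retries)
	}
	fmt.Println("correct PIN on locked stick:", a.verifyPIN("1234"))
	a.reset()
	fmt.Println("passkeys after reset:", len(a.passkeys))
}

func (a *pinAuthenticator) hasPasskeyErr(rpID string) error { _, err := a.hasPasskey(rpID); return err }
func fmtErr(err error) string                              { return fmt.Sprint(err) }
```

Note that the lockout is permanent until a reset: neither waiting nor the correct PIN helps, which is why the article advises writing the PIN down and keeping it somewhere safe.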
Phishing protection
Why do passkeys protect against phishing?
In a phishing attack, the attacker lures you to a login page that looks like a legitimate website where you actually have an account. They are hoping that you will not notice the scam and enter your login details. With passkeys, you are in the clear in such a case: you cannot use your real passkey on the fake site because your browser forwards the domain of the website (the relying party ID) to the authenticator. The authenticator then searches for matching passkeys and cannot find any, because the phishing domain differs from the original domain. You could only create a new passkey for the fake page, but this is worthless for the attacker.
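The answer above and the earlier one on what passkeys are ("no secret is transmitted", "resistant to phishing") both describe the same mechanism: a key pair bound to a domain, a challenge signed by the private key, and a server that checks origin, challenge and domain hash before trusting the signature. The Go program below is an added example that is not part of the original article and not the code of any browser, authenticator or website; it models a WebAuthn registration and login with real P-256 ECDSA signatures from Go's standard library, using constructed domains (example-shop.test and a look-alike) and a constructed account ID. It also shows an edge case the article only implies: a captured assertion cannot be replayed because the server's challenge changes each time.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// credential is one discoverable passkey as the authenticator stores it;
// the private key never leaves this struct.
type credential struct {
	rpID   string            // relying party ID (domain) the key is bound to
	userID string            // account the key belongs to
	priv   *ecdsa.PrivateKey // P-256 key, as used by ES256 passkeys
}

// authenticator is a toy model of a passkey store (not a CTAP implementation).
type authenticator struct{ creds []credential }

// register creates a fresh key pair bound to rpID; only the public key goes to the website.
func (a *authenticator) register(rpID, userID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds = append(a.creds, credential{rpID: rpID, userID: userID, priv: priv})
	return &priv.PublicKey
}

// clientData is the JSON the browser builds for every login: the origin the
// request came from and the server's one-time challenge.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what travels back to the website: no secret, only a signature.
type assertion struct {
	authData       []byte // SHA-256(rpID) || flags || signature counter
	clientDataJSON []byte
	sig            []byte
}

// signedMessage is what an ES256 passkey signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// getAssertion gets the effective domain from the browser and only answers
// if a credential bound to exactly that rpID exists.
func (a *authenticator) getAssertion(rpID string, clientDataJSON []byte) (*assertion, error) {
	for _, c := range a.creds {
		if c.rpID != rpID {
			continue
		}
		rpHash := sha256.Sum256([]byte(rpID))
		authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, counter = 1
		sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(authData, clientDataJSON))
		if err != nil {
			return nil, err
		}
		return &assertion{authData: authData, clientDataJSON: clientDataJSON, sig: sig}, nil
	}
	return nil, errors.New("no passkey stored for " + rpID)
}

// loginAttempt plays the browser at a given origin: it builds the clientData
// and asks the authenticator for an assertion for the page's effective domain.
func loginAttempt(a *authenticator, origin, rpID, challenge string) (*assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	return a.getAssertion(rpID, cd)
}

// verify is the website's side: origin, challenge and rpID hash are checked
// before the signature is trusted, so a captured assertion cannot be replayed.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as *assertion) bool {
	var cd clientData
	if err := json.Unmarshal(as.clientDataJSON, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != expectedOrigin || cd.Challenge != challenge {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.authData) < 32 || !bytes.Equal(as.authData[:32], rpHash[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(as.authData, as.clientDataJSON), as.sig)
}

func main() {
	a := &authenticator{}
	pub := a.register("example-shop.test", "user-42") // constructed domain and account
	as, err := loginAttempt(a, "https://example-shop.test", "example-shop.test", "challenge-1")
	fmt.Println("genuine login:", err == nil && verify(pub, "example-shop.test", "https://example-shop.test", "challenge-1", as))
	fmt.Println("replayed assertion:", verify(pub, "example-shop.test", "https://example-shop.test", "challenge-2", as))
	_, err = loginAttempt(a, "https://example-shop-login.test", "example-shop-login.test", "challenge-1")
	fmt.Println("look-alike domain:", err)
}
```

The phishing case fails at the authenticator, before anything is signed: the browser, not the user, supplies the rpID, so a convincing look-alike page never sees a usable assertion. The replay case fails at the server, which is why a site must issue a fresh random challenge for every login.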
Passkeys barrier-free
I manage my grandparents' computer. How can I set up passkeys for them as easily as possible to eliminate the dangers of phishing and the like?
You can set up the built-in passkey authenticator of the operating systems (Windows, Android, Apple operating systems) so that authentication without a password is as accessible and secure as possible. Then you only need to enter a PIN to log in securely to websites. You can also switch on biometric authentication (fingerprint or face scan) to make it even easier to use.
Make sure that you also have access to the accounts so that you can provide assistance if necessary. For this purpose, you can create your own passkeys for the accounts, for example on a FIDO2 stick, which you can take with you after setting up. Make sure that you also secure accounts on websites that do not offer passkey authentication as well as possible. You can often at least activate two-factor authentication.
To generate one-time passwords (TOTP codes), you can get your grandparents a separate code generator such as the Reiner SCT Authenticator. This is a separate device with a display that works in a similar way to a TAN generator for online banking. This saves your grandparents having to fiddle with authenticator apps.
(rei)