RE: https://mstdn.social/@TechCrunch/116807118492991232

This is incorrect. Physical security keys are more secure than passkeys. All of the strong phishing resistance, none of the software-brokered attack surface.

To be clear, passkeys are safer than push or SMS or email or passwords. And physical keys are a pain to maintain for the same reason they are more secure: you can't synchronize their secrets anywhere.

@tychotithonus Not to nitpick but there’s still more nuance to it since there are different ways of implementing passkeys. They can live on an external physical key, or on-device and syncable (like in a password manager), or on-device and non-syncable (tied to a Secure Enclave / TPM chip.) So whether they are or are not the most secure option depends on how the end-user sets theirs up.

@dmnelson Very fair. This nuance is also not delivered on the original site that is asserting that "passkeys are better". The fact that a physical security key can protect a passkey is virtually unreachable to any but the most advanced and experienced users, usually due to poor UX. So I'm not disagreeing with you, but I also think that it's a nuance that more proves my point than counters it. 😅

Edit: but also I want to support your original point more fully -- you are absolutely not wrong.