In 2018, I setup most of my critical accounts with Yubikey hardware security tokens for added security. I had already used one prior to 2018, but it was only setup in a handful of places, and I regularly bypassed it. Then in 2018, I did it right; I bought a matching pair of Yubikey 5 NFCs, set them up as the only source of 2-factor authentication for important online services, and kept one with me at all times, while storing the other in a secure & safe place.

This worked well until this week when I was setting up my new phone, and I couldn't sign into my YouTube account. My Google account being setup with the Advanced Protection Program and my Yubikeys, I grabbed my NFC token and prepared to sign in with it. I was prompted to sign-in and given the option to use a security token. Every time I tried, I'd be redirected to the settings page for Password Options on my iPhone and the authentication would fail. After a few quick searches, it seemed like some folks were having issues with their Yubikeys over NFC and that a common fix seemed to be removing them and re-adding them from a browser.

From my laptop, I signed in to my Google account, successfully used my Yubikey for MFA and then navigated to my security settings; where my primary and backup key remained registered. I removed the backup key and went to re-register it but it popped back up under a different heading, as a Passkey. I used a private browsing window to confirm that it worked for login(call me paranoid, :shrug:) and then reregistered the primary Yubikey, which also showed up as a Passkey.

Intrigued, I followed a prompt in the Google account security tab to a dedicated Passkeys tab where I could read their brief description and learn some more. While setting up my hardware tokens, I had noticed that 1Password, my preferred password manager, had prompted me with an option to use it to store Passkeys. I read their excellent FAQ, Blog and Announcement posts about Passkeys to understand a little more. I liked what I learned.

What are Passkeys

Passkeys are Public-key/asymmetric cryptography implemented in a consumer-friendly manner. Intended for mass-market use as a passwordless authentication system leveraging WebAuthn and developed by the FIDO Alliance and W3C, they seem to be a rebranding of FIDO2 Credentials. When you add a Passkey to an account, a public/private key pair is generated locally, and the public key is shared to the app. The private key is saved to the keystore of your choice, though the most seamless integrations seem to be with smartphone keystores on Apple and Android devices which are further secured with biometrics. In the case of my Google account and Yubikey, the private key was stored to the Yubikey, which secures its keystore with a pin. While buzz around Passkeys is a recent-ish phenomenon, the underlying technologies, asymmetric cryptography and FIDO2 Credentials, are anything but, with a significant track record.

It's worth a brief diversion into a distinction between Passkeys stored in the iPhone/Android/1Password keystores vs on a Yubikey or other hardware token that supports FIDO2 Credentials. The first worthwhile distinction is that when using a hardware token, the keys are generated locally on the Yubikey's hardware. The second key distinction is that hardware bound Passkeys are stored only on that hardware token and cannot be copied off, providing the highest level of assurance. These are sometimes referred to as Single-Device Passkeys. Passkeys generated for iPhone/Android/1Password keystores are 'copyable' and synced to a cloud service secured by biometrics or a passphrase. This is great for consumers but makes a tradeoff that results in lower overall assurance. These are sometimes referred to as Multi-Device Passkeys. I recommend reading Yubikey's Blog on the subject, it takes a no-nonsense approach to the topic, if a little jargon-filled.

One downside to Yubikeys specifically, is that they have limited storage space for Passkeys/FIDO2 Credentials, limited to 25 currently. This just won't cover the number of online accounts most people maintain; my personal 1Password account shows 516 logins currently saved.

Where can I use Passkeys today

The great news is that the increased attention on Passkeys for iPhone/Android benefits anyone looking to use the technology, whether from a copyable keystore or a hardware bound one. They both leverage the same WebAuthn protocol.

1Password has created a directory of Passkey-enabled services that contains great information on how to get started.

Back to my discovery of Passkeys on Google accounts, I realized I should be able to store a Passkey in 1Password in addition to my 2 hardware keys. This proved to be seamless on Browsers and iOS with 1Password release 8.10.16 from September 18th, 2023, though support for Android is still pending. I don't intend to leave a Passkey for my Google account in 1Password for the long haul, but for testing purposes I kept it enabled.

It's not all sunshine and rainbows

Armed with my new knowledge of Passkeys and the directory of supported services, I went to setup a few more accounts.

• I resolved my original error when signing in to YouTube on iOS by changing the "AutoFill Passwords and Passkeys" setting to iCloud Passwords & Keychain and back to 1Password. I signed in and out to test the 1Password Passkey and both Yubikeys, all of which worked.
• GitHub worked seamlessly with both 1Password and the Yubikeys for Passkey sign in on a desktop Browser. GitHub also supports Passkeys as an additional factor in a multi-factor setup, which is useful for organizations that require MFA, regardless of the factors involved. On iOS, I wasn't able to find a way to sign in with a Passkey, but MFA using a Passkey worked with both 1Password and the Yubikeys. Testing this required clearing the cookie cache for safari because it's used for github authentication regardless of what browser is default on iOS.
• Microsoft Accounts for consumers worked seamlessly, though the option is referred to (annoyingly) as Hello or "Use Your Windows PC", and it still supports the 1Password keystore. I didn't have an easy way to test on an iPhone without breaking my existing workflows, so I'll need to return to that at some point.
• It doesn't appear that Microsoft Entra ID(formerly Azure AD) supports Multi-Device or 'Copyable' Passkeys, though support for Hardware Bound keys, more commonly known as FIDO2 Credentials in this context, are supported.
• Shop.pay is listed as a supported application by passkeys.directory but I could not get them to work in either the browser, which is explicitly not supported, or on their iOS app. The setup triggered successfully, but trying to use 1Password as the keystore didn't work; the Passkey gets created in 1Password but doesn't register in the shop.pay app. No option was presented at all for using a hardware token.
• Paypal was a similar experience. Desktop browsers are explicitly not supported and I couldn't get the mobile experience to work, though passkeys.directory makes note of this and indicates a fix is likely inbound. No option was presented at all for using a hardware token.
• Amazon proved to be another interesting one. I couldn't find a reference to Passkeys in the mobile app or from a desktop browser. Safari for iOS & iOS Edge did have the option and I was able to configure 1Password and both Yubikeys as Passkeys. Signing in from both of those browsers was successful, but sign-in from the native Amazon app was unsupported.
  I'm not certain if this is intended behaviour, but unlike all the other services I tested, signing in with Passkey in the supported configurations DIDN'T bypass MFA.

That's everything I've tested at this point, though there are another 4-5 services I use regularly, including Okta, that I will be testing in the coming days. I'll likely update this post at that time.

Another area worth making note of is that Firefox currently doesn't support Multi-Device Passkeys in any form. It does support WebAuthn but currently only hardware-bound, USB tokens are permitted from my research.

Final thoughts

Overall, I'm optimistic that this attempt to finally bury the password as a means of authentication might actually succeed. The user experience is seamless enough that many users might not even realize they've moved to a Passkey setup in their accounts, the FIDO alliance has chosen a simple enough name that clearly conveys the intended use and its all built on established technology. If this leads to greater adoption of WebAuthn, and support for hardware tokens, all the better. There are some growing pains to be certain, but this seems like an excellent direction to be heading and eliminating passwords is a worthwhile goal.