But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp