My recent feature on passkeys attracted a lot of interest, and several of the 1,100-plus comments raised questions about how the passkey system actually works and whether it is reliable. In response, I’ve put together this list of frequently asked questions to dispel some myths and shed some light on what we know—and don’t know—about passkeys. This FAQ will be updated from time to time to answer more questions on merit, so check back often. This author will not monitor or respond to comments going forward but can still be contacted via email.
Q: I don’t trust Google. Why do I need to use passkeys?
A: If you don’t use Google, Google passkeys aren’t for you. If you don’t use Apple or Microsoft products, the situation is the same. The original article was directed at the hundreds of millions of people who use these major platforms (even if in denial).
That said, the use of passkeys is quickly expanding beyond the big tech players. Within a month or two, for example, 1Password and other third parties will support passkey syncing that populates credentials across all of your trusted devices. While Google has gone further than any other service in allowing logins with passkeys, new services are letting users log into their accounts with passkeys almost every week. In short order, you will be able to use passkeys even if you don’t trust Google, Apple, or Microsoft.
Q: I don’t trust any company to sync my login credentials; I just keep it on my local devices. Why should I use passkeys?
A: Even if you don’t trust any cloud service to sync your login credentials, the FIDO specs allow for something called single-device passkeys. As the name suggests, these passkeys work on one device and are never synced with any service. Single-device passkeys are typically created using a FIDO2 security key, such as the YubiKey.
However, if you’re syncing passwords through a browser, a password manager, iCloud Keychain, or one of the Microsoft or Google equivalents, be aware that you’re relying on a cloud service to sync your credentials. If you don’t trust cloud services to sync passkeys, you shouldn’t trust them to sync your passwords, either.
Q: Syncing passkeys seems too risky. Why do I have to rely on syncing from any service?
A: Currently, the FIDO specifications call for end-to-end encryption, which by definition means that nothing other than one of the trusted end-user devices has access to the private key in unencrypted (that is, usable) form. The specs do not currently dictate a baseline for this E2EE. Apple’s sync mechanism, for example, relies on the same end-to-end encryption that iCloud Keychain already uses for password sync. Apple documents the design of this service in great detail here, here, here, here, and here. Independent security experts have not yet reported any discrepancies with Apple’s claim that it has no way to unlock credentials stored in iCloud Keychain.
Q: iCloud is a basic security feature. The onus should be on the company claiming to be safe to prove the said safety [sic], not to others for disproof [sic] this.
A: As stated earlier, if you don’t trust Apple or any other company that offers sync, consider using a single-device passkey, as described above. If you don’t trust Apple or any other company that offers sync and you don’t want to use a single-device passkey, passkeys aren’t for you, and there isn’t much point in reading future Ars articles on this topic. Just remember that if you don’t trust iCloud et al. to sync your passkeys, you cannot trust them to sync your passwords or any other sensitive data, either.
Q: What about other sync services? Where is their documentation?
A: Google has documentation here. 1Password has documentation on the infrastructure it uses to sync passwords (here and here). Also, if you already depend on a cloud-based password-syncing platform, it’s a bit late to ask for documentation now. There is little, if any, additional risk in syncing passkeys as well.
Q: Isn’t there a recent article about new macOS malware that can steal iCloud Keychain items?
A: This could be a reference to MacStealer, malware that has recently been advertised on underground crime forums. There are no reports of MacStealer being used in the wild, and no confirmation that the malware even exists. All we know is what the ads claim about it.
That said, the ad hawking MacStealer says it’s in early beta and comes in the form of a standard DMG file that must be manually installed on a Mac. The DMG file is not digitally signed, so it cannot be installed unless the end user mucks around in the macOS security settings. Even then, a victim must enter their iCloud password into the app after it is installed before any cloud-based data can be retrieved.
Based on the description of MacStealer from Uptycs, the security company that saw the ad, I don’t think people have much to worry about. And even if the malware does pose a threat, that threat isn’t just to passkeys but to anything that hundreds of millions of people already have stored in iCloud Keychain.
Q: Passkeys give Apple/Google/Microsoft, a third-party sync service, or the site you’re logging into control over your credentials. Why would I do that?
A: Assuming you’re using a password to sign into a service like Gmail, Azure, or GitHub, you’re already relying on these companies to implement their authentication systems in a way that doesn’t reveal the shared secrets that allow you to log in. Logging into one of these sites with a passkey instead of a password gives the sites the same control—no more and no less—over your credentials than they had before.
The reason is that the private-key portion of a passkey never leaves the user’s device, where it is stored encrypted. Authentication takes place on that device. The device then sends the site a cryptographic proof, computed with the private key, that the key is present on the device; the site holds only the corresponding public key, which verifies the proof but cannot produce one.
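To make the challenge/response described above concrete, here is an added, simplified model of a passkey login in Go. It is not code from the article or from any FIDO implementation: the `Authenticator` and `RelyingParty` types, the credential ID `cred-0001`, the relying-party ID `example.com` and the exact bytes that get signed (SHA-256 over the RP ID and the challenge, rather than WebAuthn’s full `authenticatorData || SHA-256(clientDataJSON)`) are all assumptions made for illustration. The key pair is P-256 ECDSA with SHA-256, which is what WebAuthn calls ES256. What the example shows is the property the answer relies on: the site stores only the public key, a fresh random challenge is signed on the device, and a captured signature cannot be replayed against a new challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is unexported and
// never leaves this struct; only PublicKey() is ever handed to the site.
type Authenticator struct {
	credentialID string
	priv         *ecdsa.PrivateKey
}

// RelyingParty models the website. A breach of this struct exposes public
// keys only, which cannot be used to produce a login proof.
type RelyingParty struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey // credentialID -> public key
	challenges map[string][]byte           // credentialID -> outstanding challenge
}

// NewAuthenticator generates a P-256 key pair on the "device".
func NewAuthenticator(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{credentialID: credID, priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the enrollment step: the site receives and stores the public key only.
func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.pubKeys[credID] = pub }

// IssueChallenge creates a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) IssueChallenge(credID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[credID] = ch
	return ch, nil
}

// signedData binds the relying-party ID and the challenge into the bytes that
// get signed (simplified stand-in for WebAuthn's authenticator/client data).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert runs on the device: after local user verification (biometric or PIN,
// assumed to have happened), it signs the challenge with the private key.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// Verify runs on the site: it checks the proof against the stored public key.
// The challenge is consumed first, so a proof is good for exactly one login.
func (rp *RelyingParty) Verify(credID string, sig []byte) error {
	pub, ok := rp.pubKeys[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	ch, ok := rp.challenges[credID]
	if !ok {
		return errors.New("no outstanding challenge for this credential")
	}
	delete(rp.challenges, credID)
	if !ecdsa.VerifyASN1(pub, signedData(rp.rpID, ch), sig) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

// Demo walks through registration, one successful login, and a replay of the
// captured signature against a new challenge. Returns (loginOK, replayRejected).
func Demo() (bool, bool, error) {
	rp := NewRelyingParty("example.com") // constructed sample RP ID
	auth, err := NewAuthenticator("cred-0001")
	if err != nil {
		return false, false, err
	}
	rp.Register(auth.credentialID, auth.PublicKey())

	ch, err := rp.IssueChallenge(auth.credentialID)
	if err != nil {
		return false, false, err
	}
	sig, err := auth.Assert(rp.rpID, ch)
	if err != nil {
		return false, false, err
	}
	loginOK := rp.Verify(auth.credentialID, sig) == nil

	// An eavesdropper who captured sig gains nothing: the next login has a new
	// random challenge, and the old signature does not cover it.
	if _, err := rp.IssueChallenge(auth.credentialID); err != nil {
		return false, false, err
	}
	replayRejected := rp.Verify(auth.credentialID, sig) != nil
	return loginOK, replayRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("login verified: %v, replayed proof rejected: %v\n", ok, rejected)
}
```

The point to take from the model is where each secret lives: `Authenticator.priv` is never serialized or sent, and everything the `RelyingParty` persists would already be public knowledge if the site leaked its database, which is the sense in which the site gets "no more and no less" control than it had with a password.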