It’s more about supporting a new standard. Plenty of folks are using same credentials everywhere, and passkeys could potentionally change that. Also, entering 1 thing is easier than entering 2.
Continuing on what Rolling Resistance said (sorry for the delay, had to step away for a while), I know plenty of people who do use a password manager and still use a static password in some places (hell, I’ve been guilty of that in a few places - but generally on network-isolated systems). Some people also don’t use 2FA because they find it inconvenient.
Passkeys are more or less very similar to how SSH keys work if you’re familiar with those, your device (or password manager) generates a secret key that it only has access to, and then gives the public key to the website (and a new keypair is generated for every single website). When you login to a website, the website sends you a challenge which you sign with your private key, that the website can then verify using the public key that you used when enrolling the passkey. This way, a website never has any form of secret - making say password hash leaks less relevant, whereas in theory you could give your public key(s) and post it on Google’s homepage without any repercussions… but don’t quote me on that one.
So even if you use a password manager, if you still have a few websites that share the same password, and one of those gets compromised - those other websites may still be vulnerable which wouldn’t be possible with a passkey.
If you use a password manager like bit warden, on a compromised machine, the credentials used to log into a site, could get copied. Then somebody else could log into that site as you.
Using pass keys, or hardware security keys means the private information never goes over the internet. So somebody who’s compromised the system, still doesn’t get the private key. So they can’t impersonate you later
but butwarden already makes phishing impossible, and even if someone gets the password, they don’t have the 2fa?
It’s more about supporting a new standard. Plenty of folks are using same credentials everywhere, and passkeys could potentionally change that. Also, entering 1 thing is easier than entering 2.
Continuing on what Rolling Resistance said (sorry for the delay, had to step away for a while), I know plenty of people who do use a password manager and still use a static password in some places (hell, I’ve been guilty of that in a few places - but generally on network-isolated systems). Some people also don’t use 2FA because they find it inconvenient.
Passkeys are more or less very similar to how SSH keys work if you’re familiar with those, your device (or password manager) generates a secret key that it only has access to, and then gives the public key to the website (and a new keypair is generated for every single website). When you login to a website, the website sends you a challenge which you sign with your private key, that the website can then verify using the public key that you used when enrolling the passkey. This way, a website never has any form of secret - making say password hash leaks less relevant, whereas in theory you could give your public key(s) and post it on Google’s homepage without any repercussions… but don’t quote me on that one.
So even if you use a password manager, if you still have a few websites that share the same password, and one of those gets compromised - those other websites may still be vulnerable which wouldn’t be possible with a passkey.
If you use a password manager like bit warden, on a compromised machine, the credentials used to log into a site, could get copied. Then somebody else could log into that site as you.
Using pass keys, or hardware security keys means the private information never goes over the internet. So somebody who’s compromised the system, still doesn’t get the private key. So they can’t impersonate you later