Let’s start with a smartphone. A user creates an account with a passkey for a service, that passkey gets stored on their smartphone, and they can use biometrics to sign in from then on. The private key is stored on the smartphone. Great.
But then how do you sign into that same service from a different device?
If it’s by using a password manager, some third-party piece of software, how do you sign in on a device where you’re not allowed to install third-party software?
I’ve got a pair of YubiKeys that I use to back my passkeys. Works great; I’ve got passkeys that work within the Apple, Microsoft and Google ecosystems and don’t have to worry about password prompts for the most part — but I DO need a YubiKey handy to validate that it’s actually me at the device.
My keys use both NFC and USB-C and work across all my passkey-supported devices when I add in a USB adapter.
One spends most of its time in a safe deposit box, and the other lives on my physical keychain.
To use it, the person would need to be logged in on a device I own (that’s password protected) AND have one of the keys (which also requires a PIN).
Sounds much safer than biometrics.
Definitely. Costs extra, has an extra step to set up, and has an extra step to use, but is so much more secure.
That said, biometrics are better than “1234”. I have no issues with people who have bad password hygiene moving to biometrics, which at least add an extra barrier for account compromise.
But for the rest of us, physical security tokens are definitely the way to go.