Passkeys & Privacy

by Jacob Hoffman-Andrews
Electronic Frontier Foundation
Reprinted under Creative Commons License

This is part 2 of 2 in a series on passkeys.

In our previous article we described what a passkey is: a few hundred bytes of data stored in your password manager, security key, or elsewhere, which allows you to log in to a specific website without a password. The good news is that passkeys are quite well designed from a privacy point of view, even though they give a little more information to websites than a plain old password.

Cross-site Tracking

One of the most important attributes for passkeys is that they shouldn't enable cross-site tracking. In other words, if you create a passkey on site A, and create a different passkey on site B using a different name, email address, and IP address, the two sites shouldn't be able to correlate the separate identities, even if they're sharing information behind the scenes.

Passkeys satisfy this requirement. Each passkey you create is unique, though there are some small caveats to be aware of.

If you store your passkey in a security key or TPM, websites can request the make and model of your device (depending on whether the browser allows it). Usually this only identifies a broad category of common devices. For instance, Chrome's policy on security keys "expects" each distinct make and model to represent at least 100,000 devices. In the past, some manufacturers shipped security keys where each one had a uniquely identifying make and model, which was a major privacy flaw. It's possible other manufacturers will make the same mistake, but it's likely that browsers would block such flawed devices. In general, consumer-facing websites should avoid requesting make and model information, since this feature is intended primarily for companies managing their internal login infrastructure. If you store your passkey in a password manager, websites can learn which password manager you are using.

Similarly, some security keys may implement a "signature counter" for passkeys stored on them. A good implementation should ensure that the signature counter is maintained separately for each site, but some security keys keep a single signature counter for all passkeys. That can be used across unrelated sites to try and correlate your identity by looking for similar values of that signature counter. You can ask the manufacturer of your security key how they handle signature counters.

Biometrics

When using a passkey your phone or computer might prompt you to use a fingerprint or facial recognition. This step is to demonstrate to your device that it's really you. Your fingerprint, face, or unlock code isn't sent to the website. Instead, your browser tells the site that "user verification" was successful. This will generally only happen if you already use a fingerprint or facial recognition to unlock your device. If you prefer not to use biometrics at all, you can use your screen unlock PIN or pattern instead.

Shared accounts

For accounts that you share with someone else, passkeys change the privacy situation slightly. With passwords, a website doesn't know whether it's you or your friend typing in the password. With passkeys, you'll most likely need to generate two passkeys for the account: one for you and one for your friend. Each of you can log in using your own passkey, but the site will know which passkey is logging in.

Lost or stolen device

If you store passkeys on a security key, someone who has physical access to your security key can list all the passkeys, including which sites they belong to. Some security keys have a setting to require a PIN before listing the passkeys, in addition to the normal requirement to enter a PIN before logging in with a passkey.

If you store passkeys in a password manager, someone who has physical access to your device and can unlock your password manager will get a list of all the sites for which you have passkeys and passwords - not to mention getting the ability to log in to those sites! If you have a secret account and need to protect against someone with physical access to your devices, passwords may be a better option; just be sure to also use incognito / private browsing mode, and be aware that phishing is still a risk.

Cloud accounts

For most people, the most convenient password manager will be the one built into their operating system: Windows Hello, Google Password Manager (on Android and ChromeOS), or iCloud Keychain. To use them, you'll have to be logged in with your Microsoft, Google, or Apple account. If you're not already logged into one of those cloud accounts, logging in may prompt you to share a pile of additional data, like your browsing history and bookmarks. In general you can turn off those extra "sync" features but it requires a little extra attention.

You can also use a third-party password manager, which won't try to sync all your extra data in addition to your passwords.

Conclusion

For most purposes, passkeys will represent a significant improvement in security at nearly zero cost to privacy. As described in the previous article, there are still significant growing pains in the passkey ecosystem, but they will likely be resolved in the near future.