.
What is a passkey? Is it a file saved to a decice? Can it be on multiple devices? How do you set it up on your first device? What if you lose your device? Do you need your first device to add it to a second device? How is that different than a text field saved to a password manager?
https://www.passkeys.io/technical-details#passkeys-under-the-hood
They are a form of public key cryptography.
The private key never leaves your device.
You can’t really transfer them between devices.
A lot of your other questions depend on the service. Generally you can still opt to use a password+2FA instead even if you have PassKeys enabled so adding one on a second device would simply require logging in with the password first or authenticating from another device if the service supports it.
I don’t use 1Password so I can’t speak to their setup.
This doesn’t seem more secure than having a password saved in a password manager.
It definitely is. A passkey in a TPM, for example, cannot leave a device. Also, passkeys can have phishing resistance that you cannot obtain with a password and most MFA solutions.
Where passkeys fall short is registering new devices and recovery. I’m not sure what 1Password’s solution is here.
It’s much more secure on ‘less than trusted’ devices and for less than secure people.
Instead of having to type your password in on your friends laptop that may have a keylogger installed, you just type your username in and then do your fingerprint on your phone. That’s it; your phone verifies it’s you and then transmits the passkey over Bluetooth, so it can’t be phished or observed while you type it.
For less than secure people, you don’t have to convince them to use a password manager and stop writing their passwords on sticky notes. They just type in their username and do their fingerprint on their phone. It can’t be phished so even if someone is remotely controlling a victims computer the damage is limited to allowing access to a single account on that physical computer - they can’t take that passkey and use it anywhere else, unlike a password for an email account that’s used for online banking as well. They also can’t keylogger it and then log in after they’re disconnected from the victim.
