In our previous discussion, we introduced passkeys—a cutting-edge login method designed to enhance security and thwart phishing attempts. While they offer heightened protection, it’s essential to understand how passkeys handle privacy considerations. Let’s delve deeper into their privacy-centric features and how they impact various aspects of your online experience.
Guarding Against Cross-site Tracking
A paramount attribute of passkeys is their ability to thwart cross-site tracking. This means that when you generate passkeys on different websites using distinct credentials (such as names, email addresses, and IP addresses), the sites should not be able to link these separate identities, even if they share information in the background.
Passkeys adeptly meet this requirement. However, there are slight nuances to be mindful of:
- If you store your passkey in a security key or TPM, websites may request information about the make and model of your device. Typically, this only reveals a broad category of common devices, ensuring a level of anonymity. Manufacturers are expected to comply with certain privacy standards to prevent any potential breaches.
- Passkeys stored in a password manager may inadvertently disclose which manager you use. While not a critical privacy concern, it’s worth noting.
Biometrics and User Verification
When utilizing a passkey, your device may prompt you to use biometric features like fingerprint or facial recognition to verify your identity. Crucially, this data is not transmitted to the website. Instead, your browser informs the site that “user verification” was successful, adding an extra layer of security.
Shared Accounts: A Consideration
For accounts shared with others, passkeys introduce a subtle shift in privacy dynamics. Unlike passwords, which do not reveal who is logging in, passkeys necessitate the generation of individual keys for each user. While this discloses which passkey is used to access the account, it maintains the privacy of individual identities.
Lost or Stolen Devices
In the event of a lost or stolen device, the implications for passkey security vary depending on storage methods:
- For passkeys stored on a security key, physical access grants visibility into all passkeys and their associated sites. Some keys offer additional protection by requiring a PIN for listing passkeys.
- If passkeys are stored in a password manager, a person with physical access to your device and knowledge of your password manager’s credentials gains access to all your stored passkeys and passwords. In such scenarios, passwords may be a more secure alternative.
Cloud Accounts and Privacy Considerations
Utilizing the built-in password manager of your operating system (e.g., Windows Hello, Google Password Manager, or iCloud Keychain) offers convenience but may prompt you to share additional data tied to your cloud account. While you can disable certain sync features, it requires extra attention.
Opting for a third-party password manager can offer a more focused approach, concentrating solely on password management without syncing additional data.
In Conclusion
For most users, passkeys represent a substantial stride toward enhanced security with minimal compromise to privacy. As we highlighted in the previous article, the passkey landscape is still evolving, but it’s anticipated that emerging challenges will be addressed in the near future. Embracing passkeys promises a more secure and private online experience, providing a robust defense against evolving cyber threats.
