Getting Started

About Passkeys

Passkeys are a more secure alternative to passwords. They are also more convenient in most cases.

What is a passkey?

Instead of a password, a passkey is a generated cryptographic key that is securely stored on your devices.

When a website asks for your passkey, a cryptographic challenge is exchanged. The content of this challenge is different every time, so even someone listening in the middle cannot replay it to gain access to your account.
This is similar to how enterprise-level security works with chip-based ID cards.

You can have passkeys automatically synced to all your devices or use your own dedicated hardware key - more on this below.

Why does Secure ID use passkeys?

Passkeys are newer technology and still occasionally have some rough edges when it comes to usability. So why are we pushing to use them?

Secure ID provides contact details that are used as usernames for other third-party services, and can receive messages like authentication codes and password reset emails.

This means we need to be as secure as possible to prevent unauthorised access to all the accounts you connect to Secure ID.

Stolen or guessed passwords remain a major cause of breaches; by using passkeys we massively lower your exposure to this kind of attack.

From the DBIR report linked above:

A staggering 88% of attacks against basic web applications involved the use of stolen credentials

60% of all breaches involved the human element (where users interact through actions like clicking phishing links or responding to social engineering)

How are passkeys more secure?

  • More cryptographically secure: it's impossible to create a 'weak passkey'.
  • Much more phishing-resistant - the browser will only offer passkeys for the domain that created them. This means that even if someone sends you an email pretending to be from us and you click the login link, your device literally won't supply your credentials to an attacker-controlled website.
    • This is a very strong protection if you are concerned about non-techy users who may not be as good at understanding when a link points to a legitimate domain. Passkeys literally can't be provided to the wrong domain.
  • In our case logging in with a passkey requires you to both have the passkey and verify your presence - either through a PIN or biometric input (e.g. fingerprint).
    • This establishes two-factor authentication, but in a more convenient and secure way than the usual emailed codes etc.
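The two properties above (a fresh challenge for every login, and a credential that is only ever presented to the domain that created it) are what the website checks on its side of a WebAuthn login. The following is an added illustration in Python of those server-side checks, not Secure ID's own code; the origin https://id.example and all helper names are assumptions.

```python
import base64
import json
import secrets

# Added illustration (not Secure ID's code) of the relying-party checks that
# give passkeys their replay and phishing resistance. The origin is a
# placeholder; a real deployment uses the origin of its own login page.
EXPECTED_ORIGIN = "https://id.example"


class ChallengeStore:
    """Issues random one-time challenges and rejects any reuse."""

    def __init__(self) -> None:
        self._pending = set()

    def issue(self) -> str:
        # 32 random bytes, base64url without padding as WebAuthn encodes it.
        # A captured challenge is useless for any later login attempt.
        raw = secrets.token_bytes(32)
        challenge = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        self._pending.add(challenge)
        return challenge

    def consume(self, challenge: str) -> bool:
        if challenge in self._pending:
            self._pending.discard(challenge)
            return True
        return False


def client_data(challenge: str, origin: str) -> bytes:
    """Build the clientDataJSON a browser returns for a login ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def verify_client_data(client_data_json: bytes, store: ChallengeStore) -> str:
    """Return "ok" or the rejection reason; signature checking is separate."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # The browser fills in the origin and the authenticator only answers for
    # the domain that created the key, so a mismatch means phishing or misuse.
    if data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    # Each challenge is valid exactly once, so a replayed assertion fails here.
    if not store.consume(data.get("challenge", "")):
        return "unknown or replayed challenge"
    return "ok"
```

The signature over authenticatorData and the hash of clientDataJSON, which proves possession of the private key, is verified in a separate step not shown here.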

Using Passkeys

When you create a passkey you will have two options:

Recommended: Platform Key, the convenient option

A platform key is created and managed using a so-called platform that handles syncing the key to all your devices. This means you can create the key once (e.g. on your laptop) and then seamlessly log in from your other devices (e.g. your phone).

In practice these platforms are major tech companies (e.g. Google, Apple, Microsoft) or password vault providers (e.g. 1Password). They both sync your passkeys and allow you to recover them if your device gets stolen.

We recommend the Platform Key approach for most people today, even if you are a techy person. If you are pretty much wedded to one of the big tech companies already then their passkey sync service is probably still a big security boost over using a password. The convenience is very good with the least rough edges.

How to create a Platform Key?

When creating a passkey from any of the major browsers or operating systems, the default option is almost always going to be a platform key.

If you are presented with an option to remotely create a passkey using a QR code scanned by your Android phone or iPhone, this is also a platform key.

The hardcore techy option: Hardware key

There are hardware keys that support the underlying FIDO protocol (e.g. YubiKey).

They typically work across desktop and mobile devices using a combination of USB and NFC.

Pros

  • You don't need to rely on a big tech third party to secure your account.

Cons

  • Typically a hardware key only supports around 15-25 passkeys (FIDO keys).
  • The management interface is limited: when the hardware key is full, your only option is to clear ALL the passkeys.
  • With some hardware you can't even see which keys are on the device to be sure which ones are still in use.
  • In practice this means that when you hit the limit you may have to buy a new hardware key, unless you have carefully documented which keys are on there and whether they are still in use.

We support hardware keys, but due to the risks above we don't recommend them except for experts.

Important: during our early beta we don't recommend hardware keys at all, until we support multiple keys (see below) so you can set up backups.

Multiple Keys

In the future we will support creating multiple passkeys. This will enable you to have a primary and a backup passkey. You will be able to have both platform and hardware passkeys if you wish.

Impressum

  • Name of website owner: Defora Networks GmbH
  • Address: Wallstr. 9, 10179 Berlin, Germany
  • Contact: info@defora.net, +49 (0)1556-333672-3
  • Geschäftsführer: Pierre Pronchery
  • Registered in Berlin Charlottenburg HRB: 205522 B