June 12, 2023

5 Big Misconceptions about Passkeys

As FIDO-based passkey login is getting a great boost from companies like Google and Apple, there is a lot of chatter and buzz about passkeys now. We want to cover 5 misconceptions about passkeys that are stopping people from using them.

  1. Passkeys are like passwords with just a fancy name
  2. My app already uses Face ID/biometrics, so we do not need passkeys
  3. Passkeys are not phishing resistant
  4. If I lose my device, I will lose access to my accounts if it is completely passkey-based
  5. Passkeys have privacy concerns

Let’s delve into these top 5 misconceptions and see what is right or wrong.

Misconception 1: Passkeys are like passwords with just a fancy name

Contrary to this belief, passkeys are not merely rebranded passwords. While both serve the same purpose—to authenticate user identities—passkeys are fundamentally different. Passkeys leverage the FIDO (Fast Identity Online) protocols, which provide robust, phishing-resistant, public-key cryptography based authentication that is easier to use and more secure than traditional passwords.

For example, Google introduced passkey-based authentication for Google Accounts, so you can sign in without needing to remember a password, reducing the risk of user-induced security vulnerabilities.

Unlike traditional passwords, which are stored on your application provider's servers, passkeys work in a different way. When you enable passkey-based login for an app or website, it first asks for your Face ID/biometric or a PIN to proceed. It then generates a pair of private and public keys for your account. The public key gets stored on the server, but the private key never leaves your device. An attacker can't derive the user's private key, which is always required to complete authentication, from the data stored on the server.

Misconception 2: This app already uses face ID/biometrics, so we do not need passkeys

Many apps allow you to use biometrics or Face ID to access their application, and it is more convenient because you no longer have to remember or store passwords. However, it does not make the app more secure: your user ID and password pair can still be used to access your account, and it is still stored on the application server, where it is prone to mass data breaches.

Misconception 3: Passkeys are not phishing resistant

FIDO-based passkeys have been designed specifically to be phishing resistant. Traditional passwords can be vulnerable to phishing as they often rely on user-entered data, which can be intercepted or mimicked by hackers. Passkeys, on the other hand, leverage cryptographic principles. They are locally stored and never shared with online servers, significantly reducing the risk of phishing attacks.
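The flow described under Misconceptions 1 and 3, as an added example that is not code from the original post or from any passkey platform: a simplified Node.js model in which `Authenticator`, `RelyingParty`, `app.example` and `app-example.test` are hypothetical names and JSON stands in for the real WebAuthn encoding. The device keeps one private key per site, the server stores only the public key, and a replayed assertion or a request from a look-alike site fails verification.

```javascript
// Added example: simplified passkey model; all class, user and host names are hypothetical.
const crypto = require('crypto');

class Authenticator {                       // stands in for the user's device
  #keys = new Map();                        // site hostname -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this reaches the server
  }
  sign(origin, challenge) {                 // origin is supplied by the browser, not the page
    const key = this.#keys.get(new URL(origin).hostname);
    if (!key) return null;                  // no passkey for this site: nothing to hand over
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

class RelyingParty {                        // stands in for the app's server
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user);              // each challenge is single use
    if (!assertion || !expected) return false;
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (challenge !== expected || origin !== this.origin) return false;
    return crypto.verify('sha256', Buffer.from(assertion.clientData),
                         this.publicKeys.get(user), assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const rp = new RelyingParty('https://app.example');
  rp.enroll('alice', device.register('app.example'));
  const first = device.sign('https://app.example', rp.newChallenge('alice'));
  const genuine = rp.verify('alice', first);
  rp.newChallenge('alice');
  const replayed = rp.verify('alice', first);           // old signature, new challenge
  const lookalike = device.sign('https://app-example.test', rp.newChallenge('alice'));
  const phished = rp.verify('alice', lookalike);        // device had no key for that host
  return { genuine, replayed, phished, serverHolds: rp.publicKeys.get('alice').split('\n')[0] };
}
```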

Misconception 4: If I lose my device, I will lose access to my accounts if it is completely passkey-based

This concern is valid but not entirely accurate. Yes, losing a device used for passkey authentication can potentially lock you out of your accounts. However, most platforms offering passkey-based security provide options for account recovery. These may involve backup passkeys, alternate devices, or even using traditional recovery methods like email or phone verification.

To ensure uninterrupted access to your accounts, it is recommended to set up multiple recovery options when available. It’s also crucial to safeguard your physical devices just as you would protect traditional password information.

Misconception 5: Passkeys have privacy concerns

When users sign in with a passkey using biometric details, they may mistakenly believe that their sensitive data is being transmitted to the server. However, the truth is that such biometric data never leaves the individual's personal device.

Passkeys by themselves do not facilitate user or device tracking across various websites. Each passkey is exclusively assigned to a single site, ensuring no cross-site usage. The underlying protocols of passkeys are meticulously crafted such that no information shared with websites can be used as a tracking mechanism.

Passkey managers are implemented to safeguard passkeys from unauthorized usage or access. For instance, Google's Password Manager employs end-to-end encryption for the secure storage of passkey secrets. These are only accessible by the user and despite being backed up on Google's servers, Google cannot use them to masquerade as the user.

About the author
SoundAuth makes passkey implementation easy. Make your app and website passkey-ready within a matter of a few minutes rather than several months.