First, I completely get the visceral reaction to storing biometric verification credentials. You’ve only got ten fingerprints, two irises, and one face — what’re you supposed to do when they’ve all been hacked?
But the dispassionate analysis shows that those fears are not just unfounded, but counterproductive.
First, before questioning any sort of highly-regarded modern cryptographic system, remember the $5 wrench:
xkcd.com
Next, it might help to know that it’s not that your actual one-and-only face scan (or whatever) is being encrypted and stored on your phone. Rather, the process works something like this:
First, the passkey itself is created. Presumably, this is a typical asymmetric key pair, with a public half and a matching private half.
Then, your face is scanned, creating an insane number of measurements. These measurements are just numbers, the same way that the letters you type are just numbers — 65 for A, 66 for B, 97 for a, 98 for b, and so on. The private half of the key pair is encrypted in such a way that it can be decrypted with an arbitrary random subset of the numbers from those measurements. This subset is large enough to be secure but small enough to work when you’ve got shadows on your face, when you’re wearing glasses, when your hair gets in the way, and so on.
The public half is sent to the site who wants to authenticate you. When you want to do the authentication, your phone scans your face and tries to use the numbers from the scan to decrypt the private key. If it succeeds, the rest of the asymmetric verification proceeds as usual with the decrypted private key.
So an attacker would have to both have your phone (where the encrypted private key is stored) as well as either your actual face (see the $5 wrench) or a realistic-enough animatronic copy of your face. Or have your phone, the technical expertise to extract the encrypted private key from the physically-tamper-resistant memory, and a not-yet-invented quantum computer to decrypt it. Or a $5 wrench.
This is leaps and bounds more secure than anything that has ever been available to the general public ever before — especially since it’s secure from the “look-over-the-shoulder and then steal the phone” attack that’s currently the biggest threat iPhone users face.
So … is it perfect? No; if nothing else, there’s still the $5 wrench to worry about. Are there vulnerabilities that a sophisticated agent could exploit? Perhaps, but they’ll be so expensive that the sophisticated agents will be extremely careful about those they target.
Much more importantly, is there anything better? Not that I’m aware of — and that especially includes everything that’s familiar. The closest you can get is a password manager (like what’s built into MacOS, probably the best one available for individuals) … assuming that your passphrase is secure. But no human can remember a truly secure passphrase and also update it with the frequency necessary to come close to the level of security offered by default with passkeys. So, then, a password manager with a super-secure password that’s rarely used plus biometric authentication for regular use … and the passkeys simplify that and remove the biggest vulnerability.
Cheers,
b&