About Passkeys and Security Keys
- First, it is important to know that passkeys are used at Wake Forest as a 2nd factor (2-step verification) for our WFU Google Accounts.
Security Keys
What they are:
- A physical security key usually looks like a flash drive and you can keep it handy on your keychain.
- The credentials on a security key stay "bound" to that device and don't travel anywhere else.
Example:
- Plug in your security key and when prompted, tap the device to unlock access to your account.
Passkeys:
What they are:
- Passkeys are stored in a secure cloud service, like Apple's iCloud Keychain or Google Password Manager.
- This allows them to "sync" across all your devices that are connected to that service.
Convenience:
- This makes logging in much easier, as you can use the same passkey on any of your devices.
- It also provides backup and recovery options if you lose a device.
Security:
- Even when passkeys are synced using a cloud service like iCloud, the private key portion remains primarily within the Secure Enclave of your devices. This means it's heavily protected from software-based attacks.
Example:
- When prompted, tap your finger to engage Touch ID and unlock your passkey for accessing your WFU account.
Key Differences Summarized:
- Location: security keys are on a single device; passkeys are in the cloud.
- Convenience: passkeys are more convenient.
- Security: Both are the most phishing-resistant 2-step options. Passkeys are very secure but carry a slightly higher theoretical risk than security keys.
Which is Better?
- It depends on your priorities.
- Many people will likely use a mix of both. For example, using device-bound passkeys for very sensitive accounts like banking, and synced passkeys for more general use.
- IS recommends setting up multiple passkeys, including synced (Google Password Manager, iCloud, Windows Hello) as well as device-bound (security keys such as YubiKeys).
Ready to set up passkeys?
Visit go.wfu.edu/passkeys to learn how.