About Passkeys and Security Keys

First, it is important to know that passkeys are used at Wake Forest University as a 2nd factor (2-step verification) for our WFU Google Accounts. Yet unlike more traditional options like SMS, phone calls, or numeric codes, passkeys and security keys cannot be used by a hacker from far away. They work only in close proximity to you (the real account owner) and your login.

Passkeys

What they are:

• Passkeys are accessed through your protected, trusted devices, and they cannot be shared with others. Because they can be used with your face or fingerprint (if you unlock your device with these methods), they are very convenient.
• Passkeys are stored in a secure cloud service, like Apple's iCloud Keychain or Google Password Manager. This allows them to be used across all your devices that are connected to that service.

Convenience:

• You can use the same passkey on any of your devices (iPhone, iPad, Macbook, for instance).
• If one passkey device is lost or left behind, others can then be used as backup.

Security:

• Even when passkeys are synced using a cloud service like iCloud, the private key portion remains primarily within the Secure Enclave of your devices. This means it's heavily protected from software-based attacks.

Example:

• When prompted, tap your finger to engage your TouchID and unlock your passkey for accessing your WFU account.

Security Keys

What they are: A small, physical key fob that looks like a flash drive.

Convenience:

• Can be kept on a keychain, stored in a drawer or in your laptop bag.
• Can also be used to generate a one-time code to access a service that may not accept passkeys.

Security: A security key is an entirely unique, physical device that only works in close proximity to the device trying to log in. This makes security keys extremely resistant to phishing.

Example:

• Plug in your security key and when prompted, tap it to unlock access to your account.

Known Issues

Because of the way they manage authentication, some installed applications (below) cannot yet support the use of passkeys during the login required to activate use of these tools. Information Systems is working with vendors to update these apps so they will accept passkeys. In the meantime, we suggest the use of a security key for these, or access the browser-based apps for these services, where available. If you have a security key configured, it can be used to generate a one-time use code. Please note, if you do not have a security key configured, this option will not appear. Please contact IS if you would like to request a security key.

Apps which may not support passkeys:

• Adobe Creative Suite (Acrobat, Illustrator, Photoshop, etc.): the Google account signin path will allow authentication.
• Cisco Secure Client (VPN) on iOS
• Cisco Webex (used to make and receive Wake Forest phone calls)
• Microsoft Office (Word, Excel, Powerpoint, etc.)

Key Differences Summarized:

• Location: Security keys are on a single device; passkeys are in the cloud.
• Convenience: Passkeys are more convenient.
• Security: Both are the most phishing-resistant 2-step options. Passkeys are very secure but with a slightly higher theoretical risk.

Which is Better?

• It depends on your priorities.
• Many people will likely use a mix of both. For example, using device bound passkeys for very sensitive accounts like banking, and synched passkeys for more general use.
• IS recommends setting up multiple passkeys, including synched (Google Password Manager, iCloud, Windows Hello), as well as device-bound (security key such as Yubikeys).

Ready to set up passkeys?

Visit go.wfu.edu/passkeys to learn more or visit your Google account to add passkeys.