Passkeys may not be for you, but they're safe and easy—here's why

Aurich Lawson | Getty Images

My recent passkeys feature has generated considerable interest, and a number of the more than 1,100 comments have raised questions about how passkeys actually work and how reliable they are. In response, I've put together this list of frequently asked questions to dispel a few myths and shed some light on what we know (and don't know) about passkeys.

Q: I don't trust Google. Why should I use passkeys?

A: If you don't use Google, Google's passkeys aren't for you. If you don't use Apple or Microsoft products, the same applies to theirs. The original article was aimed at the hundreds of millions of people who use these major platforms (even if reluctantly).

That said, passkey adoption is rapidly expanding beyond the major tech players. In a month or two, for example, 1Password and other third parties will support passkey syncing that populates credentials across all of your trusted devices. While Google is further along than any other service in accepting passkey logins, new services that let users log in to their accounts with passkeys appear almost every week. In short, you can use passkeys even if you don't trust Google, Apple, or Microsoft.

Q: I don't trust any company to sync my login credentials; I keep them stored only on my local devices. Why should I use passkeys?

A: Even if you don't trust any cloud service to sync your credentials, the FIDO specs provide for so-called single-device passkeys. As the name suggests, these passkeys live on a single device and are never synced through any service. Single-device passkeys are typically created on a FIDO2 hardware security key, such as a YubiKey.

If, however, you sync passwords through a browser, a password manager, iCloud Keychain, or one of the Microsoft or Google equivalents, be aware that you are already trusting a cloud service to sync your credentials. If you don't trust cloud services to sync passkeys, you shouldn't trust them to sync your passwords either.

Q: Syncing passkeys seems extremely risky. Why should I trust any service to sync them?

A: The FIDO specifications currently require that syncing use end-to-end encryption, which by definition means that nothing other than one of the end user's trusted devices has access to the private key in unencrypted (that is, usable) form. The specifications do not yet impose a baseline for this E2EE. Apple's sync mechanism, for example, relies on the same end-to-end encryption that iCloud Keychain already uses for password syncing, and Apple has documented the design of that service in detail. Independent security experts have yet to report any discrepancies in Apple's claim that it has no means of unlocking credentials stored in iCloud Keychain.

Q: iCloud is a fundamental security feature. The onus should be on the company claiming it is safe to prove said security [sic], not on others to disprove it [sic].

A: As stated earlier, if you don't trust Apple or any other company offering syncing, consider using a single-device passkey. If you don't trust Apple or any other company offering syncing and you don't want to use a single-device passkey, passkeys aren't for you, and there is little point in reading future Ars articles on this topic. Remember that if you don't trust iCloud et al. to sync your passkeys, you shouldn't trust them to sync your passwords or any other sensitive data either.

Q: What about other sync services? Where is their documentation?

A: Google has documentation
