Use Strongbox to save passkeys in your KeePass database and sync them across your devices.
What Are Passkeys?
Passkeys are a password replacement that allows you to log in to websites and apps by simply unlocking your device, typically with Face ID, Touch ID or a PIN code.
Passkeys don’t need to be remembered, you rely on Strongbox to remember and protect them on your behalf. They’re resistant to hacks and phishing. They are both highly convenient and highly secure.
Passkeys replace passwords with cryptographic key pairs. The public key is stored by the service that you’re requesting access to, and the private key is stored on your device (or in your Strongbox database). It’s not possible to reverse engineer the private key from the public key.
If you decided to log into your Google account using a passkey:
- Google would first request that you provide proof or a “signature” indicating that you know the private key that corresponds to the public key you used when you registered with Google.
- Strongbox checks to see if it possesses a matching private key for the requested public key.
- If a matching key is found, a mathematical proof or “signature” is sent to Google. This proof assures Google that you possess the matching private key and then access is granted.
This process is much more secure than simply providing a password, whilst at the same time being faster and easier to use.
Why Use Passkeys?
Passwords Can Be Weak
Weak passwords can be easily hacked or guessed. And if a password is reused across multiple services, one hacked account can lead all of the others to be compromised as well.
Strongbox (and password managers in general) already address these issues by encouraging the creation of strong and unique passwords. That said, many people continue to create weak passwords and reuse them across different websites and apps.
In contrast, passkeys are always strong, they’re never short or simple in the way that a password can be. They’re also unique to a single service. No two passkeys are the same.
Passwords Can Be Stolen
If the server for a website or app you use is hacked and your account password is stolen, attackers can have access to your account immediately.
If, on the other hand, attackers gain access to your passkey’s public key, they are not able to access your account without the corresponding private key which is only stored by Strongbox. The private key is never stored on the servers of the websites and apps you use and it cannot be guessed by obtaining the public key.
Passwords Require Extra Measures To Be Secure
Because of all of the aforementioned issues with passwords, an additional layer of security is often added in the form of multi-factor authentication. A second factor is required in addition to the password, either a time-based one time password (TOTP) code or an in-app approval. This way, even if your password is compromised, a hacker still needs this extra factor to gain access to your account.
This extra protection comes at the cost of convenience. Because of this it’s often not enabled by default and most users do not choose to enable it.
Unlike passwords, passkeys are multifactorial by design:
Passkeys are kept on a user’s devices (something the user “has”) and — if the Relying Party requests User Verification — can only be exercised by the user with a biometric or PIN (something the user “is” or ”knows”). Thus, authentication with passkeys embodies the core principle of multi-factor security.FIDO Alliance
This means all passkeys automatically benefit from increased security without any extra set up or extra steps when signing in.
Passwords Can Be Phished
Phishing is typically achieved by an attacker creating a fake version of a website that looks very similar to the original. The target of the hack is convinced to enter their password into this fake version of the site, usually after being sent a convincing looking email with a link.
TOTP codes can also be phished in this way. The only difference is that the attacker has to log into the real site simultaneously as their target is being phished. When a TOTP code is requested by the real site, the attacker captures the TOTP code entered by the target on their fake site. This process can be automated and deployed at scale.
SIM swap attacks also allow attackers to obtain SMS codes with relative ease.
Using passkeys makes it much harder for an attacker to impersonate a website because the URL of the site you’re logging into is checked before the private key is used to authenticate. Even if the fake site is visually identically to the original, your browser and device will automatically determine that the URL doesn’t match.
Why Manage Your Passkeys With Strongbox
Managing your passkeys in Strongbox gives you more control.
When you add a passkey to KeePass database in Strongbox, you can control where that passkey is stored and how it is synced between devices.
Strongbox databases can also be configured to sync using a cloud drive, WebDAV or SFTP, transferred over WiFi, USB, or AirDrop, or be local-only. When you manage your passwords and passkeys with Strongbox, you can decide how you store and back them up, and whether you copy them onto multiple devices and how that transfer is done.
Protect your passkeys with state-of-the-art cryptography, brute force resistant KDFs, YubiKey support, and much more.
And everything can be configured to your exact requirements.
With Strongbox, you can be confident that you will be able to export your passkeys to a different app in the future if needed. There’s zero lock-in.
And because the default Strongbox databases format is based on the open source KeePass file format, you can access your passkeys in any KeePass compatible app on any platform, including Android, Windows and Linux.
Unfortunately we cannot offer support for passkeys on other database formats, e.g. Password Safe or older KeePass 1 (KDB) based databases, because they don’t offer the flexibility of storing new custom data items. It is relatively straightforward to convert older databases and Password Safe databases to the more flexible and modern KeePass 2 format. We have some guides on our support site for that.
Support for passkeys is coming soon to some major KeePass clients like KeePassXC, with whom we’ve worked to ensure compatibility. We’re hoping other KeePass clients can take advantage of our trail breaking here.
We’ve written a step-by-step guide on how to set up your iPhone, iPad and Mac to create and sign in with passkeys with Strongbox: Use Passkeys With Strongbox