This is part 2 of our series on passkeys. See part 1 here.
In our previous article we described what a passkey is: a few hundred bytes of data stored in your password manager, security key, or elsewhere, which allows you to log in to a specific website without a password. The good news is that passkeys are quite well designed from a privacy point of view, even though they give a little more information to websites than a plain old password.
Cross-site Tracking
One of the most important attributes for passkeys is that they shouldn’t enable cross-site tracking. In other words, if you create a passkey on site A, and create a different passkey on site B using a different name, email address, and IP address, the two sites shouldn’t be able to correlate the separate identities, even if they’re sharing information behind the scenes.
Passkeys satisfy this requirement. Each passkey you create is unique, though there are some small caveats to be aware of.
If you store your passkey in a security key or TPM, websites can request the make and model of your device (depending on whether the browser allows it). Usually this only identifies a broad category of common devices. For instance, Chrome’s policy on security keys “expects” each distinct make and model to represent at least 100,000 devices. In the past, some manufacturers shipped security keys where each one had a uniquely identifying make and model, which was a major privacy flaw. It’s possible other manufacturers will make the same mistake, but it’s likely that browsers would block such flawed devices. In general, consumer-facing websites should avoid requesting make and model information, since this feature is intended primarily for companies managing their internal login infrastructure.
If you store your passkey in a password manager, websites can learn which password manager you are using.
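As an added example (not code from the original article), the sketch below shows how a site could check that its registration request does not ask for make and model, and whether a registration response carries a model identifier. It assumes the "make and model" request corresponds to the WebAuthn `attestation` option and the AAGUID field of authenticator data; the function names and sample bytes are constructed for illustration.

```javascript
// Added example, not from the original article. Field names and byte
// offsets follow the W3C WebAuthn spec; all sample data is constructed.

// Returns findings for a PublicKeyCredentialCreationOptions-shaped object
// (the `publicKey` member passed to navigator.credentials.create()).
function auditCreationOptions(publicKey) {
  const findings = [];
  const pref = publicKey.attestation ?? "none"; // the spec default is "none"
  if (pref !== "none") {
    findings.push(`attestation "${pref}" requests make and model information`);
  }
  return findings;
}

// Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4),
// then, when the AT flag (0x40) is set, a 16-byte AAGUID naming the model.
function extractAaguid(authData) {
  if (authData.length < 37) throw new RangeError("authenticator data too short");
  if ((authData[32] & 0x40) === 0) return null; // no attested credential data
  if (authData.length < 53) throw new RangeError("truncated AAGUID");
  const hex = [...authData.subarray(37, 53)]
    .map((b) => b.toString(16).padStart(2, "0"))
    .join("");
  return hex.replace(/^(.{8})(.{4})(.{4})(.{4})(.{12})$/, "$1-$2-$3-$4-$5");
}

// True when the response carries a non-zero AAGUID, i.e. the site has
// received a model identifier it may not want to log or store.
function revealsModel(authData) {
  const aaguid = extractAaguid(authData);
  return aaguid !== null && !/^[0-]+$/.test(aaguid);
}

// Constructed sample: zeroed rpIdHash, flags UP|UV|AT, signCount 0,
// AAGUID filled with one repeated byte, zero-length credential ID.
function sampleAuthData(aaguidByte) {
  const data = new Uint8Array(55);
  data[32] = 0x45;
  data.fill(aaguidByte, 37, 53);
  return data;
}

console.log(auditCreationOptions({ attestation: "direct" }));
console.log(extractAaguid(sampleAuthData(0xab)), revealsModel(sampleAuthData(0xab)));
```

A consumer-facing site that has no use for the identifier can run a check like `revealsModel` on registration responses and drop the value instead of persisting it.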
Similarly, some security keys may implement a “
This article has been indexed from Deeplinks