Passkeys are an authentication mechanism, and as such replace (authentication) passwords, not (encryption) passphrases.
A password (at least as I understand the term) is used to authenticate to some third-party entity to get access to your data or services. The (implied or legal) contract here is: "Only give access to my data to anybody that can provide my password."
Government authorities can in most cases just go to the service and demand that access legally; there is no need to get your password through whatever means.
A passphrase, on the other hand, can be used to encrypt your data directly, and the service provider might not be able to hand over your data to the authorities without it.
Great! Where can I type those passphrases in Google Mail or O365 or a million other services to secure my data?
Oh? Nowhere? Then why are you even talking about the distinction?
Also, the passphrase definition is definitely not "a password used for encryption"; I dunno where you pulled that from. Original meaning is just "longer, more secure password".
> Then why are you even talking about the distinction?
GP was talking about the legal implications of using a hardware authenticator vs. a password.
> Original meaning is just "longer, more secure password"
And where do you usually need a longer, more secure password? Encryption (as opposed to authentication, where you can often rate-limit attempts) immediately comes to mind.
This is incorrect because you’re conflating access by request and access with a court order. Without a warrant, or even probable cause, police can get some metadata, but not everything in the cloud. In many places police can force you to use biometrics to unlock devices, but not compel a passphrase. (Passphrases are significantly harder for e.g. GrayKey to glitch brute force than PINs.)
> Passphrases are significantly harder for e.g. GrayKey to glitch brute force than PINs.
PINs are their own thing, i.e. neither passwords nor passphrases. They form a hierarchy:
Passphrases: High (enough) entropy; can be stretched into an encryption key using a PBKDF.
Passwords: Medium entropy; long enough to be somewhat brute-force resistant in case of a database breach. Can't really be used to encrypt data by themselves.
PINs: Very low entropy; must be part of a larger, trusted system that can reliably enforce limits on invalid PIN attempts. Practically, this means tamper-resistant hardware, e.g. an HSM, TPM, smartcard, Yubikey...
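The hierarchy in the comment above, worked through as an added example that is not part of the original thread: it stretches a secret with PBKDF2 and compares the three classes when guessing is unlimited (offline) versus capped by trusted hardware. The keyspaces, the 600,000 iteration count, the 10,000 guesses per second rate and the 10-attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import math
import os

# Constructed secret classes; each keyspace size is an illustrative assumption.
KEYSPACES = {
    "6-digit PIN": 10 ** 6,
    "8-char random password (a-zA-Z0-9)": 62 ** 8,
    "6-word diceware passphrase": 7776 ** 6,
}

def entropy_bits(keyspace):
    """Entropy of a uniformly random secret drawn from `keyspace` options."""
    return math.log2(keyspace)

def derive_key(secret, salt, iterations=600_000):
    """Stretch a secret into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               iterations, dklen=32)

def expected_offline_seconds(keyspace, guesses_per_second):
    """Average search time with no attempt limit (half the keyspace)."""
    return keyspace / 2 / guesses_per_second

def online_success_probability(keyspace, attempts_allowed):
    """Chance of a hit when hardware locks or wipes after N wrong tries."""
    return min(1.0, attempts_allowed / keyspace)

def report(guesses_per_second=10_000, attempts_allowed=10):
    """One row per secret class: (name, bits, offline seconds, online odds)."""
    return [
        (name,
         round(entropy_bits(ks), 1),
         expected_offline_seconds(ks, guesses_per_second),
         online_success_probability(ks, attempts_allowed))
        for name, ks in KEYSPACES.items()
    ]

if __name__ == "__main__":
    salt = os.urandom(16)  # random per-secret salt, stored next to the ciphertext
    key = derive_key("constructed sample passphrase for this demo", salt)
    print("derived key:", key.hex())
    for name, bits, offline_s, online_p in report():
        years = offline_s / (365 * 24 * 3600)
        print(f"{name:36} {bits:5.1f} bits  "
              f"offline ~{years:.3g} years  online p={online_p:.3g}")
```

Under these assumed rates the PIN falls in under a minute once the attempt limit is gone, which is why it depends on tamper-resistant hardware, while the stretched passphrase stays out of reach without any enforcement at all.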
You're introducing key stretching for unknown reasons. It's irrelevant for attacks on e.g. iPhones -- they're not cracking encryption, they're doing dictionary attacks.