Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
That’s what I worried, and then especially to computers that age out of updates (2 older MacBooks).
We end up having to reauthenticate on some other device at some point anyway and that means there’s still going to be a weak point.
Like with 2 auth sim jacking.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
Not to mention Apple decided to make passkeys Airdropable. Fun.
I worked on a cool projected called FedID: https://fedid.me/ that creates a distributed identifier (DID) out in the world, federated with AvtivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.
That being said, Web passkeys can be stored in password managers, just like passwords.
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Sure, they probably work great when you have your *passkey manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
I can access my password manager via the browser from any device.
Can’t you access your password manager from a web browser? Or your phone?
Oops, meant passkey manager, fixed it.
Isn’t that the same thing? All my credentials & passkeys are in the cross-platform password manager available from all my devices & any web browser. Passkeys even have a cross-device flow, so we can just scan a QR code & use a phone to sign into anything.
Manually keying in a password just feels so boomer.
You could also use dedicated hardware to store your keys. Any FIDO USB key will do. I have a Yubikey that cost me less than 30 bucks.
It’s really handy, because I frequently use someone else’s device for work. All I have to do is plug it in, press the button on the key and enter the master password for the passkey storage. It’s like having a password manager on a USB stick.
Yeah the moods in this thread, like
“[I don’t understand this]!”
“[I don’t trust this]!”
“[It doesn’t fix everything]!”
“[This doesn’t benefit me]!”
“[What’s wrong with old way]!?”
And like, all valid feelings… just the reactions are a bit… intense? Especially considering it’s a beta stage auth option that amounts to a fancy version of the old sec key industry standard, not the mark of the beast.
Because we all know it will eventually go from a “neat” to mandatory with vendor lock-in for no other reason than “fuck you”.
We’ve all seen it a few hundred times now with X, and Y.
I get a few daily pop-ups for “Want to use a pass key”. One from my bank. No I don’t want to link my fingerprint to my bank account especially in a way that will lock me out when I replace my phone.
Remember folks: Biometrics (What you are) is not constitutionally protected but what you know is (for now at least).
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
They don’t email you a passkey, what are you even talking about?
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
There are quite a few uninformed takes here & the number of upvotes they got for it is stunning. Lemmy. 😞
Lemmy has been very anti passkey at least since it’s rise in 2023, it’s very interesting how tech forward Lemmy generally is and how anti passkey and not even anti, just generally uninformed on them they are.
I for one love them. I always read everyones opinions here and just think nobody has even attempted to use them. It’s very simple.
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
sounds like a better solution is don’t use docusign
K, I’ll go tell the CEO that they need to come up with something different.
There’s like a million other free/libre digital document signing platforms out there. Try one that doesn’t suck.
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
It is not portable in the sense that you need bitwarden installed on the device you are trying to connect from.
Passwords can be plain text, which means I can copy, paste, and dictate them to a device that does not have additional software installed.
Why do you have the 4-digit PIN? Well, it’s just to unlock the part of your device where the private key is stored.
And there is the problem I have with passkeys. With a password it is me authenticating to the service I’m using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that’s part of using the tech).
With passkeys you’ve got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you’re now relying on to keep your data safe. I get that for people whose password is “password123” or who aren’t savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.
To my point, later in the article:
Securing your cloud account with strong 2FA and activating biometrics is crucial.
What’s that now? The weak point is the user’s ability to implement MFA and biometrics? The same users who couldn’t be bothered to create different passwords for different sites? You see how we’ve just inserted another layer into the authentication process without solving for the major weakness?
With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab – snake oil for companies to get their tentacles tighter around your digital existence.
Happy to be proven wrong.
How do you currently store your passwords? I would also consider that a third party with an adittional atack surface if you are considering the passkey location one.
Also your argument
(if you ignore the operating system, web browser, network protocols, etc., but that’s part of using the tech).
is faulty. That is because passkeys exist in part to mitigate those atack vectors. Mitm, a compromised browser or client, etc. is less of an issue with passkeys. The information transmitted during an authentication can not be reused on another authentication attempt.
I don’t agree on passkeys complicating things either. For me the authentication-flow is not more complicated then KeePasses autofill.
Assuming one can be ‘tech savy’ enough to not fall for fishing is bad. There are quite advanced attacks or you might even just be tired one day and do something stupid by accident.
What’s that now? The weak point is the user’s ability to implement MFA and biometrics? The same users who couldn’t be bothered to create different passwords for different sites?
You don’t expext the user to ‘implement’ mfa or biometrics. You expect them to use it. And most places where a novice would store passkeys don’t just expect but enforce it. It is also way simpler to set up biometrics on one device compared to keeping with a good password strategy.
Passkeys can’t be phished.
That’s the main point.
Phishing is a reeeeal pain. And something that needs to be solved. Not through training but with technology.
Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it’s a unique passkey thing.
Passkey has an advantage when it comes to phishing because it doesn’t totally rely on human intelligence or state of mind.
From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn’t a shared secret. A breach will be useless.
I think you’re making my point. First, you’re right that passkeys can’t be phished. But access to the passkey manager can be. And now you’ve doubled your exposure to leaky third parties, once with the service you’re accessing and another with the passkey manager.
But the third parties actually have no access to your passkeys. The passkey stored are end to end encrypted blobs. So even if anyone gets hold of it, its useless. But a password for instance when leaked from 3rd party can be used easily as the server will have to decrypt the password at one point. So the means to decrypt the password will be at the server but passkeys aren’t like that. The private passkey can be decrypted only on your device for signing the challenge. Basically your exposure was basically halved.
All I know is a few months back someone setup a passkey on a shared google account at my job and now nobody but knows what the password for our email is. I can use the passkey to sign in with my phone, but only I can do that.
I think Google accounts are made usually for single user and thus passkeys. But may be you can try going to the share Google accounts security and there’s an option skip password when possible. Disable it… May be it might work. I’m not sure tough.
someone setup a passkey on a shared google account at my job
I can use the passkey to sign in with my phone, but only I can do that
If you can sign in, you should be able to reset the password.
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.
Bitwarden does support access to access keys in (for example) firefox.
I have not tested outside of browser (firefox). So it may depend on if you use chrome or some other app.Edit: Just got a suggestion inside the Amazon app (Android. Yes, I hate Amazon as well but I got a gift card and I hate it even more to give them a free of charge credit) to add a passkey. So it seems to work (semi-)reliable outside of a browser.
Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.
seems like too much messing around to make it a widespread solution.
Acrually not really.
I do use it with my password manager.
Very convenient.BUT, it’s not hardware based so more suscepticle to attacks.
if it undermines or circumvents my fifth amendment right not to testify against myself, then I’m not interested in ending the use of passwords.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Your passkeys aren’t synced to anything, so the passkey is no different than your password hash. They’re device locked unless you use something like bitwarden, so you’re no more dependent on American mega corps than you are right this second.I’m wrong.
Dont they all sync to the respective cloud services?
iOS vault -> synced apple cloud Android vault -> synced with Google cloud?
Windows Hello -> synced with Microsoft account?And if they’re not synced, that’s even worse. Loose your device and loose your account. Or keep track of which of your 5 devices are have keys for which of your 150 accounts
Say you don’t understand passkeys without saying you don’t understand them…
A passkey uses public key cryptography to secure your account instead of a password, it only grants you access to the one account you set it up for, and the account provider only holds your public key, you control the private key. Your passkey is a secure alternative to passwords because you CANNOT reuse it across services, cannot reasonably remember it, and the method of using it isn’t by copying and pasting into a field like a password, so it isn’t susceptible to the same attacks.
If the provider loses your public key, they can’t give you a challenge to verify you have the private key, so you lose access. Just like if they lose your password hash. It’s an identical scenario.
The assumption is that the native passkey manager on the device (iPhone, android, windows) would sync the passkeys (to Apple , Google, Microsoft) for protection against device failure and easy of use across devices. Or you risk loosing your accounts if you loose your device.
I don’t want to boot up a fucking android VM to run some login app every time I need to log into an unimportant account that realistically I would have used “el-passwordo” for the password if it let me.
You can use browser extensions, not sure why you’d think you’d have to run an android VM lmfao
I just know the one my employer forces me to use can’t be. Need to use the stupid microsoft app.
Yeah totally not going to be misused by corporations with proprietary cryptographic-algorithm
I use Passkeys with Bitwarden in desktop Firefox, but for some reason I can’t get them to work in GrapheneOS/Vanadium even though I have Bitwarden set as my password provider
The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.
KeePassXC supports passkeys directly through the Browser Integration service.
https://keepassxc.org/docs/KeePassXC_UserGuide#_browser_passkey_support
There you go. Local, serverless passkeys in the software of your choice.
Hardly anyone supports it: https://www.passkeys.io/who-supports-passkeys
So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.
I’ve used it with many sites not on that list. Including this one. It’s not comprehensive.
No, you do not need Microsoft/Google account.
No, thanks. I’ll keep using password+2FA and I hope that passkeys never become “mandatory”.
Thanks to our dystopian hellscape we live in it’ll become mandatory just like useless online ids. I hate having to explain passkeys to my family. Some fuckface suit who doesn’t use it properly pushed for a portfolio addition.
But what’s dystopian about passkeys? They are actually more secure than Password + TOTP. Phishing out a passkey is practically impossible.
If its not fully functional it feels more like a vendor lock in than anything actually useful. Use a Google device but want to change? Oh I’m sorry you have to do all this work first thanks to passkeys.
Some websites are better about it but they can also have support in-fighting over which service works better. Its the Password Manager scenario all over again but worse.
That’s why it’s important to avoid vendor lock-in and use actual reputable password managers to secure your passkeys such as Bitwarden, 1Password, or KeePass. On Android 14+ and iOS, you can even set your preferred password manager as the default passkey provider.
If you don’t fully trust Bitwarden servers, you can self-host a Vaultwarden instance, which is compatible with Bitwarden clients. Alternatively, using a yubikey is also a great hardware based option. Just because Google & Microsoft are heavily promoting passkeys doesn’t mean they’re inherently bad.
Passkeys work flawlessly for me across platforms:
- Android 14–15 (except on Brave with de-Googled devices)
- iOS 17–26 (and likely beyond)
- Windows 11
- Linux; while it doesn’t have OS-level integration yet, passkeys work perfectly in modern browsers
Personally, I use passkeys everywhere. I host my own Vaultwarden instance to store all my passkeys, and for redundancy, I also keep separate ones in my Keepass database, which I use for TOTPs. My self-hosted stack is secured by Authentik, running completely passwordless and uses passkeys for authentication and other apps integrate via OAuth and Proxy Auth.
I still don’t quite understand the issue you mentioned with websites. Typically, the passkey mechanism is triggered directly by the browser or OS (if you’re on mobile). You’ll be prompted to either save a new passkey or sign in with an existing one. If your password manager is correctly set up as the default credential provider, it should work seamlessly. Even without a browser extension, most Chromium-based browsers let you scan a QR code with another device that has your passkeys or you can simply insert a yubikey to authenticate.
What infuriates me is that some services like Amazon use passkeys only as second factor and asks for an OTP anyways which defeats the whole purpose. But for services that do it right, passkeys works seamless!
Yeah now try explaining all of that to tech illiterate family who don’t care beyond “I’ll just use Google Passkey” even if its the worst option.
I set my mother up on my Vaultwarden instance and she uses it just fine w/o needing to configure anything other than me setting it as the Default Passkey Provider.
Didn’t have to explain her anything other than telling her to scan her fingerprint when the prompt comes. 🤷🏻♂️
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it’s a passkey.
Passkeys are cool but you still need 2fa.
How do you use it then if you need to share access in the whole team?
You don’t share your personal password across the whole team now, do you? At least for your teams sake I hope you don’t.
You know that not every account is only used by a single user, right?
I think that’s the problem right there… If you share accounts across multiple people you have far greater problems than how passkeys work…
share your personal password
We share a password. Then we don’t call it a personal password anymore. Was that your question?
That’s an IAM no-no.
So? Read my question above.
You create unique accounts for every team member so that access can appropriately be logged.
Or you implement a PAM tool that logs access and vaults the password and rotates it after use.
So do you think passkeys are not useful at all for me?
