I read about Passkey comittee being against open source passkey managers during start of this year (can't reference it, sorry) but with open source password/key managers already supporting passkeys, i don't think it turned out to be true.
Doesn't that defeat one of the centrals aims of passkeys? In what ways is your setup different than random passwords in bitwarden - what's the additional security?
Other than that they shouldn't have a big advantage for a more professional user with unique, long, and random passwords. For the common user it should be a great upgrade, giving all these advantages with better UX.
Basically, any site that does 2FA should take passkeys.
Here's an Okta employee threatening to use the attestation (anti)feature of passkeys to block open-source implementations, because they allow you to export your passkeys: https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
Passkeys support transfer to any vendor you want.
[1] https://old.reddit.com/r/Bitwarden/comments/1efs5d2/how_can_...
[2] https://old.reddit.com/r/Bitwarden/comments/1di8nbz/import_p...
because they allow you to export your passkeys in plaintext, for easy stealing.
"Information wants to be free" should not apply to passwords!
>Device loss scenarios
>Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
>Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
On second reading, I'm thinking this might mean, "since Apple only implements Face ID, biometrics on Apple devices is less secure", which makes more sense (to me).
https://duckduckgo.com/?origin=funnel_home_google&t=h_&q=fac...
Fingerprints are much more non-deterministic and therefore more secure.
But YubiKey supports multiple protocols, one of them surely could work for your use case.
Nice read https://techrights.org/n/2025/05/02/Passkeys_Are_Vendor_Lock...
For example, my family has had to call me for help on the interaction between passkeys on Apple & Amazon multiple times. They have a shared Amazon account, which neither Amazon nor Apple seem to like. The first problem came when they didn't even know they'd been moved to passkeys - there was a popup that one of them didn't understand, they clicked OK to get it to go away, and suddenly the other partner can't log in, and neither of them can figure out how to log into Prime Video on their AppleTV. Another time one of them got "nudged" to add a fingerprint to the account, again freezing out the other person.
Until that nonsense stops happening, Passkeys aren't ready.
* Improving OS flows. Every passkey implementer that's also an OS gets really excited about enrolling you into their proprietary clouds, and using alternate flows to respect the users wish to use their own manager is usually hidden in confusing UI forms that don't feel consistent if you don't already know what you're doing.
* Device loss scenario is already mentioned, although more broadly speaking a lot of the reasons people get leery is because all three major providers (Google, Microsoft, Apple) are notorious for their near black box technical support. Losing access to one of these providers on its own is already enough to heavily disrupt the average person's life. Having your login details stored with them makes this even worse.
* The FIDO Alliance Is Way Too Excited About Device Attestation And I Don't Like It. Basically the FIDO Alliance's behavior around passkeys reeks of security theater and them badgering an open source password manager for daring to let users export their passkeys in the format they preferred, rather than what the FIDO Alliance wanted (which is that passkeys must always be encrypted with a password) is telling. If they are as secure as promised, it's a bad look to start threatening device attestation as a means to get people to comply with your specific idea of security. The only real barrier right now to it outright being a thing is that Apple zeroes out the field and when Apple is the only meaningful halt to that kind of attestation, something has gone very wrong.
I think passkeys are interesting, but I just flat out don't trust the FIDO Alliance with the idea. They're way too invested in big tech being good stewards of the ecosystem, which is becoming increasingly unpalatable as more and more evidence piles up that they're really bad actors on everything else. (So why should we trust them with our credentials?) The idea genuinely has value (it's literally the same kind of mechanism as SSH keys), but the hostility towards user freedom is deeply concerning and a blocker to getting people to use it. Even non-technical people seem leery of them, just because of how aggressively big tech has been pushing it.
You're kidding yourself if you think that this is something Microsoft, Apple, or Google are incentivized to solve. Microsoft is especially bad here - pushing their crappy products in Windows every chance they get. Once some marketing director gets the idea that this can improve retention in Outlook or something the UI will get more confusing and the dark patterns will get darker.
In practice, I expect someone to figure out a way to break into/bypass the OS flow entirely with a less "big tech wants your private details" solution and that's what winds up getting adoption.
And why can't we have the use of such keys enforced by an EU legislation so that all businesses allow users to login using such strings of random characters?
The world would then be a better place.
Passkeys are encrypyed so they can't be simply copied off your device.
Servers should allow multiple passkeys per user (so you can register multiple devices), but many don't.
The bigger question is... why don't we replace the login/password combination with just a string of randomly generated characters and call it a day?
Why protect these strings of random characters from users, call them passkeys and advertise them on all street corners?
Feels like a devil's plot to strip us from all the rights to our devices.
As far as I understand it, in the same way that a public/private keypair differs from a random chain of characters you are used to shoving into the "Authorization: Bearer XXXXXXX" header.
But a phishing site can't steal your passkey and forward it to the real site, the passkey will just not work with the phishing site if you try using it there, it's locked to the authentic domain.
What's an authentic domain?
How is my passkey locked to it?
So, unlike API keys, the actual passkey is never sent anywhere out of your device. Passkeys are more like SSH keys than API keys.
One difference between SSH and the WebAuthn protocol is that the challenge identifies which key it is expecting. So the user doesn't have to explicitly select which key to use.
But afaik you still can't move Passkeys from Chrome or Safari to any other credential manager.
I was vaguely under the impression that there was a ton of push-back again import/export flows in general, that the CEP was going to be the only supported path. And it requires that your Credentials Manager have a public endpoint to send your credentials to. Which doesn't force but radically ups the challenge for individuals to self host or manage things themselves, will drive Passkeys to remain service provided only.
With governments upping their right to snoop, immoral intercept, it's hard to have too much hope that Passkeys can remain trustable & respectable. If the UK passes a law saying they can access all your keys, the odds are not in your favor that Google is going to make a Signal like stand & tell the UK to buzz off. It's unfortunate that these giant massive enterprises are so big are so many products all in one, because if there was a healthy Chrome business not tied to thousands of other profit lines, maybe Chrome would dare have some backbone & tell their majesty to go stick it where the sun don't shine. But these companies are so big that even the most immoral outrageous ridiculous laws end up being accepted. Passkeys seems like a huge painted target; maybe the next 15-20 years go by with no one trying to get in the cookie jar, but it seems inevitable that the moral rot and illegitimacy of governments will stoop down to making this good idea untenable & a joke, in a long enough time scale. Especially with the service-provider-only ecosystem that's being engineered and imposed here.
This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.
Knowing this, how long until Netflix, Disney other content providers (sorry I don't know which ones are popular right now) demand use of a passkey originating form a device with a Trusted Platform (aka Untrusted User) Module ? This is part of a long plan initiated years ago with Windows TPM requirements, Microsoft account requirements. The gap between closed and open platforms will widen and the path is clearly to apply the Smartphone model where everything is closed, controlled, DRM'd, to other computers. We're lucky the IBM PC architecture was an open one but the war on that is on.
> Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
The benefit to the user of a passkey is that they don't have to remember passwords ("what you have" and not "what you know"). But if you lose what you have, you're screwed. There's no straightforward way to mitigate this.
Proposed solutions I've seen just add an extra layer of "what you know," but this just changes the security back to "what you know" if it supersedes the passkey.
oldestofsports•2h ago
AlexandrB•1h ago
etskinner•1h ago
- You have a strong unlock password that you don't use anywhere else
- You have a second factor set up for unlocking the vault (TPM in the device you're using, Yubikey, TOTP, etc.)
- The service you're logging into has good account recovery hygeine
The benefit, assuming those things, is that the passkey is phishing-resistant and social-engineering-resistant. If a user gets an email saying "omg, someone tried to transfer your paypal, click this link to log in", then when they try to log in with the passkey, the site the attacker is using won't be able to use the passkey (because the passkey is associated with a particular domain). Even if the user wanted to bypass this, there's specifically no way for them to extract the contents of the passkey.
That is very different from a user having their password stored in their vault. They could easily forget to check the domain, or get tricked by a very similar looking one, and copy/paste their password into the attacker's form.
abdullahkhalids•1h ago
Sure I could manually copy the password from the database, but in practice, this is fairly good security. It also doesn't treat the user as an always-idiot, which is a good thing in my book.
skybrian•1h ago
Passkeys require some kind of password manager. That's the main benefit. The adoption problems are because a lot of users don't really understand password managers.
abdullahkhalids•9m ago
And it could have been done 10 years ago.
ewoodrich•1h ago
I use Bitwarden and when the password autofill doesn't work as expected my first assumption from many previous experiences is that it's because a website changed something slightly in their auth flow or a particular page has a weird redirect/embedded login scheme different than the primary login, or similar "modern" web weirdness.
So if I get phished and let my guard down just that one time due to panic, sleep deprivation, or whatever else I'm glad that it gives me a second layer of defense against me reflexively clicking a couple times to copy/paste the password manually. A passkey dropdown with "No passkeys saved for this site" would be a massive red flag and stop me in my tracks before trying to do something else stupid.
abdullahkhalids•18m ago
But that is after 10s of millions of dollars or more have been poured into the development of passkeys, resulting in new standard specifications, diverse implementations of password managers, etc.
Now, imagine the counterfactual world where those same dollars were devoted to improving the password infrastructure. Could we have forced the average person to always password managers with long randomized passwords? Could we have build better webspecs around password entry workflows, and forced websites to fix the issues you face? I think the answer is yes.
Against this counterfactual world, passkeys are not in practice much better.
alexjm•1h ago
- are generated securely and so can’t be guessed - can’t be phished - are unique for each website you use, so if one website is compromised it doesn’t put your other logins at risk
velcrovan•1h ago
AlexandrB•1h ago
> Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
scratcheee•1h ago
> whether by phishing or exploiting the fact the passwords are weak or have been reused
1. Phishing is harder when you only ever enter your password into 1 place, and that one place is designed to be secure and consistent.
2. Much easier to have exactly 1 strong password than unique strong passwords for every website.
Is it better than a vault full of random passwords? Probably not, beyond pressuring the user into using the more secure method