Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
They’re device-bound certificate based authentication with some shiny bits.
Or they’re portable-via-certain-services certificate based authentication with some shiny bits.
Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.
Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)
Might I suggest Bitwarden.
It’s open source, syncs across every platform I know of, and supports passkeys.
Thanks. Will check it out.
I really don’t want to turn my devices into hardware keys. I can’t imagine how difficult it would be to recover if, say, there was a fire or flood. Hardware breaks, gets lost, stolen. How about people who can’t afford multiple devices? What about the unhoused? How about if you get arrested and your one device gets confiscated- you can’t even give anyone else access to your data. What if you’re a good witness recording something and the police decide to make your device into evidence (or destroy it).
MFA? Absofuckinglutely. I’ll pass on passkeys, sorry.
Yeah this is my situation. My personal computer is really infrequently used and as such I’m already in a dangerous situation when it comes to sign-in risk detection kicking off and asking for further authn proofs. I’ve had my phone die (and come to life when its replacement arrived) and that was a harrowing situation because all the MFA is stored there. Passkeys seem to make it worse, unless I subscribe to a sync service, which I need to infallibly trust (and I’m iffy on that; 1Password has a good security model and all that but passkeys are a different level of trust).
Think of passkeys like they’re backups.
If you have one, you have none. If you have two, you have one. If you have three, at least one of them has to live offsite.
There are a ton of people who can’t reliably meet the “three” threshold, and plenty who can’t meet the two.
Good way of putting it. How many people have three devices they can use for storing passkeys? I don’t and I’m a nerd.
I do; or at least I can. But really, Device #2 should be in a fire safe, and Device #3 should be in a safe deposit box. These should be “set and forget” devices, not just “the laptop that I use and the phone that I use”. Those are additional costs, additional planning, additional effort, additional administration (because you need to also be checking that these cold devices still work on a scheduled basis), maybe additional required skill (depending on what you want these set and forget devices to be). You need to have an appropriate place to keep that fire safe. And when one of those cold devices doesn’t work anymore, you have to figure out why and likely replace it.
To do it right, you really have to have your shit together. That I don’t.
I mean, I wouldn’t mind if I could use my flipper for it, but the big issue is “if flipper break get fucked.” I can back up my .kdbx file in 14 luks encrypted locations, I can’t backup a whole ass flipper as easily.