Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
I’ve been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.
Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I’m not sure if this is a problem with Piefed, Bitwarden, or Firefox, I’m now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.
I recognize the theoretical advantages, but passkeys don’t do much to solve problems I actually have. All my passwords look like
#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWEand are unique. Bitwarden won’t autofill the wrong domain. I don’t enter credentials in links from emails I didn’t trigger myself immediately before. I haven’t checked whether I can reliably backup and restore them in my Bitwarden vault.No, thanks. I’ll keep using password+2FA and I hope that passkeys never become “mandatory”.
Better title:
Passkeys: still trying to explain why it’s worth the hassle when it isn’t
There’s a hassle?
Nope.
While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.
Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.
Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.
Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.
You can store Passkeys in open source password managers.
I don’t know most of my passwords, so the step to passkeys doesn’t feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.
Sure, they probably work great when you have your *passkey manager on the device, but that’s not when I need to have backup routes into my accounts. When using a new device, or someone else’s, having even a complicated password that can be typed or copied-pasted has way more functionality.
As far a I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.
I can access my password manager via the browser from any device.
Can’t you access your password manager from a web browser? Or your phone?
Oops, meant passkey manager, fixed it.
This is the only accurate take in the whole thread.
Passkeys solve “well, can’t be fished” by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it’s a net loss to literally everyone.
I came to sorta say this. Regardless of the system if it can fail and if people have to recover an account then phishing will always be a thing. In person options to deal with an account like with bank branches or government offices are the only true way of making things more secure. I sometimes think it would make sense for this. One rare thing I have seen that gives me a bit of hope is the use of in person at the post office for us government accounts. Thats exactly how it should be done. Secretary of state for state and usps for federal. They are the only agencies with enough physical locations.
I think they are being pushed because cool technology on paper. Whenever I read an article about them, I can’t help but think about the human factors. How are passkeys created, often by a password or email. okay… that looks a lot like a password. Oh you lost the passkey, here lets send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation. If your email is compromised I see no difference from passwords or passkeys.
They don’t email you a passkey, what are you even talking about?
The flow I hear about when people talk about passkeys is sign up with email. Code gets sent to email. Code is entered, passkey gets generated. There always seems to be some similar step that looks like that, and often you have new device or reset that looks the same. Sure the passkey itself is secure, but how do you get it, how do you generate it, how do you validate the first time?
None of that is remotely true lol. You don’t get a passkey, you generate. Nothing is “sent” to you at any point in time, it has nothing to do with email.
Passkeys are a technology that were surpassed 10 years before their introduction
Question is by what? I could see an argument that it is an overcomplication of some ill-defined application of x509 certificates or ssh user keys, but roughly they all are comparable fundamental technologies.
The biggest gripe to me is that they are too fussy about when they are allowed and how they are stored rather than leaving it up to the user. You want to use a passkey to a site that you manually trusted? Tough, not allowed. You want to use against an IP address, even if that IP address has a valid certificate? Tough, not allowed.
They were surpassed by password managers and 2fa.
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two form fields.
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.
2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale
Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.
Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn’t there. Because there isn’t a password anyone can randomly use. That’s why I feel big tech companies are moving towards it.
I’ve found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there’s more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there’s no password change.
Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don’t use docusign, but there is probably a setting that they can change.
Oh, I agree, but I have to argue enough with professionals who know better as it is. I have to do it every day with recent PhDs as a BA who’s been doing the job for 15 years. At this point it’s not my problem if something happens. I have other things that affect me every day to fight about. I’ll just continue cycling through my no repeats after 10 changes, 12 character passwords and using my yubikey for docusign for my own sanity.
sounds like a better solution is don’t use docusign
K, I’ll go tell the CEO that they need to come up with something different.
There’s like a million other free/libre digital document signing platforms out there. Try one that doesn’t suck.
Unfortunately, per the comment you replied to, that isnt under my control.
Aren’t passkeys just passwords but numbers? Like passnumbers?
No. It’s a completely different process. It’s a bad name for what it actually does. (Unless you’re talking about how computers do things, then EVERYTHING is numbers)
Look up public/private key pair encryption. It’s the process that has changed.
The problem with all these “what are passkeys” guides is that it’s difficult to convey the differences between password and passkeys if you don’t have a deep understanding of encryption or authentication systems.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
While I use and love bitwarden, it’s not exactly foss. Although there is a foss implementation of their server backend
A cursory search lead to this thread from 2024 https://community.bitwarden.com/t/concerns-over-bitwarden-moving-away-from-open-source-what-does-our-future-hold/74800
where an employee stated
I’ll note that policy wise nothing changed. The referenced issue is a packaging bug, but the goal still is the dual licensing model, with the core being open source, and some (mostly enterprise) features being source-available.
Both the client and server are mostly open source. Some server features are paywalled. The alternative Vaultwarden server is fully open source, and much lighter on system resources.
Have there been any recent licensing shenanigans with BitWarden?
Vaultwarden (the free server implementation) also supports passkeys.
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”) until we’ve established federated providers.On further reading, this may not be as far off as I thought. Passkey registration providers can be OS-level but browser and password manager based solutions were intended (overview from FIDO alliance). And it looks like KeePassXC has begun rollout of their own. If I’m reading correctly they currently “piggyback” off of an OS-based provider in various ways, so it’s not yet an end-to-end implementation, but these are early days.
Your password hashes (assuming they even hash them) already live on their servers…
Cool, they know the hash to that one service I signed up with them. Not every account ever.
Say you don’t understand passkeys without saying you don’t understand them…
A passkey uses public key cryptography to secure your account instead of a password, it only grants you access to the one account you set it up for, and the account provider only holds your public key, you control the private key. Your passkey is a secure alternative to passwords because you CANNOT reuse it across services, cannot reasonably remember it, and the method of using it isn’t by copying and pasting into a field like a password, so it isn’t susceptible to the same attacks.
If the provider loses your public key, they can’t give you a challenge to verify you have the private key, so you lose access. Just like if they lose your password hash. It’s an identical scenario.
The assumption is that the native passkey manager on the device (iPhone, android, windows) would sync the passkeys (to Apple , Google, Microsoft) for protection against device failure and easy of use across devices. Or you risk loosing your accounts if you loose your device.
That would happen if you store your passwords there too…
If you’re proactive enough with your passwords to manually store them in your own vault, you can be proactive enough to not use the corporate vaults that don’t allow exporting. This isn’t a “downside” of passkeys, it’s a downside of using the built in managers.
Your passkeys aren’t synced to anything, so the passkey is no different than your password hash. They’re device locked unless you use something like bitwarden, so you’re no more dependent on American mega corps than you are right this second.I’m wrong.
Dont they all sync to the respective cloud services?
iOS vault -> synced apple cloud Android vault -> synced with Google cloud?
Windows Hello -> synced with Microsoft account?And if they’re not synced, that’s even worse. Loose your device and loose your account. Or keep track of which of your 5 devices are have keys for which of your 150 accounts
Well shit, you’re right. I must not have been paying attention when they updated them to include that
Okay, so long as a passkey is something I can memorise. Otherwise, it’s significantly worse than a regular password (assuming you use good passwords and don’t reuse passwords etc).
It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don’t have access to that computer at all times, or it breaks, or is lost?
I’m planning on getting rid of my smartphone for something that just does calls and texts for example, because I’m sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?
My brain is the best place to store passkeys, it can’t be hacked, stolen, lost, etc, unlike every other option. It’s easily capable of storing lots of randomised unique passwords for each service (surely I’m not the only one that can do this?). It’s the clear winner.
I store all my passkeys in bitwarden so they are available anywhere I have bitwarden. Which makes it tough if/when I need personal accounts at work (like to log into electric company to check outage map).
How many good passwords can you memorize? I can maintain 2-3 in my head long term, especially if only used rarely, and you can be phished if you are typing it in. Not tenable for online accounts. The only real comparison with security parity is a password manager + 2fa generated on-device, compared with passkeys. In both cases, you have “strong” password, no re-use, resiliency to fishing, and requires both “something you know and something you have.” I think a password manager is slightly more usable, but I’m not convinced either is a “good” experience yet.
security parity is a password manager + 2fa generated on-device
This experience works perfectly for me. I have no need of whatever junk the latest consortium of megacorps has come up with.
🤷♂️
You just need to memorise the PIN at max. If your device has biometric recognition you could even use your face scan or fingerprint so even remembering a PIN is not needed in that case.
They’re device-bound certificate based authentication with some shiny bits.
Or they’re portable-via-certain-services certificate based authentication with some shiny bits.
Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.
Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)
Might I suggest Bitwarden.
It’s open source, syncs across every platform I know of, and supports passkeys.
Thanks. Will check it out.
I really don’t want to turn my devices into hardware keys. I can’t imagine how difficult it would be to recover if, say, there was a fire or flood. Hardware breaks, gets lost, stolen. How about people who can’t afford multiple devices? What about the unhoused? How about if you get arrested and your one device gets confiscated- you can’t even give anyone else access to your data. What if you’re a good witness recording something and the police decide to make your device into evidence (or destroy it).
MFA? Absofuckinglutely. I’ll pass on passkeys, sorry.
Yeah this is my situation. My personal computer is really infrequently used and as such I’m already in a dangerous situation when it comes to sign-in risk detection kicking off and asking for further authn proofs. I’ve had my phone die (and come to life when its replacement arrived) and that was a harrowing situation because all the MFA is stored there. Passkeys seem to make it worse, unless I subscribe to a sync service, which I need to infallibly trust (and I’m iffy on that; 1Password has a good security model and all that but passkeys are a different level of trust).
Think of passkeys like they’re backups.
If you have one, you have none. If you have two, you have one. If you have three, at least one of them has to live offsite.
There are a ton of people who can’t reliably meet the “three” threshold, and plenty who can’t meet the two.
Good way of putting it. How many people have three devices they can use for storing passkeys? I don’t and I’m a nerd.
I do; or at least I can. But really, Device #2 should be in a fire safe, and Device #3 should be in a safe deposit box. These should be “set and forget” devices, not just “the laptop that I use and the phone that I use”. Those are additional costs, additional planning, additional effort, additional administration (because you need to also be checking that these cold devices still work on a scheduled basis), maybe additional required skill (depending on what you want these set and forget devices to be). You need to have an appropriate place to keep that fire safe. And when one of those cold devices doesn’t work anymore, you have to figure out why and likely replace it.
To do it right, you really have to have your shit together. That I don’t.
I mean, I wouldn’t mind if I could use my flipper for it, but the big issue is “if flipper break get fucked.” I can back up my .kdbx file in 14 luks encrypted locations, I can’t backup a whole ass flipper as easily.
I have a couple in my Bitwarden (Vaultwarden)
But I already have issues with Android trying to force me to use the system Passkey provider, and companies like Apple only supporting their own device’s built in manager for Apple accounts.
You missed some disadvantages. For example the UX and complexity are terrible.
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).
Background: Although the on-device integration for Apple, Google, etc. use their cloud for E2E sync between devices, it appears KeePassXC using their passkey interception, discovery, and import procedures accomplish the same cross-device passkey implementation without needing a particular vendor cloud lock-in. As best I can tell, this meets the original standard’s sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.
Question: If KeePass has been able to implement their own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?
Thank you… and Yes you are right… There could be many reasons like greed or could be risk management if you think from both ends of spectrum. It’s sad actually they are developed on the same FIDO2 but insists on being seperate which is weird… Also they feel that regular user wouldn’t be able to set up FOSS passkey provider or may be they lose control over encryption if they share with third party.
My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.
That doesn’t sound like a TOTP vs passkey situation though. It sounds like the program just releases the passkey when you give it the fingerprint. There wouldn’t be anything stopping the program from generating a OTP and passing that along when you identify with the fingerprint.
I think a big issue is how difficult it can seem to be to get easy access to TOTP codes, like in your example digging up your phone. But that’s more of a browser/operating system failure for not implementing a way to generate those codes like they can already store usernames and passwords.
