44 comments

  • dontTREATonme 1 day ago
    My first experience with passkeys was eBay. They implemented them 3-4 years ago, and my password manager, Dashlane picked up on it. They offered to save it and I wouldn’t have to enter a username or password. Great, seemed to work. Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work. After having like 6 different passkeys for eBay I gave up. Now I always decline to use passkeys. They don’t work, idk who uses them but as a fairly tech savvy user, without a very complex setup (chrome, with Dashlane installed) if it’s not working for me it’s probably just not working.

    I’ll also add. I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it. For all the complexity that it takes to implement secure login with a username and password, most of it is hidden from the user, with passkeys it feels like they’re shoving all the complexity front and center, but not explaining any of it.

    • _Algernon_ 23 hours ago
      The only way passkeys make sense is in terms of vendor lock in. If you stick with a single vendor (i.e. Google or Apple) to manage them for you, it kinda works if you ignore edge cases (e.g. how to recover if phone breaks).

      So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.

      The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

      • diggan 22 hours ago
        > The only way passkeys make sense is in terms of vendor lock in.

        This is what I've figured as well, and even if my password manager claims "eventually we'll support it, once it's available" (https://blog.1password.com/fido-alliance-import-export-passk...), I've been putting it off until the implementation is actually in place.

        But the question is when that'll be. Last I've heard about the whole "Risk of lock-in from export blocking" is:

        > The general vibe is supportive and language has been added to this effect, though it looks like we haven't done a public working draft in some time so I don't think that's externally visible yet. Also usual caveats about in-progress work subject to change.

        https://github.com/fido-alliance/credential-exchange-feedbac...

        I guess time will tell. But for now, considering the history of lock-in on the web, it's best to stay away from Passkeys for now, until they figure out a proper way of avoiding it.

        • trollbridge 20 hours ago
          Bitwarden is the one vendor that doesn’t do lock in (since you can export your passkeys). Which also means you can back them up.

          The rest of the platforms give you zero ability to export or back up your passkeys, which makes them worse than useless.

          • Longhanks 20 hours ago
            Apple also announced passkey import and export is coming this fall with iOS 26 (and their other OSes): https://developer.apple.com/videos/play/wwdc2025/279/
            • diggan 20 hours ago
              > We'll explore key updates including [...] and the secure import/export of passkeys

              Have they shared any details about if this is actually cross-provider/platform import/export? I feel like if Apple doesn't outright share those details, they're talking about import/export within the Apple ecosystem.

              • dcow 18 hours ago
                No, in this case it is actually an industry standard: https://fidoalliance.org/specifications-credential-exchange-...
                • dyml 1 hour ago
                  I worked on this standard and we’re all excited that it’s rolling out to most if not all password managers and platforms.
                • diggan 17 hours ago
                  Nothing of the info Apple published so far seems to indicate that they'll implement that. And again, based on the track record of Apple, feels unlikely they won't implement something on their own.
                  • tzs 16 hours ago
                    From the video cited upthread: "This transfer uses a data schema that was built in collaboration with the members of the FIDO Alliance. It standardizes the data format for passkeys, passwords, verification codes, and more data types"
            • yellow_postit 19 hours ago
              Let’s see — Apple’s track record of interoperability isn’t great unless dragged by regulatory bodies. Managing private emails at scale to migrate away from Apple for instance is wildly painful.
          • dcow 18 hours ago
            There is an industry standard being deployed for passkey (and other credential) import/export so that everything will work together seamlessly. Most players are waiting for that so there aren’t N different formats floating around that only work with subsets of other PW managers, which is a real problem now.
          • diggan 20 hours ago
            re Bitwarden Passkeys export/import, I found this:

            > Q: Are stored passkeys included in Bitwarden imports and exports?

            > A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.

            https://bitwarden.com/help/storing-passkeys/#passkey-managem...

            But I'm not sure I understand the last part, how is the "ability to transfer your passkeys to another passkey provider" planned for a future Bitwarden release, if the Passkeys are already included in the export data? Wouldn't that be up to other Passkey providers to implement the import? Or is the export data not complete enough for an import?

            • Uvix 20 hours ago
              Yes, other providers could theoretically import Bitwarden’s proprietary format. Bitwarden’s reference to a future release is regarding the standardized import/export of passkeys that is in development: https://fidoalliance.org/fido-alliance-publishes-new-specifi...
              • dyml 1 hour ago
                I work at bitwarden and I can confirm this. While technically you have the data, any other app need to support our json format (which they totally can, our code is open source) - but CXP (the standard) is happening this year so we’re planning on using it.
        • signal11 21 hours ago
          1Password are working with Microsoft to integrate more with Windows’ passkey APIs.

          The real test will be, how easy is it to move passkeys from say 1Password to Keepass XC (open source). It’s on my todo list.

          For now, 1P’s passkey support appears to work quite well with all the sites I’ve tried. I’ve got multiple devices (Linuxes, macOS, Windows) and passkeys just work. I like the fact that 1P is cross platform, but after all it too is proprietary.

          • diggan 21 hours ago
            > how easy is it to move passkeys from say 1Password to Keepass XC (open source). It’s on my todo list.

            AFAIK, there is no export from 1Password with Passkeys yet, so maybe better to put it in your calendar to check back in 6 months or so.

            > passkeys just work

            Yeah, I'm not doubting that, but I cannot reasonably base my core authentication on something that locks me to one service, that just feels too irresponsible. Hence the wait for proper import/export before spending any time on this :)

            • jgalt212 20 hours ago
              Truth. With passwords, you don't even need a service open or closed. You can just write them down on an air gapped piece of paper.
      • hshdhdhj4444 5 hours ago
        > if you ignore edge cases (eg. how to recover if phone breaks)

        I really see this language around passkeys a lot.

        How is losing your phone, phone breaking, etc considered an edge case?

        It’s common enough that Apple has a whole app called Find My.

        Phones falling into toilets led to a whole meme about putting them in rice to fix them.

        And even before Find My existed as an app Apple had equivalent functionality available online within a couple of years of the iPhones introduction.

      • signal11 21 hours ago
        This so many times. The cryptography around passkeys is great. An operational consequence that a lot of people seem to miss is lock-in.

        I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.

        • dcow 18 hours ago
          Unless people use weak passwords today, all their passwords are scattered across various browsers and system autofill, unless they use a PW manager deliberately, in which case they’re “locked in”.

          One of the counterpoints here is that while good security might have you adopt one password manager vendor, that vendor is not necessarily the same as your platform vendor. Traditionally this is a way to fight vendor lock in.

          • recursive 17 hours ago
            You can export your passwords. I've done it and switched vendors.
          • hedora 18 hours ago
            It is trivial to migrate from lastpass to bitwarden. I’m not sure about all other permutations of password managers though.
      • noirscape 22 hours ago
        > The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

        I mean, that's what Microsoft is doing here, no? They're changing their password manager to only accept passkeys, not passwords and to block off autofill functions. Granted, right now they're the only vendor to do this, but that's a pretty risky precedent to create.

        • trollbridge 20 hours ago
          More likely is MS Authenticator loses its already minuscule market share.
          • chronogram 17 hours ago
            It is massive in corporate. I think it's the most used authenticator. On the Play Store alone it's got 2 million app reviews, Google Authenticator 579 thousand, Authy has 86 thousand. The download count seems to stop at 100M+ so I can't compare that.
        • WorldMaker 14 hours ago
          Microsoft is (re-)splitting their 2FA app from their Password Manager. The Password Manager is moving exclusively back into the Edge app. It will still provide autofill inside the Edge app. It may even get autofill (again) into other apps.

          If anything this seems a move to get users to use more Edge than to use more Passkeys.

      • xlii 21 hours ago
        For myself it’s a very good secondary auth in alternative. E.g. I register with a vendor, create strong password in password vault and then create a passkey.

        Passkey is convenient for log in (and also - quick) but worst case scenario I still have passwords. I wouldn’t trade in passwords completely but I prefer passkeys to OTPs.

      • egberts1 22 hours ago
        THIS!

        Worth my point for this emphasis.

        Can concur.

      • brazzy 20 hours ago
        Passkeys absolutely make sense from a security (and in theory also UX) POV. Handling logins for dozens of services is either very insecure (reuse), has even worse vendor lock in (federated ID), or has pretty bad UX (password manager).

        In practice, unfortunately the UX gains are not realized because interoperability is unsolved, because vendors have little motivation to solve it and eliminate the lock in.

    • karel-3d 22 hours ago
      I like this part from Register article

      > When I click “add key,” three different bits of software compete for my attention.

      > First up is the password manager, offering to store a passkey. (This is the first time passkeys have shown up in this process – you can begin to see how a casual user might be getting confused.) I don’t want the password manager to be involved in this case, so I dismiss the window.

      > Next up, a window appears from macOS asking me if I would like to use TouchID to “sign in” (to what? – I am already signed in to the website) and to save a passkey. Again, note the different terminology. When I dismiss that window, it is time for the browser to have a go, offering me four ways to save a passkey, including finally the option to store it on the hardware token. I insert the USB key and proceed.

      > I think we can all agree that this is a confusing experience, with three different systems fighting to be the One True Place To Store Passkeys, along with the inconsistency of terminology (passkeys or security keys) and use cases (password replacement or strong second factor?)

      > It’s like every piece of software wants to “help” but there is no one looking at the system-level behavior where these different bits of software interact with each other and the end user. I’ve encouraged my wife (a social scientist not a computer scientist) to adopt a password manager and 2FA, and she’s very willing to follow my lead, but the confusion of terminology and bewildering arrays of options frequently (and understandably) leads to complete frustration on her part.

      https://www.theregister.com/2024/11/17/passkeys_passwords/

      • dcow 18 hours ago
        I’ve been in charge of a 3rd party authenticator passkey implementation twice and both times the platform (be that chrome or apple) unfairly leveraged their position to push their solution above 3rd party options. Apple, in its most recent update, finally allows the user to disable iCloud keychain so it’s not an option always getting in their way if they use something else like 1pass or bitwarden. Chrome still puts themselves first before allowing the user to see the list of “other” authenticators to use, which isn’t serviceable as an other.
    • lucumo 23 hours ago
      > Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work.

      I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.

      > I’ll also add. I don’t have a good mental model for what a passkey is or how it works.

      It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.

      • hedora 18 hours ago
        That’s a poor mental model for how it works.

        If it was just a private key that I had, then import/export would be trivial.

        • lucumo 2 hours ago
          KeepassXC seems to have included that for two years now: https://github.com/keepassxreboot/keepassxc/pull/8825 (I don't use Keepass, so I can't attest to how well it works.)

          There's a JSON example of an export on the page. It shows nicely what's stored on your machine.

          It's a non-standardized format, because a standard is still being worked on. I think most vendors are just waiting for that. The FIDO Alliance has a news message about it: https://fidoalliance.org/fido-alliance-publishes-new-specifi...

          In the article they mention they are not just going to support exporting passkeys, but also passwords and other credentials. The goal is to create a secure exchange format for that. They have published drafts of the standards.

        • clysm 15 hours ago
          It is that trivial. The problem is vendor lock-in and no common, defined way to export/import them securely (which is going to change soon).
      • scrollaway 22 hours ago
        I remember being a kid on the internet 20-something years ago, understanding how passwords worked, and thinking the whole of the internet must be crazy for accepting a "pinky-promise we don't store that secret password you're sending us in plaintext, let alone use it for nefarious purposes" as the status quo.

        I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.

        Ah well, glad times change.

        • pmontra 20 hours ago
          I defend against that scenario by letting my password manager generate a different random password for every site. It defends also against sites handling passwords in terribly wrong ways, hacks, leaks, etc.
        • diggan 21 hours ago
          > I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.

          In an alternative universe, the web standardized something like "tripcodes but cryptographically secure" which would keep any secrets out from servers, and we'd just be dealing with signed data.

          One could always dream :)

        • skydhash 22 hours ago
          Even with SSH, you need access to the console when things go awry. But that’s easier to secure as you need to be physically present in front of the machine, or go through your cloud provider’s security mechanism.

          But that’s only inconvenient when you want access back. Most B2C don’t care about you enough to offer those processes.

        • brazzy 20 hours ago
          Client certificates are a thing and can in principle be used for authentication on websites. Not 100% sure that was possible 20 years ago, but I strongly suspect that it was.

          The problem is the UX around handling the certificates. Passwords are nearly impossible to beat in terms of "works everywhere without requiring any support infrastructure".

      • wavemode 13 hours ago
        Perhaps eBay themselves were restricting use of a given passkey to a specific device
    • AJRF 1 day ago
      I have a degree in computer science, 10 years experience in some complicated fields and I can’t figure out PassKeys.

      They are woefully designed and implemented, wish we just cut our losses with them and stopped pushing them.

      Tuck them away in settings, not on the default login path.

      • kjuulh 23 hours ago
        I felt the same when implementing OpenID connect flows according to spec. It uses the browser in creative ways ;) Especially the device flow, absolutely insane complexity for what it is.
      • tallanvor 20 hours ago
        They're just public/private keypairs that are generated either by a device (whether it's part of your phone, computer, or hardware key), browser, or password manager. I do agree that it can be a bit of a pain when it comes to multiple managers trying to offer to save/respond to a passkey, but otherwise it's a fairly straightforward exchange.
        • AJRF 19 hours ago
          > They're just public/private keypairs that are generated either by a device (whether it's part of your phone, computer, or hardware key), browser, or password manager

          Now imagine saying that sentence to a person outside tech

          • decimalenough 19 hours ago
            A monad is just a monoid in the category of endofunctors, what's the problem? Ape holders can use multiple slurp juices on a single ape, so if you have 1 astro ape and 3 slurp juices you can create 3 new apes.
          • fragmede 14 hours ago
            Why would you give the technical explanation to a person that doesn't want the technical explanation? To the person outside of tech, passkeys are just your phone has a really good password and fills it out for you. Just use that and don't bother having to remember (and forget) another password.
            • AJRF 11 hours ago
              > To the person outside of tech, passkeys are just your phone has a really good password and fills it out for you

              Except that is _not_ true, there is an entire thread of people saying they are unintuitive and hard to understand!

      • escapecharacter 23 hours ago
        CVS keeps pushing them for their pharmacy login. So annoying.
      • sydbarrett74 23 hours ago
        Agree. The UI/UX is atrocious at present. The concept has flaws, but IMO it substantively raises the floor security-wise.
    • Al-Khwarizmi 1 day ago
      Glad to know I'm not alone. My story is more or less the same (except without password manager). One day I was logging into my ancient Yahoo mail account that I use mostly for unimportant/throwaway things and spam, and I was offered a passkey. I accepted. Next time I logged in I was on a different computer (I regularly use 4-5 computers apart from my phone) and it didn't work. Later, on the original computer, it didn't work either... I guess because I updated something or whatever, no idea, I didn't bother to find out. I'm back to the password now, after having logged in successfully with a passkey exactly zero times after setting it up.

      I also don't have a good mental model of how passkeys work. I could get informed. But why should I bother? I'm a busy person. Passwords have worked for me for more than 25 years, and passkeys seem much more fussy and inconvenient (what if I'm traveling and connecting from a random computer in a hotel/airport? I imagine I'll be expected to do something with my phone, as modern cybersecurity seems to be based on trusting everything to the phone -if it gets stolen, bad luck- but what if I have no battery?). I guess I'll have to find out if they force them on us, but if I (a CS PhD and professor) have to actively find out in order to use them, it's going to be chaos with regular users.

      • ajdude 20 hours ago
        I hate passkeys, only because it seems like every few months I'm trying to help ream them out of my grandmother's computer because she can no longer login to her yahoo email. I've told her countless times, stop saying yes for passkeys but she somehow inevitably gets them enabled on everything while on her desktop and then can't figure out how to access it from her phone.
    • teekert 23 hours ago
      I think Proton Pass just stores one key for all devices? Not even sure! But it does work anywhere without the experience you had: I go to a website I have saved, it pops up, I click and am logged in.

      Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right? Idk, I had the same experience with BitWarden). The keys should be device specific right? That's the 2fa replacing magic.

      I too, have no idea. And I too am a bit disappointed it is so difficult to understand what happens. I do believe I can just export the keys and import somewhere else (i.e. Proton <-> BitWarden), which would suggest one passkey per account... Hmmm... Also, I believe it's just Google and Apple that try to make this a walled garden, it wasn't designed to be like that.

      • dchest 20 hours ago
        > The keys should be device specific right?

        No, they can be synched. There are different types of passkeys, synched and device-bound (for YubiKeys, etc.)

        Hope this clears up the confusion (haha).

        • teekert 19 hours ago
          Ah but why are they better than classic credentials then? I thought they were device specific and thus "2fa built in". I thought you'd have to approve every new device from an existing one? But indeed I never saw that in action...
          • recursive 17 hours ago
            Because you can't export them.
            • teekert 16 hours ago
              Pretty sure I could with VaultWarden. For Proton indeed it seems to be an open issue. In theory it should be doable right? It's not like "impossible because of the spec" or something?
              • recursive 14 hours ago
                > It's not like "impossible because of the spec" or something

                It could be, but I don't know if it is. One of the design points is that they are cryptographically un-phishable or something to that effect.

                The ability to export directly conflicts with non-phishability, at least in theory. I've heard conflicting information about what precisely is allowed or possible.

              • xmgplays 15 hours ago
                The difficulty of exporting them is kinda the point (sorta). The benefit of passkeys is that the average user is less likely to hand them over to a scammer, because they literally can't/don't know how, whereas everyone and their mother knows how to give a scammer their password/username and the funky numbers in the email they just got.
    • djvdq 1 day ago
      I don't have this problem. I'm using passkey probably on only 1 website (github) but it's working without any issues on all my devices. Maybe it's a password manager issue? I'm a bitwarden user
      • qwertox 23 hours ago
        Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

        The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.

        I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.

        These are the kind of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.

        What I liked the most was username+password and a Yubikey for OTP. And for what can't or no longer wants to deal with Yubikey, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.

        • jeroenhd 23 hours ago
          > The idea of passkeys is that they are supposed to be tied to a hardware device.

          No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.

          You can use hardware bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.

          There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.

          And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.

          I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.

          • karel-3d 22 hours ago
            I thought Webauthn IS passkeys! It's a different thing...?

            I thought Webauthn is a U2F continuation that uses them for both 2FA and login... and the login thing is called "passkey". It is not?

            (I implemented U2F 2FA before and still cannot figure this out.)

            • jeroenhd 18 hours ago
              Passkeys are the name used for FIDO2 authentication flows for normal people.

              WebAuthn is the JavaScript API to access the USB devices speaking U2F to the browser.

              FIDO2 extends the WebAuthn API by also offering to store security tokens inside of a device's TPM, by using CTAP2 to authenticate with an external device or service, or by using good old U2F. If you're implementing it, you generally only need to deal with the WebAuthn side, the browser will take care of the rest.

              You can think of Passkeys as "WebAuthn 1.1". Names like WebAuthn and U2F don't exactly attract the general consumer, so they rebranded it. The same way websites used names like "passwordless logins" when trying to describe WebAuthn+U2F, except "passkey" seems backed by larger companies.

              If you've implemented WebAuthn correctly (I doubt you actually interacted with the U2F API directly), you've also implemented passkeys.

              The naming is rather confusing, mostly because a lot of websites used the wrong name for the wrong part of the process. Luckily, almost nobody actually knows what the hell a WebAuthn is, so passkeys are the introduction to the whole stack for most people.

          • cycomanic 22 hours ago
            Just a side note my 80 year old mother uses Linux with keepassxc and has generally more secure processes than many software developers I know (who often use very simple passwords, share them around freely...).

            Just to say that we should be careful with our generalisations (I know you didn't start this one).

            • Biganon 20 hours ago
              Why should we be careful? Not trying to troll here, but your mother being an exception to the generalization doesn't mean the generalization is wrong. Nobody said 100% of old people had bad security habits.
        • wasmitnetzen 23 hours ago
          Do you have a source for the hardware-tied design? Neither the specs[1] nor Wikipedia[2] say anything about Authenticators being hardware-only as far as I can see. The specs even specifically talk about Clients (i.e. browsers) storing passkeys.

          [1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...

          [2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...

        • navigate8310 19 hours ago
          > Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

          Well you can decrypt your bitwarden using a Yubikey

    • ExoticPearTree 23 hours ago
      Looks like a Dashlane problem from what you are describing.

      Since I use a Mac, I will refer to my MacOS experience: Keychain and now Passwords will sync passkeys via iCloud to any other device. The end result is that you only have one passkey. Pretty seamless experience.

      • jlokier 20 hours ago
        I have a Macbook and an Android phone, as do many people.

        Can I still have a seamless experience with passkeys, or have they made that difficult? Do I need to remember to reject the dialog offering to save keys on Keychain and learn to use a 3rd party passkey service?

        What am I supposed to do about all the passkeys that will be needed at my multiple jobs, which I access from my own Macbook and phone? Can I use a single service, ideally open source, or do I need to use several "passkey sharing & backup managers", one for each entity and one more for my personal keys?

      • avhception 23 hours ago
        There is no way I will sync all of my credentials onto other peoples computers.

        Trust issues aside, is there a way to get those passkeys out of there?

        Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?

        • jeroenhd 23 hours ago
          I don't think iCloud has exports for secrets like that (and that's not just restricted to Passkeys).

          Other tools do, though, like KeepassXC or any other password manager really.

          • Asmod4n 22 hours ago
            You can share them via airdrop
        • wkat4242 22 hours ago
          No, this is part of the problem. They're using passkeys to build their walled gardens. So lock in is a feature not a bug.
      • eviks 22 hours ago
        So you're locked into Macs for this seamless experience
        • ExoticPearTree 21 hours ago
          I don't know, I just shared my experience with passkeys on a Mac. Maybe Microsoft has something similar.
      • N_Lens 23 hours ago
        Yeah I'm on Mac/iPhone as well and was scratching my head at the "multiple passkeys" comment.
      • encom 18 hours ago
        >any other device

        Any other Apple™ device.

    • ashdksnndck 1 day ago
      Nowadays I use the passkeys with my password manager and everything works across multiple devices. I’ve never been presented with a list of passkeys to select from.
      • sydbarrett74 1 day ago
        I’ll second this. A combo of KeePassXC (desktop), KeePassium (Apple), and KeePass2Android plus manually syncing my .kdbx file makes the passkey experience relatively smooth for me.
        • gbil 22 hours ago
          > KeePass2Android

          It doesn't support passkeys yet, so I'm surprised you mention it, because this is what I'm waiting for to get full cross-device (for me) support and start using passkeys.

          https://github.com/PhilippC/keepass2android/issues/2099

          • sydbarrett74 22 hours ago
            Tiredness caused my poor explanation and you’re absolutely correct. I didn’t explain fully. I guess I have a 2/3 solution.
        • jasonjayr 21 hours ago
          Same for me, but syncthing works to sync across the platforms for me, and has been pretty solid.
        • dale_huevo 23 hours ago
          So you need three different applications and manually moving around files to achieve a "relatively smooth" experience? I don't think this is the endorsement you think it is.
          • emptysongglass 23 hours ago
            KeePass is a community project, Bitwarden is not. These are just client applications that sync and interact with the .kdbx file the community has formalized a standard on. That's why Bitwarden has a unified client application ecosystem and KeePass does not.

            You don't understand KeePass, which is fine, but please don't make bad assumptions like these if you don't understand the underlying reasons for why a thing is the way it is.

            It's like calling out why there are two dozen email clients that speak IMAP.

            • dale_huevo 23 hours ago
              Uh I know what KeePass is and how it works. The proposed "smooth" solution is - at best - clunky and inconvenient. You've missed the forest for the trees.

              > You don't understand KeePass, which is fine

              Haha this is so hilariously smug and condescending I have to wonder: are you the real-life Comic Book Guy?

              • sydbarrett74 22 hours ago
                I should’ve clarified: I consider it relatively smooth for a technical user.
                • jimmydorry 20 hours ago
                  Yes, this is being pushed on everyone, including grandmas and the tech illiterate. If the "best" solution is clunky at best, what chance do the tech luddites have?
                  • fragmede 13 hours ago
                    The best solution for the technical user isn't the best solution for the non-technical user. The streamlined solution for the non-technical person is that they just have their phone and it has the passkey.
                    • dale_huevo 13 hours ago
                      > the streamlined solution for the non technical person is that they just have their phone and it has the passkey

                      So no one uses desktop or laptop computers anymore? Who made that decision for everyone, I wasn't consulted.

                      • fragmede 13 hours ago
                        If you want to talk about the laptop and desktop use case, we can talk about those, but non-technical people don't have laptops or desktops anymore, they got thrown out sometime after the iPhone and iPad came out, circa 2010. (Sorry you didn't get invited to the conference. It was nice, Sarah brought her granddaughter and we had chips and guacamole, it was all very nice.)
                        • dale_huevo 13 hours ago
                          I disagree, it's an extremely myopic understanding of the world likely perpetuated by a sheltered Silicon Valley cabal.

                          There are millions of non-technical people with jobs, where they are issued a company computer.

                          It's conceivable they might want to access the World Wide Web on it.

                          Assuming they own no other devices other than a mobile phone as you suggest, they still have at least two and probably don't want to sync anything from their personal phone to a company computer.

                          P.S. your comment was funnier before you added the part about the guacamole

                          • fragmede 13 hours ago
                            So they go to the website on their work computer and scan the QR code with their personal phone.
              • emptysongglass 21 hours ago
                Please don't make personal attacks on HN.

                The only difference between an imagined smooth solution is the sync mechanism and a unified client application ecosystem, neither of which is really possible without a large company behind it.

                I said you don't understand how KeePass works because you refer to 3 applications for 3 different OSes (2 mobile) as if they were a confusing mix of different applications, when really they're just client implementations around a single, formalized spec. And most folks don't use both iOS and Android so really there's just your choice of KeePass desktop app and one for Android or iOS.

                No one says the plethora of email client choices is confusing. This is exactly the same.

                • dale_huevo 13 hours ago
                  This is peak HN. You behave like a douche then appeal to decorum and cry about the rules when called out about it.

                  > No one says the plethora of email client choices is confusing. This is exactly the same

                  It's absolutely not the same. No one is manually syncing files across PCs and devices so they can retrieve mail on all of them. You have zeroed in on some irrelevant pedantry and continue to ignore the big picture.

                  • emptysongglass 11 hours ago
                    Yet you keep name-calling, so who is acting rudely?

                    3 different applications to access your secrets is what you focused on and now you're moving the goalposts. KeePass having 3 different client applications is what you chose to make a mountain out of, yet they're all just porcelain in front of an agreed upon standard.

                    Making a .kdbx file accessible in Dropbox or any other cloud service does not take technical wizardry.

                    Kindly stop your personal attacks.

    • rafaelmn 23 hours ago
      I think your problem is Dashlane. I had to use it for one corporate gig and oh my god was it the worst password manager I've used - UX and stability wise.
    • jbverschoor 1 day ago
      Exactly my experience. The mental model is easy once you understand that it’s just a key on your device/app.

      It’s just really hard to wrap around your head that this is the actual implementation with so many drawbacks given most people have 2+ devices, and different OSes to provide it.

      I won’t use them.. although I’d have loved to use them.

      When they work they work, but I can’t trust them completely, so what’s the point? There’s no difference from a password, except that the sign-in process can be streamlined when everything works.

      • Al-Khwarizmi 23 hours ago
        I suppose they refer to a more detailed mental model. For example, I know that it's a key in my device, but I don't have a detailed enough model to know if it will work if transferred to another device or stored in the cloud, or what I'm supposed to do at a cybercafe/hotel/airport/borrowed computer. So my mental model is not good enough. With passwords, the answers to questions like that are obvious.
        • jbverschoor 14 hours ago
          That’s the problem. I don’t think that’s part of the spec.

          I’m also not sure, and given that there’s no mention of transferring, backing up etc, I assume they’ll be lost forever.

          I won’t take that risk. And if they require my email/password/2FA to recover, then what’s the point?

          I wanted to love them so much, but I can’t. I won’t burn myself again like with getting a new phone and losing all your 2FA, because someone thought it’d be a good idea to make them device bound on most apps.

          Ease of use is a security feature.

      • kd5bjo 22 hours ago
        > There’s no difference with a password, except that the sign-in process can be streamlined when everything works

        There is one other major difference behind the scenes: With passkeys, the service you’re logging into never has enough information to authenticate as you, so leaks of the server-side credential info are almost (hopefully completely) useless to an attacker.

        • jbverschoor 14 hours ago
          Sure, but that would mean the service is likely to be useless as well.

          And, you’re likely to lose access to your service. It’s like: would you rather lose your pictures forever, or have them copied by someone?

      • stavros 23 hours ago
        If you think there's no difference between a password and a passkey, that kind of tells me you don't really know a lot about passkeys, so it makes sense you'd think they're just worse-implemented passwords.
        • jbverschoor 14 hours ago
          The only difference is that you sign the authentication.

          I think Facebook does the same thing when logging in with a password.

          It’s been crudely done for ages by sending over a hashed version of your password when submitting a form.

          Not the exact thing, but still.

          What is the problem they’re trying to solve? I’m not sure to be honest. Is it leaked passwords/keys? No difference there, as all passwords are unique anyway with a password manager.

          Is it ease of use? I hoped so too.. but nope.

          Is it anonymity? I hoped so too, but just like “hide-my-email”, apps will detect it, and require all other missing info such as your real email, name etc.

          • stavros 14 hours ago
            The only difference is that you sign the authentication, except all the other differences like the server doesn't keep a secret that can be stolen, it can't be phished, you can't reuse it, you can't mistype it, you can't store it improperly.
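A worked sketch of the exchange kd5bjo and stavros describe above (the server holds nothing it could use to log in as you, each login answers a fresh challenge, and the credential only answers for the site it was created under), added here as an example; it is not code from any commenter, from a passkey provider, or from the WebAuthn spec. The Schnorr signature over a 127-bit toy group, the `Authenticator`/`RelyingParty` classes, the `example.com` and look-alike `examp1e.com` domains and the user `alice` are all constructed for the illustration; real passkeys use ES256/EdDSA keys held in a hardware- or vault-backed store.

```python
"""Toy WebAuthn-style passkey exchange (constructed example, not from any commenter,
vendor or the spec). The toy group is far too small to be secure; it only makes
concrete what the server stores versus what the authenticator keeps."""
import hashlib
import secrets

# Toy group: P is the Mersenne prime 2**127 - 1. Exponents are reduced mod P - 1,
# which is valid because g**(P - 1) == 1 (mod P) for any g coprime with P.
P = (1 << 127) - 1
Q, G = P - 1, 7

def _hash_to_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q

def schnorr_sign(priv: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1                 # one-time nonce
    r = pow(G, k, P)
    e = _hash_to_int(r.to_bytes(16, "big"), msg)
    return e, (k - priv * e) % Q

def schnorr_verify(pub: int, msg: bytes, sig: tuple) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P          # equals g**k for an honest signer
    return _hash_to_int(r.to_bytes(16, "big"), msg) == e

def signed_data(rp_id: str, challenge: bytes) -> bytes:
    # Stand-in for WebAuthn's authenticatorData (rpIdHash) || hash(clientDataJSON).
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(challenge).digest()

class Authenticator:
    """Passkey holder (keychain, password manager or security key); private keys never leave it."""
    def __init__(self):
        self._creds = {}                                 # cred_id -> (rp_id, priv)

    def create(self, rp_id: str):
        priv = secrets.randbelow(Q - 1) + 1
        cred_id = secrets.token_bytes(16)
        self._creds[cred_id] = (rp_id, priv)
        return cred_id, pow(G, priv, P)                  # only the public key leaves

    def get_assertion(self, cred_id: bytes, rp_id: str, challenge: bytes):
        # A real browser derives rp_id from the page origin, so a look-alike
        # domain can never ask for a signature under the genuine site's rp_id.
        bound_rp, priv = self._creds[cred_id]
        if bound_rp != rp_id:
            raise PermissionError(f"credential is scoped to {bound_rp}, not {rp_id}")
        return schnorr_sign(priv, signed_data(rp_id, challenge))

class RelyingParty:
    """The website. Its credential table holds public keys only."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.creds = {}                                  # user -> {cred_id: pub}
        self._pending = {}                               # user -> outstanding challenge

    def register(self, user: str, cred_id: bytes, pub: int):
        self.creds.setdefault(user, {})[cred_id] = pub

    def begin_login(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)    # fresh per attempt
        return self._pending[user]

    def finish_login(self, user: str, cred_id: bytes, sig: tuple) -> bool:
        challenge = self._pending.pop(user, None)        # consumed, so no replay
        pub = self.creds.get(user, {}).get(cred_id)
        if challenge is None or pub is None:
            return False
        return schnorr_verify(pub, signed_data(self.rp_id, challenge), sig)

def _setup():
    auth, rp = Authenticator(), RelyingParty("example.com")
    cred_id, pub = auth.create("example.com")
    rp.register("alice", cred_id, pub)
    return auth, rp, cred_id

def demo_login_succeeds() -> bool:
    auth, rp, cred_id = _setup()
    ch = rp.begin_login("alice")
    return rp.finish_login("alice", cred_id, auth.get_assertion(cred_id, "example.com", ch))

def demo_replay_rejected() -> bool:
    auth, rp, cred_id = _setup()
    sig = auth.get_assertion(cred_id, "example.com", rp.begin_login("alice"))
    return rp.finish_login("alice", cred_id, sig) and not rp.finish_login("alice", cred_id, sig)

def demo_phishing_origin_rejected() -> bool:
    auth, rp, cred_id = _setup()
    try:                                                 # look-alike site relays the challenge
        auth.get_assertion(cred_id, "examp1e.com", rp.begin_login("alice"))
    except PermissionError:
        return True
    return False

def demo_leaked_table_useless() -> bool:
    # A full copy of rp.creds (public keys only) still leaves the private key to guess.
    _, rp, cred_id = _setup()
    ch = rp.begin_login("alice")
    forged = schnorr_sign(secrets.randbelow(Q - 1) + 1, signed_data("example.com", ch))
    return not rp.finish_login("alice", cred_id, forged)
```

The `creds` table keyed by credential id is also what the "several passkeys per account, delete the one for the lost device" model later in the thread refers to: removing one entry revokes one authenticator without touching the others.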
        • hulitu 22 hours ago
          Please, tell us more.
    • jeroenhd 23 hours ago
      That's not a passkey problem, that's Dashlane being very weird about passkeys. There's no way that isn't a bug.
    • hazmazlaz 15 hours ago
      That's just a problem with how Dashlane and/or eBay implemented Passkeys. I have tons of site passkeys (1 per site) saved with 1password and use them across multiple devices just fine.
    • richardw 23 hours ago
      Interesting. I’m only a user of them but not had one second of trouble. I save them on my device in the native saving place (iOS/mac) and it just works. I didn’t know this issue existed and I’d like to avoid it. Is the issue when you save them in a password manager?

      I have Bitwarden for personal and now 1Password for work, so might hit the issue at some point.

    • romperstomper 19 hours ago
      As far as I understand, passkeys are not intended to sync across devices. They unlock private keys stored on the device, and these keys are used for authorization on websites etc. At least this was my understanding when I last tried to grok passkeys :)
    • jorvi 20 hours ago
      That is very rarely how passkeys work.

      You chose a worst case example and are comparing it with your best case example.

      Virtually all sites have one passkey, tied to your vault of choice (Apple, Google, 1Password, etc). You make one, and you can use it everywhere.

      Passkeys are a blessing for your regular Joe. No more easy phishing, and no passwords to forget. Often even no username to forget.

      Apples-to-apples, passkeys rock.

      • probably_wrong 19 hours ago
        > Passkeys are a blessing for your regular Joe.

        I've had two regular Joes come to me because Google locked them out of their accounts (plus a third one with Apple) and they had important emails they couldn't get to. The "solution" in all cases ended up being a total loss and starting from scratch.

        Now when Google locks them out of their account with no recourse (or, more likely, when their phone dies without backup) not only do they lose their email, but also every other service they ever signed up for.

        Passkeys may be better when everything works right, but password managers are miles ahead when something goes wrong.

        • jorvi 16 hours ago
          Google aggressively forces you to add your phone number or a backup email, multiple pop-ups per month. When you make a passkey they again aggressively try to force you to have backup access methods. You really have to put in a good effort to lock yourself out.

          If regular Joe configured a TOTP and then ignores the huge warnings about not saving the backup codes, are you going to blame the service or him?

          • probably_wrong 14 hours ago
            > You really have to put in a good effort to lock yourself out.

            When Google and Apple block you, you stay blocked for good regardless of how many backup measures you provide. An Apple representative literally told me once that I needed to provide the phone number of the thief who stole my brother's phone if I wanted to regain access to iCloud; Google asked for my password and backup email only for their system to say "that's not enough to let you in, but there are no other methods so you're SOL".

            Even in more "normal" situations, how much do I need to pay to get someone at Google to check my identity (possibly with official ID) and restore my account? Answer: None, because that's not a service Google offers - you can try to sign up for a paid plan, but even then there's no guarantee that they'll listen to you.

            Any system that depends on FAANG companies is a system where you can find yourself locked out without recourse. I definitely blame the service.

            • jorvi 13 hours ago
              Oh, you mean being locked out by the vendor, not accidentally locking yourself out.

              Yes, that sucks. I have an old account at a FAANG they won't allow me to log in to despite me knowing the current password, my old passwords and the old e-mail. But it is partly my own fault because I changed the e-mail and phone number to a fake one.

              I will say that getting locked out (= banned) by Google or Apple usually means you're doing something odd or even seedy. Of all the regular people I'm acquainted with, it hasn't happened to anyone, ever. And that's gotta easily be 100+ people. However people like dropshippers, grey hats, OF models etc etc any people with irregular cash flows or e-mail traffic definitely run a risk.

    • dcow 19 hours ago
      FWIW you’re supposed to use one passkey synced across your all devices where your PW manager (Dashlane) is installed. The fact that Dashlane let you so easily do the wrong thing might be an issue of their early/unrefined support for passkeys.
    • navigate8310 19 hours ago
      I use Bitwarden on every device, it saves exactly ONE passkey per service. No more fiddling with passwords, and some services don't even want to bother with your username as well. Just one passkey prompt and login happens seamlessly.
    • dale_huevo 1 day ago
      The downfall of passkeys is that - as was inevitable - they are horrifyingly implemented webshit.

      For example, nearly every visit to my Amazon orders page I am now greeted with a nearly full screen modal browser popup letting me know about passkeys and why I should switch to them RIGHT NOW. I politely declined - the first thousand times. I don't know if this is a site or browser issue and frankly I don't care anymore. It's spam at this point and I want nothing to do with it.

      My hesitancy was rooted in concerns about potential issues, pretty much what you just described, so I'm glad to know I was right.

      Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

      No thanks - I'll stick with passwords. Did everyone forget about hardware tokens which are device and OS-independent and rely on no external infrastructure?

      • littlecranky67 23 hours ago
        Don't forget that a per-device passkey is the wet dream of any $MEGACORP wanting to track your habits. Which is another reason why it is a no-go for me.
      • nasso_dev 20 hours ago
        > Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

        Unlike passwords, you can have multiple passkeys per account. You can have 5 passkeys for your amazon account if you use your amazon account on 5 different devices. If you lose device 4, or if it gets stolen, you can just delete passkey 4. The other ones are safe.

        Or, you can use a syncing service like a password manager. Both solutions work!

        • 0cf8612b2e1e 13 hours ago
          How many years did it take for Amazon to allow multiple yubi keys?

          If giant tech company with infinite money cannot handle it, why should I have more faith in the dozens of services I use to do better this time?

  • RHSeeger 1 day ago
    I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

    - I want to be able to share passwords for accounts with my family (some, but not all of them)

    - I want to be able to load up my login information from whatever device I am currently working on; my phone, my home computer, my work computer, my wife's phone, etc

    - I don't want to risk my phone breaking and losing access to all my accounts

    Something like 1Password or Bitwarden fits all of that perfectly.

    • Avicebron 1 day ago
      > see a compelling argument for passkeys

      It's tied to vendor lock in. Which increases the ability of companies who develop certain technologies for the masses to increase the friction of interacting with things outside of the ecosystem. The argument is that if a user is unable to use an alternative, by hook or crook they will pay increasingly high subscriptions to access the services provided by that ecosystem. This increases a number on a spreadsheet, the only true compelling argument one could say

      • re 1 day ago
        > It's tied to vendor lock in

        If you're referring to the inability to transfer passkeys across systems, that should be improving soon.

        https://blog.1password.com/fido-alliance-import-export-passk...

        https://arstechnica.com/security/2025/06/apple-previews-new-...

        • dspillett 21 hours ago
          > that should be improving soon

          Then _soon_ I might reconsider using passkeys.

          I'm not making changes to my security workflows now based on promises that the lock-in potential will be reduced at some unspecified point in the future.

        • ls612 1 day ago
          As long as the passkey spec includes remote snitching (attestation) your keepass open source alternative will exist only because big tech allows it, and it will end when big tech demands it. The entire import/export standard is a red herring.
          • ortekk 22 hours ago
            It's sort of happening already. Members of FIDO threatening to block KeepassXC users [0] from logging in, unless KeepassXC complies with FIDO demands regarding specific implementation

            [0] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

          • rantallion 1 day ago
            On one side of the pond, we have the EU's Digital Markets Act to protect consumers. It has teeth and it's already being used to ensure consumers have choice.
            • zombot 23 hours ago
              But only in the EU. You can already see iOS behave differently depending on which side of the pond you're from.
            • holowoodman 23 hours ago
              Not so sure that EU bureaucrats will understand and fix that problem. With NIS2, they let the IT-security-crapware lobby dictate draconian and mostly stupid security laws. Could be that the security-paranoid part of the bureaucracy overrides the consumer protection part in that case.
    • darkwater 1 day ago
      > I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

      > - I want to be able to share passwords for accounts with my family (some, but not all of them)

      This, but for another reason. To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it. Yes, passkeys improve security in some contexts but also tighten the grip of service providers.

      • tzs 17 hours ago
        > To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it.

        I'm not sure that's a good example. I thought you currently only need to share your password if you want to let them use your Netflix account on their computer/phone/tablet. If you are just trying to set them up on their smart TV wouldn't you simply have them install the Netflix app on their smart TV, launch it, hit sign in, and then tell you the 8 digit confirmation code from the app, and then you would go to netflix.com/tv2 on your computer/phone/tablet, enter that code, and use your credentials to confirm?

        So let's change it to you want to let your parents use your Netflix on their computer/phone/tablet. Netflix doesn't currently support passkeys, but we will assume they will at some point.

        What you would do is something like this.

        1. Tell them your Netflix account name.

        2. Have them go through Netflix's procedure for logging in on a device that does not have a passkey when you have no other devices available that do have a Netflix passkey for your account. They are almost certain to have some way to do this.

        3. Once they are logged in they can add a Netflix passkey to that device.

      • Freak_NL 1 day ago
        Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

        I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.

        • jjani 1 day ago
          > Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

          Like the millions of "terms of use" breached by the exact trillion dollar companies pushing for passkeys (Google, Microsoft) while training their AI models? Sounds like terms of use are entirely irrelevant in the first place.

          • littlecranky67 23 hours ago
            Terms of use != laws. ToS are very often overruled by laws in a lot of jurisdictions. Saying anything that violates ToS should not exist as a free/public standard is corporate speak, and not in the interest of the consumer.
            • wkat4242 22 hours ago
              See what happens if I get caught downloading movies.

              Then see what happens if meta downloads an entire library and trains their AI with it.

              • littlecranky67 19 hours ago
                Not sure if anything different happens. If you get caught, you probably get fined - that is true for Meta and for you. Not sure what jurisdiction you are in that would get you into prison.

                Meta just figured the fine is worth the leap ahead in AI training, and I kind of agree.

        • darkwater 1 day ago
          > Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

          Since when "you are not supposed to do it" works? :) Most videogames cannot be freely copied or modified/tampered with, according to their ToS; still, companies implement draconian DRMs/anticheat to block people from doing it anyway. This is the same situation.

        • porridgeraisin 1 day ago
          > breach of their terms of use

          I mean, it was an example. Replace it with an amazon account and the argument remains the same.

    • RataNova 1 day ago
      Right now, passkeys feel like they solve Google's and Apple's problems more than users'
      • al_borland 21 hours ago
        The “problem” they solve for Google and Apple is how to further lock people into their ecosystems. Microsoft too, they are part of it as well I believe.
    • t_mann 1 day ago
      You can do all of those using passkeys in KeePass, e.g. through KeePassXC, including import/export. However, KeePass applications have already been flagged as non-compliant for this reason. What you also currently can't do afaik is use them on mobile.
    • vanviegen 1 day ago
      I think a password manager like bitwarden still meets all of those criteria when it's managing passkeys for you.
      • thayne 1 day ago
        But companies like Google, Microsoft, and Apple have a vested interest in making third party tools like bitwarden not work as well, or not at all on their platforms.
        • Hawxy 20 hours ago
          Microsoft has been actively working on a new API to make third-party password managers natively integrate with Windows:

          https://learn.microsoft.com/en-us/windows/apps/develop/secur... https://blogs.windows.com/windows-insider/2025/06/27/announc...

        • ChadNauseam 1 day ago
          iOS and Android both have APIs for plugging in custom password managers into password entry fields in every app, and for using passkeys with those custom password managers. I use 1password on my iPhone and my Android and it integrates perfectly with both. I agree that those corporations have an interest in making those tools work poorly to stop you from leaving the platform, but they seem to have done the right thing and put some effort into allowing them to work well.
        • jeroenhd 23 hours ago
          Bitwarden works just as well on Android. In fact, it's even easier when it comes to managing multiple passkeys per domain. And yes, that includes CTAP2 logins ("scan a QR code with your phone to log in").
          • al_borland 21 hours ago
            From what I saw, 1Password was fighting tooth and nail to get into the FIDO Alliance, as the big corps were trying to leave 3rd party password managers behind. I assume without fights like this, all 3rd party password managers would have been left behind. I think that was the plan, thankfully it didn’t work.
            • reginald78 19 hours ago
              KeePass was straight up threatened with blackballing using the attestation feature as an enforcement mechanism. This thing was barely out of the gate before the mask slipped.
          • thayne 16 hours ago
            For now. But will that always be the case? And what if sites use attestation to reject passkeys from providers like Bitwarden or KeePass(XC)?
        • ashdksnndck 1 day ago
          iOS third-party password manager integration has gotten better over the years. It went from nonexistent, to half-working but constantly pushing me to use iCloud passwords instead, to allowing third-party to be the default once I set it up and never mentioning iCloud passwords to me during normal use.
          • close04 1 day ago
            If blocking this integration will ever be in their interest (I can't say much about this though), then they'll just tighten the grip as soon as passkeys are the norm and other auth methods are deprecated. It's always easy to invoke generic or obscure "security" reasons, even if it means creating the problems themselves so they come with the solution just in time.
        • shepherdjerred 12 hours ago
          Passkeys with 1Password on iOS is excellent
      • dspillett 21 hours ago
        A lot of answers to problems people raise wrt passkeys seem to be “using a good password manager”.

        But one of the selling points is that they are supposed to help bog standard users be more secure. How many bog standard users do you see using a good password manager, despite how long we've been suggesting that they do? If they aren't going to use one for passwords they aren't going to use one to smooth the edges of passkey use.

    • microflash 1 day ago
      I do use Bitwarden to store passkeys and it works across devices just fine.
    • 8fingerlouie 21 hours ago
      1Password also supports passkeys. I'm not sure if you can share them in a family vault, but considering they're just "passwords" in 1Password, I don't see why you wouldn't be able to. The portion of a passkey stored on device is just a private key, which is essentially just a string of bytes.

      The built-in password manager in iOS/MacOS also supports synchronizing passkeys across devices (via iCloud), and again, I'm not sure if you can share those passkeys between users, but same argument as for 1Password.

      • al_borland 21 hours ago
        This still doesn’t solve requirement 2, at least as far as I can tell.

        I’m a 1Password user. There are times I want to login with one of my personal accounts on my work laptop, auxiliary device I have, or family member’s device. On all these occasions, I’m not going to install 1Password and sync down my entire vault, just to delete it 5 minutes later. I simply reveal the password in my app and type it in. With passkeys there is no way to do this. It’s an edge case, but an important one.

        I’d feel much better about passkeys if it wasn’t some mysterious thing locked away in a vault. If it’s effectively a public/private key pair, I should be able to see the private key in my password manager and copy/paste it wherever I want, and however I want. If I could do this I would instantly understand what’s going on and be more accepting of it, though I’d expect I’d still run into some edge cases.

        • dchest 20 hours ago
          > I simply reveal the password in my app and type it in. With passkeys there is no way to do this.

          After entering your username, you select an option to use your other device to sign in and scan a QR code with it.

          • al_borland 11 hours ago
            That assumes the device/app I’m logging into supports that. It also assumes I have my password manager on a device that can scan QR codes.

            Are passkeys ubiquitous? It doesn’t feel that way. Tech demos are nice, but they’re just tech demos. When I’m doing my taxes I don’t want to find out I can’t download my data in TurboTax because I can’t login to my bank with a passkey via their app. Or maybe I want to use some old hardware, where the apps haven’t been updated with QR codes and passkeys, I guess I’m out of luck.

            Too many edge cases. They are trying to sell passkeys as a magic way to login. I’m not going to entrust my ability to login to magic.

            Also, scanning QR codes to authenticate feels very janky. Isn’t that why CurrentC failed? No one wanted to do a QR code dance with their phone.

    • Ferret7446 1 day ago
      > I want to be able to share passwords for accounts with my family

      No you don't, you want to share access, and the only way you can do it with passwords is by sharing the password itself. With passkeys you can have each person register their own passkey.

      • blendergeek 1 day ago
        I want to be able to share access without permission from Microsoft
        • Ferret7446 23 hours ago
          Huh? Microsoft doesn't own passkeys. I think you have a completely incorrect understanding of passkeys.
          • blendergeek 21 hours ago
            If I use Microsoft Authenticator, they do control the passkeys. It doesn't matter who "owns" them if they control them.
            • j_maffe 20 hours ago
              They can "control" them in any meaningful way if they use them for access of things that you do not allow or denies access for things that you do allow. If neither are happening, then you're effectively the one controlling, not them.
              • blendergeek 20 hours ago
                The specific issue at hand is sharing. With passwords, I can easily share my passwords. Is it easy to share passkeys? And could doing so be prevented by Microsoft?
                • IcyWindows 7 hours ago
                  The point of passkeys is that you can have many of them unlike a single password. Each device should have its own passkey that I can revoke if my device is lost.
          • Eduard 18 hours ago
            Give an actual working example on how you would share with a friend access to an arbitrary Passkey-enabled account of yours.

            Do all using services allow this? Is it at least as easy and straightforward as telling your trustworthy auntie your password?

            • Spare_account 17 hours ago
              Does the Passkey-enabled account support multiple passkeys?

              I'm pretty sure I have my Android phone setup with a passkey for my Google account and also my Windows laptop.

              Presumably the same logic applies for a service that permits multiple passkeys. Each person would register a passkey on their device using the shared credential.

              • blendergeek 12 hours ago
                > Does the Passkey-enabled account support multiple passkeys?

                Therein lies the issue. With passwords, it doesn't matter if the account supports multiple passwords. I can share the one I have.

                > Presumably the same logic applies for a service that permits multiple passkeys. Each person would register a passkey on their device using the shared credential.

                but can I simply share the passkeys without someone's permission (other than my own)?

      • RHSeeger 21 hours ago
        How does that differ from each person having their own password? Right now, if the service only allows for a single login (username/password), then is there a reason to believe it would allow multiple people to have different passkeys?

        Plus that doesn't really address allowing someone else in your family to log into your account "temporarily"; ie if you want them to check something for you.

      • gkbrk 20 hours ago
        Yes I do, don't put words in people's mouths. I want to share passwords (not access) with my family so they can authenticate into services without the service provider being able to tell who is accessing it.
      • avh02 22 hours ago
        That's an implementation detail, could just as well easily have multiple username/password pairs tied to the same underlying account
  • jonathanlydall 23 hours ago
    For those who may not have read the article fully, Microsoft's existing traditional password management on mobile devices is not becoming unavailable, but is being moved from the Authenticator App to Microsoft Edge.

    I had this warning show up in the iOS Authenticator app like last week or something and it guides you through changing your iOS settings to instead use Edge as a password manager. As Edge is my browser of choice on my Windows PC and I already had it installed on iOS, this was a very minor inconvenience for me.

    It's worth mentioning that even though I almost exclusively use Safari as a web browser on my iOS device, when filling in passwords on websites it seamlessly allows you to use any iOS configured password manager including Edge.

    It's definitely a little weird that you now require Edge to also be installed for essentially the same functionality, and Microsoft might be doing it to try to push people to install Edge.

    • sydbarrett74 22 hours ago
      I think you’re right about Edge being the real play here. MS wants to increase Edge adoption and dig at Google. Passkeys are a pretext.
    • reval 5 hours ago
      This makes me feel a little better about this change. However, there are bound to be weird Edge cases.

      Edge allows multiple profiles, are all always available to store passwords? Can your IT department block the use of personal profiles if you’re logged into a company profile?

    • m463 9 hours ago
      also I've noticed with multiple forms of authentication the slack will be taken up by Microsoft having your phone number.
  • joeblubaugh 1 day ago
    And people complain about Apple being paternalistic.

    If you’re already saving passwords in an app, you’re being more secure than most users. A forced move to passkeys seems nuts when not all systems support them yet.

    I’m also still concerned that passkeys seems more likely to fail the average user when they break or lose a device, compared to a decent password.

    • smolder 1 day ago
      They used to complain about that 10 years ago, but Apple was just ahead of its time. Microsoft saw the light and is racing down that path. Soon enough, no computer without user-defeating secret logic and remote ownership will be allowed to interact with important networked applications. Linux users will either need a tainted Linux variant or not have access to banking, streaming (already a problem), games, and so on.
      • hansvm 1 day ago
        And still, the entire bank account is still vulnerable to a $15 silent borrowing of your phone number for a day, bypassing all normal protections. The system is only harder to access for the rightful owner.
        • ozgrakkurt 16 hours ago
          Or if you get your line cancelled for some reason and have no access to your phone number and you are abroad. You’ll have trouble with banks and many other things that use phone number for verification.

          Really wish they worked on removing phone number verification before doing any other security/password thing.

        • einarfd 21 hours ago
          This is only true in some countries, and tbh. having this as the state of the art sounds a bit dystopian. I've been using my BankID, which is a Norwegian electronic identity solution, to log into banks and such for decades now. With these types of solutions, there is no way that taking control over phone numbers makes any difference when trying to get access to a bank account.

          Btw. this type of electronic identity solution is not Norway-specific; I know all the other Nordic countries have them, and they are, as far as I know, fairly popular in the rest of Europe as well.

        • krior 1 day ago
          How would that attack work?
          • VoidWhisperer 1 day ago
            SIM Swap attacks are what they are referring to, I think.
            • m3galinux 1 day ago
              Or SS7 attack to intercept SMS messages, no SIM swap required.
              • xyst 21 hours ago
                Doesn’t this require physical access to a compromised mobile network?
                • chainingsolid 21 hours ago
                  Requires that someone has physical access, that they can then sell digital access to.
      • throwaway290 1 day ago
        It is already required to buy an approved terminal to participate in society. This may seem a bit of joke in some countries but in many places it is absolutely real.

        The next step in progress is to bake in functionality that can guarantee interested parties that it is you operating the terminal at all times.

      • jgerrish 1 day ago
        You're probably right. We'll have enforced boot chains and attestation for devices if we want to take part in large parts of our economic system in the future. A ton of important systems like banking, safe and secure sex worker and entertainment sites for users and performers, government services like online taxes and car licensing and drivers testing* and children-safe sites.

        Over twenty years ago, many of us warned about the dangers of increased and unaccountable intelligence service power. We saw what the Patriot Act would create.

        We joined the EFF and the ACLU, or renewed our memberships. Organizations at the time that focused more on actual deep philosophical issues and how they relate to our political world.

        Obviously the Patriot Act has saved lives. Terrorist events and neglected victims are tragic and VERY emotional.

        But today, immigrants and others are spending their own lives protesting the actions of ICE. Their own very limited time on this planet.

        I'm not here to judge Immigration and Customs Enforcement. I'll take flak for that among liberals. Again, I'm not judging ICE. In many cases they've been falsely accused where there was clear evidence they weren't at fault.

        No, what bothers me is immigrants, who already have difficult lives, and Generation Z, who have less economic security themselves, are the ones marching in the streets.

        Twenty years from now, who will be working extra unaccountable and unbillable hours protesting in the streets because the DRM and secure computing systems being pushed through today are abused?

        Even if most of that abuse is a show, meant to divide citizens and law enforcement. There are people out there working for free for that show.

        Who will work more in the future?

        And like not judging ICE, I'm not judging the countries racing and battling to deploy secure computing environments. Knox and TrustZone and TPM and whatever new things await us in the future. There are reasons both for safety and economic security I don't judge.

        And there are dark patterns around software supply chain weaknesses and online safety and incentives to accelerate those issues to push through security architectures.

        Other countries are doing it. I hate the fucking game theory solutions that it encourages.

        But what I'm worried is that in twenty years who will be working for free because our secure computing environments are found unfair?

        And unfair can be many things. Governments push values, even when it's not explicit. When I'm using my integrated cyberdeck or implants or just ambient room device, what am I missing? What is being pushed into or out of my vision or awareness?

        That's twenty years in the future, what's forty years in the future? I won't be here, but you bet your ass I'm worried. Because the people who I fucking care about now working their asses off for free are being blinded about the upcoming digital wreck, like they were in 2001.

        * I believe myself here, that's key.

    • Groxx 1 day ago
      Also next to impossible to write down to give to someone else.

      This (or by phone) is how I've transferred: all family accounts, all small community accounts, some business accounts, many friend-shared accounts, and it's also how some people ensure accounts can be accessed if they die. It's not a small problem.

    • jrockway 1 day ago
      Yeah, I think people will lose their passkeys a lot. I think companies are happy to provide another service ("passkey syncing") that you will pay for for life. Back In The Day you could be a freeloader by remembering your passwords like a nerd. No longer. The loophole is closed!

      That said, passwords are actually so bad that anything would be an improvement over them. While a stealable passkey vault sync'd to your malware-infested Windows laptop is not ideal for security, it's sure better than typing your bank password into your favorite forum because you don't understand that website administrators can see your password when you type it on their site. (Not to mention phishing.)

      • jeroenhd 22 hours ago
        Apple, Google, and Microsoft already do passkey sync for free. They don't do exports, though. However, there are various third party solutions for syncing passkeys that aren't tied to your computer manufacturer.

        I don't think passkeys are going to replace passwords any time soon, and I don't think freeloaders are even part of the equation here. You can share a passkey through Bitwarden just as easily as you can share a password.

        Freeloaders already need to jump through hoops to share passwords and even then they're getting off easy; if streaming companies actually cared about catching freeloaders, they could stop the practice altogether. What they're doing now is just signalling to them that you're not supposed to and adding very minor annoyances to the mix.

        • jrockway 11 hours ago
          Only in their own ecosystem, though, right? I use Windows and an iPhone; nothing syncs. I use 1password instead.
          • blokey 9 hours ago
            Would iCloud for Windows help sync things for you?

            https://support.apple.com/en-gb/guide/icloud-windows/icw2bab...

            After you set up iCloud for Windows, you can use iCloud Passwords to access your passwords in Google Chrome or Microsoft Edge using a browser extension. You can also manage your passwords in the iCloud Passwords app.

    • burnt-resistor 9 hours ago
      Both are technofeudal corporations and hostile to users' rights.

      Microsoft is just rapidly getting even worse lately.

    • RataNova 1 day ago
      Until recovery and multi-device support are seamless across ecosystems, forcing this kind of shift just adds friction
  • sedatk 1 day ago
    This is very bold because passkeys haven't been the smoothest ride so far. There are many inconsistencies in implementations among platforms. For example, many websites use passkeys as an alternative sign-in option, and let you keep your password login. So, you remain susceptible to phishing despite having a passkey on your account. Recovery flows are inconsistent too.

    I applaud Microsoft because a big player had to go all-in into passwordless authentication. I'm sure it won't be painless, but it might push others to adopt the approach eventually.

    • grahameb 1 day ago
      There's still a dearth of support in commonly used open source backend frameworks, too – and, at least after looking a bit the other day, I couldn't find much in the way of documentation on the standard flows. I was hindered a little in searching by SEO spam from various companies offering APIs to deal with users/passkeys for me as a service.
      • aniviacat 1 day ago
        Bypassing SEO spam is the core use case of LLMs (with search function) for me. It's so nice to just get a (relatively) concise answer immediately.
  • umanwizard 1 day ago
    Absolutely bonkers if true. The #2 thing you don’t want a password manager to do (after, of course, leaking your passwords) is deleting your passwords!

    Hopefully this will entice people to switch to 1Password, but I’m pessimistic — it will most likely just convince people not to use password managers at all.

    • FinnKuhn 23 hours ago
      As I understood it from the announcement in the App itself the password will still be available but through the Edge App instead.

      No idea who thought of this bad idea. Now I gotta move them all to Apple passwords or something else.

    • LeoPanthera 1 day ago
      I hope they don't switch to 1Password, I switched away from it, after their new Electron app repeatedly failed to autofill passwords in Safari - a basic function.
      • Quarrel 23 hours ago
        While not quite switching to 1Password, the latest Win 11 build includes:

        > We have partnered with 1Password to bring users a seamless plugin passkey provider integration in Windows 11.

        after other details at least it does go to:

        > If you are a credential manager developer, we invite you to integrate with Windows 11 to support customers in their passkey journey. To find out more about implementation detail, go to https://aka.ms/3P-Plugin-API.

        The full info:

        https://blogs.windows.com/windows-insider/2025/06/27/announc...

    • Brian_K_White 1 day ago
      keepass ffs not 1password
  • cycomanic 22 hours ago
    What I don't understand with the push for passkeys, is that for years we have been told we need at least two factors for secure authentication, something we have and something we know.

    Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough. I've not read anywhere a good argument why.

    Sometimes people have been arguing that the passkey should still be locked into e.g. another password manager with password, but that doesn't seem to be the case with most implementations, am I missing something?

    • 8fingerlouie 21 hours ago
      Passkeys are basically just asymmetric encryption. When you create a passkey, you upload the public key to the website, and the private key stays on your device.

      That greatly reduces your risk if/when credentials get leaked from the site in question. Public keys are meant to be public, and worthless by themselves.

      As for your private key, that usually ends up in a secure enclave or similar HSM, which in turn is protected by a pin code and face or fingerprints.

      The private key then becomes "something you know", and your biometrics are "something you have".

      • ajnin 19 hours ago
        Client certificates have existed for basically as long as encryption. Passkeys are more than that, and that is a crucial point. They allow verifying the identity of the signing device, and allow access only if the device is "legitimate" from the point of view of the remote service. That is a very big encroachment on the user's privacy and freedoms and a new very big step in the process of tying everything even more tightly to accounts and devices controlled by the big service providers and making it more difficult to get out or to enter the market for new actors.

        Think Trusted Computing. Soon it will be impossible to log in to some media streaming platform, for example, if you don't have a passkey sanctioned by an OS with a TPM. Then everything will be locked in and the only flaw will be our eyes and our ears.

        • 8fingerlouie 14 hours ago
          Absolutely, passkeys couple a trusted device (typically a phone with HSM) with asymmetric encryption.

          HSM ensures that the device is actually the device it claims to be, as the key cannot leave the device, and by coupling it with biometrics, which is authentication, you prove to the device you are who you claim to be.

          So by the device authenticating you, the device by extension can authenticate you against the remote site using a cryptographic challenge.

          There is no vendor lock in however. You can use a password manager like 1Password to store passkeys, or even Apple's Keychain supports synchronizing the passkey across devices (including Windows). KeepassX also supports passkeys, so it’s not limited to official vendors like TPM.

          As for HSM, you can also use something like a Yubikey.

        • mathiaspoint 13 hours ago
          Oh yeah fuck off with that.

          I was wondering why I couldn't just use a client cert (or better yet my ssh keys) and figured it would be something like that. It turns out I was right to invest zero time or energy figuring it out.

      • pferde 21 hours ago
        Just an almost meaningless nitpick, but biometrics are "something you are", aka. the third of the famed three factors. :)
        • 8fingerlouie 21 hours ago
          Well, biometrics usually act as a proxy for PIN codes, so the PIN code is something you know, the private key is something you have, and biometrics is authentication.

          And yes, nitpicking :)

        • nulbyte 20 hours ago
          I'll never understand this. I am not a fingerprint.
          • mzajc 20 hours ago
            You are a human, and humans have permanent fingerprints. The difference between "something you have" and "something you are" is that you can regenerate the former, but not the latter.
            • 8fingerlouie 20 hours ago
              That kinda leaves (current) biometrics in a gray zone, as fingerprints and faces can be regenerated.

              You literally leave your fingerprint on every surface you touch, and faces can be covertly photographed.

              • baseballdork 18 hours ago
                I believe they were referring to the fact that you can't hit a button and generate new fingerprints for yourself. The ones you have are with you forever, generally.
                • aeonik 18 hours ago
                  Assuming you don't get a paper cut or something.
        • immibis 15 hours ago
          Actually, all three factors are things you know: Your password is something you know. The private key on the security processor is something you know. And your scan of your fingerprint is something you know.
    • lathiat 21 hours ago
      There’s a slight improvement in that the passkey will only transmit to the correct website. Cannot select and fill it to the wrong domain.

      But other than that I agree. Especially now that these synchronise with iCloud, BitWarden, etc seems a no brainer you can just steal these and access everyone’s accounts in many cases with no extra 2nd factor.

      This confuses me too.

    • dspillett 21 hours ago
      > Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough.

      That was my initial reaction too. I think the assumption is that the second factor is whatever you use to unlock your device (a “something you know” if that is a password/passphrase or “something you are” if that is biometrics).

      I'm not convinced any of it is any more secure than user+pass as is being claimed. Passkeys being device/AU dependent adds a bit of hardship to someone trying to hack your account, but people seem to be suggesting sharing passkeys between devices/AUs using their password managers, which nullifies that effect?

    • al_borland 21 hours ago
      My view with passkeys was basically that they force the use of a password manager (even if that manager is mostly invisible to the user). The password manager is something you have and you unlock it with something you know or something you are (biometrics).

      That said, I don’t like them. I don’t really understand what happens when I run into edge cases, and that makes me nervous. That’s also true for 2FA in many cases.

      So far my only passkey is for Amazon, I felt tricked into it, which I’m not happy about, though my password also still works. I’m opposed to this about as much as forced 2FA. I understand the security aspect, but Gmail randomly started to use their mobile app for 2FA, and now I’m afraid if I delete the app from my phone I’ll be locked out of my account, with the potential for excessive hoop jumping to get it back.

      I read an article a while ago with the ultimate conclusion that passkeys don’t offer a major benefit to people who already use long, complex, unique passwords in a password manager. If this is the case, it seems this whole push is designed for people with terrible password habits, who definitely don’t understand what’s going on with passkeys, and I expect will find out once they hit an edge case and end up in a bad spot.

      • dchest 20 hours ago
        The article is wrong: users copy passwords from their password manager into the website if the autofill doesn't work => phishing. Can't do this with passkeys.

        Agree with your other points, the whole passkey story is undeveloped and unclear yet.

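The mechanism 8fingerlouie describes above (public key uploaded at registration, private key kept in the vault, login by signing a challenge) and the point lathiat and dchest make (a passkey only ever answers for the site it was registered on, so it cannot be pasted into a lookalike) as an added Go example. This is not code from the thread, from Microsoft, or from any passkey vendor; it assumes constructed names bank.example, bank-example.test and user alice, uses P-256 with SHA-256 as WebAuthn's ES256 does, and reduces authenticatorData to just the rpIdHash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the "something you have": a vault (secure element, phone or
// password manager) holding one P-256 key pair per relying-party ID (rpID).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // the private keys never leave this struct
}

// Register creates a key pair scoped to rpID and returns only the public key,
// which is all the website stores, so a breach of the site leaks nothing usable.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the login response. Real WebAuthn signs authenticatorData ||
// SHA-256(clientDataJSON); authenticatorData is reduced here to just the rpIdHash.
type Assertion struct {
	RPIDHash   [32]byte
	ClientData []byte // carries the challenge and the origin the browser saw
	Signature  []byte // ECDSA over SHA-256(RPIDHash || SHA-256(ClientData))
}

func signedDigest(rpIDHash [32]byte, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return d[:]
}

// Sign answers a challenge. rpID and origin are supplied by the browser from the
// page's real origin, not by page content, so a lookalike domain cannot select bank.example's key.
func (a *Authenticator) Sign(rpID string, challenge []byte, origin string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	cd := []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"%s"}`, challenge, origin))
	h := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(h, cd))
	return &Assertion{RPIDHash: h, ClientData: cd, Signature: sig}, err
}

// RelyingParty is the website side; it stores public keys only.
type RelyingParty struct {
	rpID  string
	users map[string]*ecdsa.PublicKey
}

// Verify performs the checks a server must make before accepting a login.
func (rp *RelyingParty) Verify(user string, challenge []byte, a *Assertion) error {
	// 1. The assertion must have been produced for this site's rpID.
	if a.RPIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	}
	// 2. The challenge must be the one we issued (no replay) and the origin ours.
	want := fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"https://%s"}`, challenge, rp.rpID)
	if string(a.ClientData) != want {
		return errors.New("clientData does not match the issued challenge/origin")
	}
	// 3. The signature must verify under the public key registered for this user.
	if pub := rp.users[user]; pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(a.RPIDHash, a.ClientData), a.Signature) {
		return errors.New("unknown user or bad signature")
	}
	return nil
}

// RunScenario registers a passkey for the constructed site bank.example and tries three
// logins: the genuine site, a lookalike with no key, and a lookalike relaying the challenge.
func RunScenario() (legit, noKey, mismatch error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{rpID: "bank.example", users: map[string]*ecdsa.PublicKey{}}
	pub, _ := auth.Register(rp.rpID) // key generation only fails if the OS RNG does
	rp.users["alice"] = pub
	challenge := make([]byte, 32)
	rand.Read(challenge)
	asrt, _ := auth.Sign(rp.rpID, challenge, "https://bank.example")
	legit = rp.Verify("alice", challenge, asrt)
	// (b) Phishing page: the browser derives rpID from bank-example.test, which has no key.
	_, noKey = auth.Sign("bank-example.test", challenge, "https://bank-example.test")
	// (c) Even with a passkey registered on the lookalike, its relayed assertion fails check 1.
	auth.Register("bank-example.test")
	relayed, _ := auth.Sign("bank-example.test", challenge, "https://bank-example.test")
	mismatch = rp.Verify("alice", challenge, relayed)
	return legit, noKey, mismatch
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints nil for the genuine login, a "no passkey registered" error for the lookalike, and the rpIdHash mismatch for the relayed assertion. Check 1 is what distinguishes a passkey synced through a password manager from a pasted password: the synced key still only signs for the rpID the browser reports. None of this helps if the vault itself is compromised, which is the separate concern raised elsewhere in the thread.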
        • al_borland 11 hours ago
          There are many non-phishing times my password manager fails to autofill. That’s a problem, as it does lead people to get lazy. However, it will show the login, that I’m on the right site, it just won’t fill it. In these situations, I do end up copy/pasting it in. It’s my only option. If passkeys break in this way, for whatever reason, you’re just screwed.

          There are also times when companies change their URL. Or their app uses a different URL for their auth API than the website URL. If it’s obvious, the new URL can be added to the password manager to fix this. If it’s an API the user can’t see, this is much more difficult, especially if using a 3rd party password manager, it’s basically impossible. The only thing that made me aware of this was when Apple introduced their password management and I could see all the login data it saved from various apps. All kinds of URLs that were otherwise invisible to me.

          What happens to a passkey in this case? Make a new account, start over?

    • burnt-resistor 9 hours ago
      PKs are a lie and closeted 1 factor with vendor lock-in.
    • kemotep 21 hours ago
      Passkeys are quite disappointing in practice. I feel like they were described as ssh keys for website logins but they seem to be half-baked. Accessibility concerns and vendor lock-in are certainly an issue.

      Definitely stick to keeping passwords and passkeys in a password manager for portability. KeepassXC and Bitwarden (which can be self-hosted) work best for this in my opinion.

      • al_borland 21 hours ago
        Why would I keep them separate? What does this achieve?
        • anonymars 19 hours ago
          Are you replying to the right post or did parent edit?
          • al_borland 12 hours ago
            I’m now not sure if there was an edit or if my brain inserted a word. When I replied, I thought I read that they were saying to keep passwords and passkeys in separate password managers, but maybe I’m just going crazy.
        • kemotep 17 hours ago
          Keep what separate?
  • withinrafael 1 day ago
    The simpler version is that Microsoft Authenticator--a mobile app that provides 2FA--is discontinuing its password autofill feature and the passwords stored/used with that will be wiped in August unless action is taken, as has been communicated for a while now.

    More information: https://support.microsoft.com/en-us/account-billing/changes-...

    • TiredOfLife 23 hours ago
      "Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge"
  • mzajc 20 hours ago
    Besides other inconveniences mentioned here, I'm very concerned about "passkey provider attestation" (see: walled garden). This was already brought up as a threat against KeepassXC because their implementation allowed "too much" user choice: [1].

    Does anyone know if this kind of anti-user attestation has been or can be deployed? I really can't understand why anyone would promote passkeys in good faith if that's the case.

    [1]: https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

  • execat 1 day ago
    What's their end game here?

    What is Microsoft gaining from their push to passkeys? They knew this was going to piss off a lot of people, but they went ahead with it anyway. That makes me believe there's something else at play.

    My experience with passkeys has been worse than my Bitwarden password auto complete, so needless to say I'm sticking with my regular passwords on my Bitwarden (I know Bitwarden has Passkeys support. I don't want to use it)

    • hakfoo 1 day ago
      I suspect it's another step in the push to make the mobile device the centre of digital identity. (Yeah, it might support some standalone key devices, but nobody's giving Joe Sixpack a Yubikey)

      The one with far more data gathering capability and generally less robust ability for the end user to assert control over it, and which is generally tied to a service contract that in many countries requires identity verification.

      • tacticus 1 day ago
        That would require all the Microsoft auth platforms to allow you to use YubiKeys or similar instead of default forcing you into MS Authenticator only
        • jdmoreira 1 day ago
          Microsoft authenticator supports YubiKeys
    • RataNova 1 day ago
      Feels like they're betting big on being seen as a leader in "passwordless" security
    • ocdtrekkie 1 day ago
      So in business Microsoft cloud land, not using Microsoft Authenticator specifically is basically impossible. You have to shut it off four different ways even if you have an alternative solution already configured.

      I think centralizing control is absolutely the core play for them.

  • yodon 20 hours ago
    I recently replaced my iPhone with a newer model.

    All the Microsoft accounts in my Microsoft Authenticator broke when I restored onto the new iPhone. None of the non-Microsoft accounts stored in the same Authenticator app broke.

    No, Microsoft, I don't trust you to manage passkeys for me.

    • nashashmi 19 hours ago
      Was your Authenticator backed up in iCloud?
      • yodon 18 hours ago
        > Was your Authenticator backed up in iCloud?

        Yes

  • djrj477dhsnv 1 day ago
    If I can't export the private key to my own backup solution, I don't want it.
    • akho 1 day ago
      Password managers sync passkeys just fine. If you use one of those, the benefit of passkeys is that some sites skip their SMS 2fa if you use a passkey. The downside is that you can only use them from your own devices, where you have the app/extension.
      • burnt-resistor 9 hours ago
        > Password managers sync passkeys

        0. Which Password manager(s)?

        > just fine

        1. Sync where and with whom?

        2. And are you including or excluding export and/or import too?

        You provide no evidence for your claims.

        PKs are being used as 1 factor mechanisms. That's centralizing a whole lot of trust.

        • akho 2 hours ago
          I use Bitwarden, self-hosted.

          > You provide no evidence for your claims.

          I don't think I'm interested in this conversation.

      • jeroenhd 22 hours ago
        I don't think skipping 2FA is a benefit. Sure, replace SMS with passkeys or TOTP or literally anything else, but don't actually take away my second factor, please!
        • izacus 22 hours ago
          Having to pointlessly copy around TOTPs from the same device is just security theater. There's no meaningful security difference for 2FA whether you actually need to copy around those tokens or if you click "authenticate with the key in app on my second factor device".

          It's still 2 factors. Just with less hassle (and resulting in more security due to better UX).

        • akho 12 hours ago
          Skipping SMS is an obvious benefit. Your passkey management system can embed as many factors as you want.
          • burnt-resistor 9 hours ago
            Placing a bunch of factors into 1 system is a giant SPoF like storing TOTPs with corresponding passwords within the same password manager. It defeats the whole purpose of 2+FA.
    • Analemma_ 1 day ago
      This response fundamentally misunderstands what passkeys are, and it feels like a cargo-cult copy-pasted answer for outrage points rather than one that is really considered. The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them.
      • recursive 1 day ago
        What passkeys are isn't something that most people want.

        I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.

      • comex 1 day ago
        No, passkey export is intended to be a thing and is becoming a thing. I'm not sure if Microsoft has implemented it yet but here is Apple's version:

        https://mobileidworld.com/apple-introduces-cross-platform-pa...

      • freeone3000 1 day ago
        Someone should tell Apple; they’ve been cloud-syncing passkeys for years.
      • AlotOfReading 1 day ago
        And yet people still need to share authentications between different devices (or people) and back them up for recovery purposes. If you're expecting only what you're saying, you'll find yourself simultaneously disappointed at how low the uptake is in the real world and how many major implementations (e.g. Apple) have a vastly different security model.
        • WarOnPrivacy 1 day ago
          > And yet people still need to share authentications between different devices (or people)

          Absolutely. The problem with narrowly targeted security measures is they are a poor fit for nearly everything.

      • whatevaa 1 day ago
        No, their point is that they are absurdly long and not phishable. Point b is not practical for mass uptake, as hardware devices get broken/lost/stolen all the time. And no, only nerds will have multiple ones.
      • CamperBob2 1 day ago
        Sounds like the sort of thing that will lock me out for any of a dozen different reasons.
        • subarctic 1 day ago
          Ya really what you want is your passwords saved in an encrypted vault that you can copy from device to device for backup. If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services to create a new passkey for the new device, that sounds terrible.
          • WarOnPrivacy 1 day ago
            > If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services ....

            I'm typing this on my Firefox remote app. Everything is cached in it. It runs in a VM at home.

            I suppose I am simulating having just one device.

            • Brian_K_White 1 day ago
              Everyone else: don't do this
              • stoltzmann 23 hours ago
                Why not? It actually sounds like the best way to use passkeys and still have control over them.
                • WarOnPrivacy 5 hours ago
                  I've been super happy with it. My logins are always with me but they never leave the house.

                  > It actually sounds like the best way to use passkeys and still have control over them.

                  I belatedly recall that I tried to set up a Google passkey in a VM and was rebuffed. Google depends on Windows Hello for passkey presentation prompts - and Hello is disabled in an RDP session (ostensibly because facial rec won't be needed).

                  I poked at the problem for a while and couldn't find a workaround.

              • WarOnPrivacy 5 hours ago
                It's a safe, simple and secure config. I understand that's not for everyone.
      • ChromaticPanic 1 day ago
        If that means I lose access to my accounts if my device dies on me, then hard pass.
      • hulitu 1 day ago
        > The whole point of passkeys is that they are a) one per device

        Hm, so then I need one for my account and one for every device where I use this account

        > and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them

        I heard that the new "device's secure enclave" is the cloud.

        • charcircuit 1 day ago
          One per device you want to authenticate with. So for example you can use your phone to do the authentication for many other devices you own.
          • porridgeraisin 1 day ago
            And if I want to share the credentials with my parents who I may not always be available to?
            • charcircuit 23 hours ago
              You can either share your passkey physically, or you can add one of their passkeys to your account.
          • cyberax 16 hours ago
            The whole _point_ of Passkeys is that they are representable as clear-text data, and so they can be synced.

            The WebAuthn _also_ allows device-bound keys, but they are not "passkeys".

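As an added illustration of the synced-versus-device-bound distinction drawn above (my own example, not code from this thread or from any vendor): a relying party can read the WebAuthn authenticatorData flags to tell a backup-eligible passkey from a device-bound credential. The sample bytes and the second-factor policy below are constructed assumptions, not any site's actual rule.

```javascript
// Added example: parse the authenticatorData a WebAuthn authenticator returns
// and read the BE/BS flags that distinguish a synced passkey from a
// device-bound key. Byte layout per the WebAuthn spec:
//   rpIdHash[32] | flags[1] | signCount[4, big-endian] | optional data...
const FLAGS = {
  UP: 0x01, // user present
  UV: 0x04, // user verified
  BE: 0x08, // backup eligible: the key may exist on more than one device
  BS: 0x10, // backup state: the key is currently backed up / synced
  AT: 0x40, // attested credential data follows (registration only)
  ED: 0x80, // extension data follows
};

// Parse the fixed 37-byte prefix of authenticatorData.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHashHex: Array.from(bytes.subarray(0, 32), (b) => b.toString(16).padStart(2, "0")).join(""),
    userPresent: (flags & FLAGS.UP) !== 0,
    userVerified: (flags & FLAGS.UV) !== 0,
    backupEligible: (flags & FLAGS.BE) !== 0,
    backupState: (flags & FLAGS.BS) !== 0,
    signCount: view.getUint32(33), // big-endian, as the spec requires
  };
}

// Classify the credential from the BE/BS pair. BS set without BE is invalid.
function classifyCredential(parsed) {
  if (parsed.backupState && !parsed.backupEligible) {
    throw new Error("invalid flags: BS set without BE");
  }
  if (!parsed.backupEligible) return "device-bound";
  return parsed.backupState ? "synced-passkey" : "passkey-not-backed-up";
}

// Hypothetical relying-party policy (an assumption for this example):
// a device-bound key proves possession of one specific device, so it may
// stand in for a second factor; a synced passkey does not, so require one.
// Also report a BS change since registration and a non-advancing sign
// counter, both of which the spec tells relying parties to watch for.
function evaluateLogin(parsed, stored) {
  const kind = classifyCredential(parsed);
  const backupStateChanged = stored.backupState !== parsed.backupState;
  const countersInUse = parsed.signCount !== 0 || stored.signCount !== 0;
  const counterRegressed = countersInUse && parsed.signCount <= stored.signCount;
  return {
    kind,
    requireSecondFactor: kind !== "device-bound",
    backupStateChanged,
    counterRegressed,
  };
}

// Constructed sample bytes (not a real authenticator capture).
function makeAuthData(flags, signCount) {
  const b = new Uint8Array(37);
  b.fill(0xab, 0, 32); // placeholder rpIdHash
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount); // big-endian by default
  return b;
}

// Usage: a synced passkey (BE+BS, counter 0) next to a device-bound key.
const sampleSynced = parseAuthenticatorData(makeAuthData(FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS, 0));
const sampleBound = parseAuthenticatorData(makeAuthData(FLAGS.UP | FLAGS.UV, 42));
console.log(classifyCredential(sampleSynced), classifyCredential(sampleBound));
```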
            • WarOnPrivacy 5 hours ago
              > The WebAuthn _also_ allows device-bound keys, but they are not "passkeys".

              True. WebAuthn is a good fit for a login that's tied to a user - and that user only logs into it from their workstation and maybe a laptop. There are better options when more flexibility is needed.

              Happily, there are enough secure options that my phones will always be authenticator-free.

            • recursive 14 hours ago
              > The whole _point_ of Passkeys is that they are representable as clear-text data, and so they can be synced.

              That seems to be counter to everything else I've heard about it so far. If that was the case, exporting would be easy, yet many password managers have had open feature requests for some time (1y+?).

              I don't know what the truth is, but if you're right, there's definitely a lot of misinformation about it. Far more than correct info IME.

              • cyberax 13 hours ago
                You can export passkeys from Apple and MS keyrings just fine. BitWarden and 1Pass also support exporting and cross-device syncing.

                What is missing is the standardized interchange format for exported passkeys.

          • hulitu 22 hours ago
            > So for example you can use your phone to do the authentication for many other devices you own.

            No battery, no authentication.

            Why do I need an additional device? A device controlled by another vendor.

      • cyberax 1 day ago
        > The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave

        This is literally the opposite of what Passkeys are.

  • jeroenhd 22 hours ago
    What a terrible article. The text suggests that Microsoft wants to force you to use passkeys, followed by an attempt by the writer to convince you to use passkeys, when the actual news is "you need to install another app to get autofill from Microsoft's password sync service".

    You can just install Edge. From what I can tell, you don't even need to browse using Edge to use passwords.

    If you don't use Microsoft Authenticator, nothing changes. If you do, probably because IT makes you, you've already seen the warnings about this.

  • wkat4242 22 hours ago
    What a dick move. I don't want to use edge, it's a terrible browser. And most sites don't support passkeys.

    I'm glad I don't use Microsoft crap but use everything self hosted so I can decide for myself what I want.

  • simonw 1 day ago
    I'm confused. Is this a Windows-exclusive thing? As an iPhone and Mac user is there anything I need to do?

    There is an app in the iPhone App Store called "Microsoft Authenticator" - is that what this story is about or is there a Windows feature with a confusingly identical name?

    • munchler 1 day ago
      Yes, they're talking about a mobile app used for two-factor authentication. It doesn't run on Windows (or Mac). If you don't have this app on your phone, you don't need to worry about it.
    • abawany 1 day ago
      IME some MS shops enforce use of it for 2FA to access company resources like VPN etc. - e.g., the only reason this app exists on my phone is so I can log into my employer's VPN.
      • reginald78 18 hours ago
        Are you sure you need the Microsoft one? After reading the giant support document at my employer I eventually figured out that any TOTP supporting app would work but most of the documentation made it sound like Microsoft was required anyway.
        • abawany 10 hours ago
          It seems to be a push notification where the MS Authenticator doesn't generate a code until I first log into the VPN using Exchange creds but tbf, I didn't look hard enough for alternatives so you are probably right that I could use any TOTP app.
  • blindriver 19 hours ago
    What happens if you lose your phone? I can’t find any explanation of passkeys that explains how I recover if my phone dies, gets stolen etc.
  • WarOnPrivacy 1 day ago
    I occasionally run into small biz employees running the mandated MS Authenticator (biz O365) on their personal devices. This makes me sad.

    I'm trialing Winauth for some remote-only users. So far I'm happy with having the authenticator on Windows desktop.

    ref: https://github.com/winauth/winauth

    • adastra22 1 day ago
      What is sad about that?
    • anotherhue 1 day ago
      ehh... for just one well behaved app I think it's tolerable.

      It's about where I draw the line though.

      • WarOnPrivacy 1 day ago
        Most every bit of online Exchange and O365 (+the ever-changing, ever-growing stack of MS policy/admin/security panels) is overkill for 10-20 users who need mail, Outlook, Word, Excel (no substitutions).

        It's a massive hydra and its most dependable output is onerous requirements. And the more of those we heap upon light duty users, the more reasonable it becomes to circumvent them.

        In this scenario Winauth is how we placate the unreasonable overlord.

  • rambambram 23 hours ago
    Wherever I work, IT departments expect me to install MS Authenticator on my own smartphone. To authenticate myself to MS so they can authenticate me to the organisation that already has seen my passport and my driver's license. No thanks...
  • mathiaspoint 13 hours ago
    Wait so are people just going to lose their passwords? That seems like terrible PR for a company that wants to shift to services. If you rug people just for marketing reasons like that why should anyone trust you with important business processes. This won't be something people can just ignore; if I lost my (homebrew for exactly this reason) password manager it would probably cause close to 40 hours of time cleaning up the mess spread out over months. We're talking about millions, potentially even billions of dollars worth of destruction depending on how many people were stupid enough (yes that's the appropriate word although it's more obvious now) to trust Microsoft to maintain their secrets for them.
  • 1970-01-01 20 hours ago
    All because of advertising. Strong passwords + not tying the account to an email address is the most phishing resistant thing one can do, however nobody is allowed to do this because they need your email address for advertising. Stop welding my identity to an email address and the entire problem becomes an order of magnitude easier to manage and maintain.
  • raphael_l 1 day ago
    Slightly off topic, but the Microsoft Authenticator app on iOS is - in my opinion - probably the worst-designed app by a large corporation. Nothing in there works the way you’d expect it to work.

    And my absolute favorite thing was when it itself got in the way of seeing the 2FA code for a modal entry and you had the option on the screen to hide the modal for 10 seconds in order to remember the number underneath…

    See screenshot here: https://ibb.co/5Wh05rsd

    • cycomanic 21 hours ago
      Don't worry it's not better on Android either. Since my work has switched to office365 it's just been hassle after hassle.

      The Outlook app on my phone (and I can't use any other method because it has been disabled) frequently loses authentication and I stop getting notifications about calendar events, emails ...; I've missed several meetings and important emails because of this.

      When trying to log in on my desktop/laptop I get told to confirm using either Outlook or the MS authentication app. Guess what, often I have been locked out on those as well, so now I have to go through the dance of logging in using an SMS code instead. It's sometimes even worse: even on mobile I get told to confirm from my authentication app/Outlook, where I'm just trying to log in.

      Authentication requests often only come through to my phone on the 3rd or 4th try. So now logging in to check my email suddenly takes 2 min, because I'm trying to get the popup in the app, it doesn't appear, I need to cancel the request, restart ...

    • jorvi 1 day ago
      Are you on an iPhone Mini?

      Just like the 5S / SE before it, corporations just sort of stopped testing that screen size, which leads to dumb UI gaffes like that.

      Another classic is button or menu text getting truncated. Spotify had that problem on the SE too.

      • raphael_l 1 day ago
        This was in February of last year according to the screenshot, my device was an iPhone 11 - not a small one, but rather very much standard screen size!
    • strbean 1 day ago
      Truly amazing that without the "I can't see the number" option you probably could have seen the number.
      • raphael_l 1 day ago
        That’s true, but only for my screen size. A smaller device wouldn’t.
  • karel-3d 22 hours ago
    Apple keeps pushing PassKeys to me.

    Also, Apple requires at least one AppleID password, that I need to keep entering at random intervals - usually when I update any device, but sometimes randomly when I buy stuff on App Store.

    Also I still need a Mac user password, which is a different password, of course.

    • latexr 20 hours ago
      > Also I still need a Mac user password, which is a different password, of course.

      Why “of course”? No one is stopping you from using the same password there. Also, you can optionally turn on the option to be able to reset your Mac’s password with your Apple Account password.

      • karel-3d 20 hours ago
        I mean that it's a different concept; a different thing. You can set it as the same thing but need to remember to keep it the same.

        (There is also an Apple Recovery password, but that's for encrypted recovery, a different thing, but that is very hidden and experimental.)

  • 0xbadcafebee 1 day ago
    If you need a new password manager to keep 2FA codes as well as passwords, Bitwarden is open source (AGPL-3.0/GPL-3.0), and you can self-host the server if you want. Only solution that won't eventually become crappified by a business that doesn't care about you.
  • hokkos 1 day ago
    I never ever succeeded in making a passkey log in after generating one.
  • joshstrange 21 hours ago
    I am skeptical of passkeys. Not of the technology itself exactly, but people’s implementation of it.

    Username/password is much easier to grok (for developers and users) and while it absolutely has downsides, as a user, I can fully protect myself with username/password (unique password per site).

    Passkeys might allow for fewer _user_ footguns but I worry there are more _developer_ footguns. Also as a “power user”, I don’t want to deal with passkeys when I’m trying to automate something or scrape my own data out of a website. It’s just another complication and I worry that anything edge-case-y (even approved methods) will break or have complications if you use passkeys (think app-specific-passwords when 2FA rolled out for gmail access).

    Because of this I consistently decline passkey usage until such a time that I feel it’s better understood by the people implementing it.

  • meindnoch 22 hours ago
    Microsoft continues its war against its own users.
  • ano-ther 22 hours ago
    It’s also annoying that MS requires a personal account for backing up the Authenticator data to iCloud to “provide an additional layer of encryption”.

    That description makes little sense, and at least they could honor my paid business subscription (and back it up to there if they don’t trust iCloud).

  • unethical_ban 1 day ago
    So what is the recovery mechanism for the passkey?

    And they don't expect me to have a different passkey per device, right? Otherwise I still need a password every time I login to a new device.

    And so I'll still need a password/passkey manager that stores that.

    • charcircuit 1 day ago
      >So what is the recovery mechanism for the passkey?

      Similar to a password, there isn't a way to recover it if you forget it.

      >And they don't expect me to have a different passkey per device, right?

      You can have it show a QR code that you can scan with your phone, using your phone as a passkey.

      • geocar 1 day ago
        > Similar to a password there isn't a way to recover it if you forget it.

        But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.

        > You can have it show a QR code that you can scan with phone, using your phone as a passkey.

        I can't keep my phone in my safe and still use my phone.

        • charcircuit 1 day ago
          >I can't keep my phone in my safe and still use my phone.

          Okay, so don't put it in a safe. The key is stored securely in your phone.

          • mrweasel 23 hours ago
            > The key is stored securely in your phone.

            No it's not, what if I drop my phone in the ocean. Sure in terms of encryption, secure storage and so on, it's securely stored. It's just not physically secured.

            That's what concerns people. What happens if I lose my devices? What happens if I need to access an account which has been secured by a passkey, but I don't have any of my other devices, what do I do then?

            • jeroenhd 22 hours ago
              You can't get the password from your safe when you're on the ocean and if your house burns down the little piece of paper will be ash the moment the flames reach the safe.

              If you lose access to your phone, click "forgot password" and recover your account through your email address, the same way you would if you'd forget the combination to your safe.

              • cycomanic 21 hours ago
                Except you can't log into your email because you don't have your passkey (which was on your phone).
              • mrweasel 20 hours ago
                A lot of people only have a phone these days. It's way more likely that they lose their phone than their home burns down.

                In Microsoft's case they want to use passkeys for Outlook.com as well, so their advice on using an email as recovery makes no sense. Then you can use security questions, which honestly are possibly worse than username and password. The last option is via a linked phone number, which security experts also advise against.

                My complaint about passkeys stands: without a non-digital way of backing them up, as easy as writing a password on a post-it and stuffing it in your sock drawer, I can't see it being anything but a major hassle.

                For some things, e.g. Github, Facebook and things of that nature, fine, go with passkeys. For your email account, maybe not.

              • unethical_ban 17 hours ago
                Disagree.

                I need an analogue way to get access to my accounts.

                If my phone gets crunched, I should be able to go to a secondary device or secure sheet of paper and restore full access to my password safe/accounts. Nothing should be tied to one piece of hardware.

                It's why I despise having to use proprietary TOTP like Symantec for banking. If my phone breaks, I have to go through a recovery process. If I could backup my TOTP with a normal app, it wouldn't be a problem.

          • geocar 12 hours ago
            > securely

            I do not think that word means what I think you think that word means.

          • pzo 23 hours ago
            Until someone pickpockets it - you need another phone as backup in your safe
  • jakub_g 1 day ago
    One thing unclear:

    While I understand they want to transparently replace passwords with passkeys for websites that support it, what happens with passwords for websites that don't support passkeys?

    Also, if someone sleeps over this, they will just lose their passwords to random websites and have to go through account recovery flows?

    • jeroenhd 22 hours ago
      If you install Edge, you can keep using the synced passwords. They're only disabling password autofill for their authenticator app, they're not throwing your passwords away.

      The app has been warning about this for a while now. This might catch someone off guard if they only use the app once a year for something bureaucratic, but I doubt a credential like that will be stored in Microsoft's authenticator app.

  • foobarbecue 1 day ago
    This will be delayed. Anyone want to bet me?
  • cwillu 1 day ago
    And more importantly (for them), it's much harder to share a passkey than it is to share a password.

    “Why GNU su does not support the `wheel' group

    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn’t know how to do that in Unix.)

    However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The “wheel group” feature would make this impossible, and thus cement the power of the rulers.

    I’m on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.”

    https://www.meisterplanet.com/journal/2004/05/09/richard-sta...

  • creatonez 21 hours ago
    Yes, Microsoft is the worst company ever.

    ...But this article headline is insanely misleading by not mentioning it's being migrated to Edge. To the point where I'd call it a smear crafted for maximum clickbait shock value. Nothing is being wiped, it's just being moved to a different app. Sure, there are good reasons to not like that app (it's the Internet Explorer sequel after all), but the story here is not as extreme as implied.

  • ars 1 day ago
    I don't have a fingerprint scanner on my computer, nor facial recognition.

    I do not want any kind of password that relies on my phone, because phones break and can get lost.

    So basically this forces me to change from a password to a PIN and this is supposed to be more secure?

    • jeroenhd 22 hours ago
      No, this will force you to either install Microsoft Edge on your phone or switch to one of the many other password managers that do offer autofill on iOS.

      If you weren't synchronising your passwords through the Microsoft authenticator app, you won't be affected at all. If you were, Microsoft has decided to be annoying and make you install their browser to get password autofill support back.

      Microsoft prefers synchronising passkeys between devices because passkeys are immune to credential stuffing attacks, but you don't have to do what Microsoft wants.

    • johnisgood 20 hours ago
      I use KeePassDX and it works quite well. I save the keyfile in a couple of places.

      Not sure what it has to do with Microsoft, however, but then again, I would never use Microsoft's Authenticator.

    • hulitu 22 hours ago
      > So basically this forces me to change from a password to a PIN and this is supposed to be more secure?

      Yes. I used an alphanumeric pin: my password. The main malware entry point is the web browser.

  • RataNova 1 day ago
    Killing autofill and saved passwords in Authenticator is a bold move, especially considering how many non-technical users rely on that feature without even knowing what a passkey is.
  • _carbyau_ 1 day ago
    I would have thought password management will be quite important for a long while yet. Is MS simply dodging the responsibility? Maybe so they can't be leaned on by government?
  • TiredOfLife 1 day ago
    They just moved the saved password functionality to their browser. Just like Mozilla did.
    • hulitu 21 hours ago
      > They just moved the saved password functionality to their browser. Just like Mozilla did.

      Wonderful. The Remote Code Executor now takes care of your pass.... too. What can go wrong ?

      If there is one thing browsers are recognized for, it is their security record. /s

  • ReptileMan 20 hours ago
    Microsoft authenticator is such a travesty. Proprietary 2FA, no standards, can't export the seed.
  • xp84 1 day ago
    This is missing an important piece of information. If I open Authenticator on iOS I see this message front and center:

    > Autofill via Authenticator ends in July 2025 You can export your saved info (passwords only) from Authenticator until Autofill ends. Access your passwords and addresses via Microsoft Edge at any time. To keep autofilling your info, turn on Edge or other provider. (Learn more)

    Not sure about the full Android feature set, but MS is moving their iOS autofill provider to the Edge app, which doesn’t mean I have to use Edge to browse, just changes which app hosts the passwords. I can still fill them using the native mechanism for any password manager to provide passwords to any password field.

    Microsoft is not forcing anybody to adopt passkeys as far as I can tell. Although overall people should because passwords are quite frankly a broken idea. Almost as broken as the idiotic janky “we just emailed/texted you a code” bullshit that most sites do now instead of TOTP.

    • TiredOfLife 23 hours ago
      Same with Mozilla; they also moved passwords to Firefox from the standalone app.

      The reason for the missing information is that this is blogspam, an older version of AI slop.

  • burnt-resistor 9 hours ago
    Who trusts Microsoft with their passwords, seriously?

    And passkeys are even worse because they're user hostile, dev hostile, and stuck in a walled-garden.

    Passwords and 2FA (TOTP or passkeys or something else, with a recovery code mechanism), not just passkeys, or GTFO.

  • hsbauauvhabzb 1 day ago
    I do not support - under any conditions - an application which DESTROYS existing secrets.

    You can stop supporting new ones, but as soon as you destroy old ones YOU are a vulnerability, Microsoft.

    How can I ever trust you to not delete secrets in future?

  • bob_theslob646 1 day ago
    > July 2025: You won't be able to use the autofill password function.

    > August 2025: You'll no longer be able to use saved passwords

    There has to be some sort of cost-benefit analysis for this as this will certainly piss a ton of people off, especially the tech illiterate. Maybe passkeys are extremely simple but saved passwords being disallowed is a huge pain point.

    • xp84 1 day ago
      Nobody tech illiterate was using MS Authenticator as their default autofill provider as it’s not the default autofill mechanism on iOS or Android.

      The passwords have always been stored in your Microsoft account. Anyone who has their passwords there can just install Edge on their device and enable it as the autofill provider (no, that doesn’t require you to browse with Edge, just to log into it). This whole article is silly, as there is zero change to your ability to save passwords in your MS account or to autofill them on mobile.

  • theginger 1 day ago
    Is this anything to do with them taking passwords without consent? I rarely use windows, and when I do one of the first things I do is switch from edge to chrome. I think I set up edge and used it once to see what it was actually like, but I was pretty careful about the data syncing / sharing settings. I have the Microsoft authenticator app on my phone, I was pretty careful about the privacy settings on that too, but it's been through a couple of phone upgrades. Somehow all of my passwords were making their way into Microsoft authenticator, so I must have missed something somewhere. I can only imagine how many millions of people must have had their passwords unintentionally slurped by Microsoft if they have been that aggressive with it.