If all the passkeys are stored on a device, would a compromised device not be a single point of failure, similar to a password manager?
Yes. The point I think I didn't get across that well is you need a password manager anyway and passwords add a lot of attack surface on top of that.
Passkey does to a degree protect people from phishing, as long as they try their best not to be lazy and type a password instead.
Passwords being a fallback reduces the effectiveness of passkeys by 2/3, because not only might people think a phishing site is legit and type their credentials, the credentials can also leak through data breaches.
This is why I really like KeepassXC because I can lock that database with another password like biometric or hardware key (possibly one I store subdermally ).
If I were to use Bitwarden for passkeys (I think they support it now) and sync it across devices, is there any benefit compared to randomly generated passwords + TOTP?
Yes, passkeys are phishing-resistant; you can't be tricked into using them on a phishing site like with a password + TOTP. Websites also don't store your passkey in the same way they store hashed passwords, so there is no risk of their database being hacked and your hashed passwords being cracked.
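To make the two claims above concrete, here is an added example (not code from the article or from any password manager) of the relying-party checks a site runs on a WebAuthn assertion before it even touches the stored public key. The RP ID, origin, challenge and counter values are constructed for illustration; the final ECDSA signature check against the stored public key is left to a crypto library and not shown.

```python
import base64, hashlib, json, struct

# Constructed sample values for this example (not a real deployment).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# All the server persists per credential: a public key and a counter. A
# database leak exposes nothing that can be "cracked" or replayed.
STORED_CREDENTIAL = {"public_key": b"<COSE public key bytes>", "sign_count": 5}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_authenticator_data(rp_id: str, sign_count: int, up=True, uv=True) -> bytes:
    """Build the 37-byte authenticatorData: rpIdHash || flags || signCount."""
    flags = (0x01 if up else 0) | (0x04 if uv else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """The clientDataJSON the *browser* (not the page) fills in with its own origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: bytes, stored_sign_count: int) -> bytes:
    """Run the relying-party checks that precede signature verification.
    Returns the exact bytes the authenticator signed (authData || SHA-256(clientDataJSON)),
    which the caller then verifies against STORED_CREDENTIAL["public_key"]."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("not an assertion")
    if cd.get("challenge") != b64url(expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed response")
    # The browser reports its real origin, so a lookalike site cannot claim ours.
    if cd.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    # The authenticator scoped the credential to the RP ID it saw at creation.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not auth_data[32] & 0x01:
        raise ValueError("user presence flag not set")
    count = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that fails to increase suggests a cloned authenticator.
    if (count or stored_sign_count) and count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return auth_data + hashlib.sha256(client_data_json).digest()

if __name__ == "__main__":
    challenge = b"constructed-challenge-123"
    ok = check_assertion(make_client_data(EXPECTED_ORIGIN, challenge),
                         make_authenticator_data(RP_ID, 6), challenge, STORED_CREDENTIAL["sign_count"])
    print("legit assertion passed structural checks, signed bytes:", len(ok))
```

In practice the browser refuses to use a credential whose RP ID does not match the page's domain, so the checks above are defence in depth on the server side; the phishing resistance comes from that scoping rather than from anything the user has to notice.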
Wow, what a fascinating article. Thank you to whomever wrote it! I love taking a look at technology from a wider historical perspective.
Glad you liked it!
Flip side: there are a lot of scenarios - particularly in business - where you are managing other people's credentials. How do you use their credentials without syncing their entire passkey store to your device? If passwords ever go away, this is a concerning situation to be in.
You can share passkeys just like passwords inside the password manager. You can also have multiple passkeys per account so if they want to add their own passkey they can.
This is a great history of passwords and how we arrived at where we are. As written by one of the authors of the passkey standard, this is still true. We are still in "The Enshittocene Period". My solokey continues to work fine and is hardware and operating system independent. This is as FIDO2/"webauthn" as I get. I have no Google, Microsoft, nor Apple accounts. I barely use a mobile phone.
Every service I use still requires a username, password, and now my 2FA solokey. I'll use passkeys when I can manage them like I manage my ssh keys and my own certificate authority. No service I use asks for a passkey nor to generate one.
In theory, I could use (from the FIDO Passkey standard): "Device-bound passkey*: bound to and used only on a single device (a security key)", but I haven't found anything that works like this on the command line (maybe skey OpenBSD).
I'm open to suggestions for FreeBSD or OpenBSD.
That's good. I know this is possible with at least Bitwarden, but I don't think you can do it with Apple's iCloud keychain and probably other passkey implementations? I know iCloud keychain is firmly locked to Apple devices, for example.
I also have some concerns about compatibility. Will passkeys work on Linux? On Firefox? Probably not Ladybird, yet…
Do they need OS-level support?
Every time I see a pop-up asking me to start using passkeys, I worry, "am I going to be able to sign in again if I say yes…?" They seem like a similar trap to "Sign-in with Google". Only using Bitwarden to store passkeys seems like the safest way.
I understand passkeys as an analogue to SSH keys. But they seem really complicated and I have so many questions and concerns about them. I've tried to read the docs, but I just kept getting more confused.
In the Apple Passwords app you can share passkeys. You can also AirDrop them to other people. Right now they're working on the Credential Exchange Protocol to let you securely export passkeys and passwords between password managers, so there shouldn't be any issues once that's implemented.
Yes they work on Firefox and Linux.
Emmm, if passkeys are synced across devices, doesn't it have the same pitfall as all password managers? A single repository of all passkeys stored on every device. (Yeah, I know it's E2EE, but passwords in password managers are also E2EE.) It's still a single point of failure.
Yes, my point that I didn't get across so well in the article is that you need a password manager anyway in order to have secure passwords, and passkeys solve most of the issues with passwords. So it's better to use passkeys than passwords overall.
Thanks. This is an awesome article even for the non-technical.
Thanks!
That's a nice write-up! I always thought one of the origins was from a guard bellowing "What's the word to pass!" from a medieval tower.
Am looking forward to a time when I can use passkeys but I see three hurdles.
- Low adoption rate with no incentive to adopt by most of the sites I use.
- Inconsistent implementations are the norm. Every site that supports passkeys handles them differently. Even the older FIDO1 security keys aren't implemented in a standardized fashion, with major sites like Paypal only allowing 1 of them per account.
- Passkeys are only as strong as the weakest 2FA the site supports, and this too often means they also require Email or SMS text as backup.