What do you think of passkey password managers?

Hi everyone,

I’d like to know what you think of passkey password managers?

I have 2 Yubikey keys that I use mainly as backup access to my Bitwarden account in case I lose my phone and my Aegis authentication application (file stored on drive).

I’d like to know if it makes sense to create passkeys in Bitwarden or to continue authenticating with Aegis and keep my physical keys in case I lose this solution?

Thanks in advance.

Translated with DeepL.com (free version)

Passkeys should be avoided until there is a FOSS implementation for them.

7 Likes

Hang on, I thought passkeys were just the implementation of a known FIDO2 standard? Was something recently discovered that seems off or suspicious?

@HauntSanctuary
the standard is open, and microG has a partial reimplementation

but right now the only browsers on Android where you can use regular security keys or passkeys are official Chrome or Firefox, with official Google Play Services on the system too

whereas TOTP just works regardless and on desktop U2F/FIDO/etc doesn’t require anything special

6 Likes

It sounds like a browser implementation issue rather than passkey itself?

Would that be a fair statement?

It sounds like passkey is ok for just desktop use but not for mobile and that sort of ruins the point of interoperability.

3 Likes

I thought the newest AOSP version included passkey support through the credential manager API. Isn’t that the case?

1 Like

So if I understand mobile, it’s no, but on the computer, it’s okay?
I was mainly asking the question for computer use.

I’d say if passkeys are compatible with the password manager and browsers you’re currently using already, go ahead and use them. I wouldn’t switch to proprietary or otherwise less desirable browsers or password managers just to take advantage of them.

Passkeys are going to provide additional security features (e.g. phishing protection) over TOTP, but of course so will the physical keys you already have, and any MFA is better than nothing.

5 Likes

Currently, you can’t use a passkey to access Bitwarden, but you can store passkeys into BW and use them on some, but not all, platforms.

For people who use security keys to access BW, they usually use this as the primary 2FA because it is unphishable. Unless you need access on some platforms that don’t support any of your keys, TOTP 2FA should be treated the same as your 2FA recovery code: if you are prompted to use it, you should be very suspicious that you might be getting phished, so some people would just drop this method of 2FA and rely on the 2FA recovery code as a backup.

As far as storing passkeys into BW is concerned, I think they are working out issues of how to work with the browsers’/OSes’ implementations, and the stored passkeys’ accessibility on mobiles appears to be questionable / not possible on some. There is no compelling reason to store passkeys in password managers unless they make it available for the different platforms you use. Meanwhile, you may be able to safely use your WebAuthn FIDO2 keys as the passkey storage device, which are cross-platform already. The only “drawback” (really an advantage in some situations) is your device-bound passkeys aren’t backed up, whereas your PWM’s passkeys are synced across platforms, including the cloud, although you can’t make your own exported backups.

Also, meanwhile, at least Microsoft appears to be changing how they intercept passkey registration/authentication requests, which might break PWM’s implementations, so you may also suddenly find the passkeys stored in PWM temporarily useless.

I personally would recommend that people with FIDO2 keys just stick with using the keys for passkey storage for a while, unless you want to experiment with this. 25 passkeys (for Yubikey) per device isn’t currently bad because of the low number of websites supporting it. Wait until the dust settles.

I’m confused, I thought the point of a passkey was that it was directly linked to your physical hardware. Doesn’t keeping one in your password manager kind of turn it into another password? Or am I way off here?

1 Like
2 Likes

Awesome! Thanks for the link.

1 Like

Security keys also work on GrapheneOS with Sandboxed Play Services on Vanadium and some other apps like Bitwarden.

1 Like

Storing passkeys in a password manager sounds just as bad as storing 2FA codes in them.

If we’re going to store passkeys in our cloud-based password manager that has the ability to bypass 2FA, why even bother separating our TOTP codes in a TOTP app on a separate device?

Indeed, why bother separating 2FA codes from the password manager! I save the 2FA next to the password. It’s so much faster and less frustrating when you can autofill the 2FA.

Not all accounts are created equal. Some are more important than others.
Not sure if 2FA is available in this Privacy Guides forum, but if it was, I would save it in the password manager. I would do the same for passkeys for this website.
Passkey registration across devices would absolutely be a pain when you need to handle 50 accounts. I would save most of them in the password manager. Only the most critical accounts with passkeys would be saved manually to my devices.

Hello. I create passkeys with the Brave browser and I am not sure where they are stored. Are they stored in Google Passwords or maybe on the device itself? What happens if the device is lost/stolen/wiped? I have met some services where you won’t be able to log in if the passkey is lost, so you have to enable 2FA for an alternative login method.

Depends on which password manager you use. Do you use Brave’s password manager or just react to a popup from another PW manager?

Then you hopefully have synced them either to the cloud or some other device. Use device encryption and lock the device before you leave it, to make sure no-one can extract them from your device.

That seems to be Google Passwords. Other browsers (Firefox for example) are also able to use the same passkeys to log in to sites. So passkeys are not stored in Brave. I’m just not sure if it’s Google Passwords or something different. Maybe the question is irrelevant at all and passkeys are specific to the device, not the account, so syncing passkeys is pointless and losing the device means you need to log in to create a new passkey for the new device.

So passkeys cannot replace passwords, they just make the login process simpler?

Yet where is the list of stored passkeys on device?

You are now specifically referring to Android. And I deem the pros of using it much higher than the cons. So politely disagreeing here.