Passkeys have been introduced by Apple and increasingly by Google and other services. Some supporters of passkeys argue that they are a more secure way to replace passwords altogether.
On the other hand, there are those who complain about the current design and UX of passkeys, and there are those who still strongly support the password option.
I find passkeys to be more secure than passwords, at least in some aspects, but I also find passwords easier to deal with. I am curious how it is viewed in this community that is so passionate about privacy.
Will passkeys completely replace the use of passwords on the web in the future, or will the password option also remain persistent?
If passkeys cannot replace passwords, what are passkeys missing?
Passkeys are both more secure and more convenient. They should ideally replace passwords one day but the way they’re being implemented now isn’t great, because most sites don’t let you delete your password.
I agree with the security part, but only so-so on the convenience part though…
NOT AT ALL! It’d be a complete disaster security-wise, if nothing else. Passwords and passkeys will coexist in the way that users will have a choice. What will change is that passkeys will become the major way of protecting our accounts.
That’s a good question.
What I find most irritating when dealing with passkeys is the lack of the ability to rotate them. Meanwhile, it’s trivial to bulk-rotate passwords (for example in a multi-user server environment).
From my understanding, good passwords are better than passkeys. Passkeys are for users who will never bother to use a password manager and have an individual strong password per website/app/software user.
No, passkeys are still better. They’re based on public key cryptography, so they don’t rely on the service provider to securely store them, basically eliminating the data breach issues that passwords have. They don’t rely on the user coming up with their own password and remembering it, or on janky password manager autofill and password generators. They can’t be phished: even if your password is excellent, if you go to discuss.pr1vacyguides.org and put in your password, you’ve been phished. With passkeys that won’t work at all.
Deleting passkeys is possible, of course, but there is still no good, well-designed UI to manage bulk actions with passkeys. If you have multiple passkeys and want to delete them, you have to go one by one.
Why not give admins this option?
All I want to say is that passkeys are still a WIP and shouldn’t be used as the only solution available, but rather as a backup way of logging in, at least until they reach product maturity.
Especially for mobile and such, they’ll remain for a while. The alternative, I think, is going to be security keys, where you use your phone or password manager to authorize accounts, or QR codes (maybe).
Probably not. My passkey for my Google account just never saved in my password manager, and I lost it… leading me to have to reset it. Luckily I had TOTP, so it wasn’t that hard to remove… But still… not a great first experience with passkeys.
I think that a motto such as “Passkeys will replace passwords” is a hyperbole that is common in transitional periods when new standards are added.
Passwords and passkeys are different authentication schemes, and each has its own strengths and weaknesses. Passwords are inherently problematic as knowledge-based authentication and passkeys are inherently problematic as possession-based authentication. They are not in conflict, nor is one absolutely superior to the other, and the choice should depend on the individual’s envisioned use case and threat model.
Most people have no problem replacing passwords with passkeys. So the motto that passkeys make passwords obsolete is widely accepted. However, there are some people who still find themselves in situations where using a password gives them an advantage in terms of security and privacy. As long as they need them, passwords will remain. Perhaps passwords will not disappear in my lifetime.
I hope not. It’s fine as optional 2FA, but passwords are fine. A passkey is yet another device that needs to be bought, has to be carried around, and could be lost, stolen, or break.
Maybe a middle ground could be reached where similar functionality (e.g. to prevent phishing) could be implemented by the OS or the browser itself? Browsers already have built-in password managers; I don’t see how/why this wouldn’t be possible if there is interest.
Sure, I meant something that is available to the end user… Unless there are software-only implementations available currently? If so, do you have a client that you recommend?
Eh, I don’t know about that. It may be true for the most part, but it depends on one’s setup.
You can, though. You can scan a QR code or sync them with your password manager. If you were following decent password practices then you’d be using a password manager anyway, and your password would be long and random, so it would be even less convenient to log in a lot of the time with traditional passwords than with passkeys.
I just tested Bitwarden and Proton Pass passkeys:
I registered a test account with passkeys (there are no passwords) on https://www.passkeys.io/ successfully with Bitwarden and Proton Pass. Both now have the test accounts with passkeys in their vaults.
On my Android 14 device, I installed both apps and could sign in successfully with passkeys in both apps. In each test, the app was set as the “preferred app” for autofill and passkeys.
However, on my old Android 10 device, I selected the option “Use a different device” > “Use a different phone or tablet” > a QR code appeared > I scanned the QR code with my Android 14 device > it then just got stuck at “Connecting with your devices”, with no progress being made, and finally it stopped at the screen “Devices couldn’t connect”.
I tried many times, even paired both devices via Bluetooth > no success.
I searched the internet about the issue, and I found a somewhat similar thread (they say the Android phone times out on “Connecting with your device” and then says “Devices couldn’t connect”):
Please read again. I don’t set the passkey on my Android 10 device. I set my passkey on my Android 14 device.
I was trying to sign in to the website on my Android 10 device via the option “Use a different device” > “Use a different phone or tablet”. That’s when I use my Android 14 device, which has Bitwarden/Proton Pass set as the third-party passkey provider, to authenticate that sign-in.
And this is also just a test. Please don’t jump into the aspect of security support here. I’m just trying to sign in on a different device; it could be Android 13, which is still in security support but has no third-party passkey support.