Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely make this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It’s so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.
It’s even sinpler than email 2fa or sms 2fa or vendor app 2fa.
For authenticator app you also can’t easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.
I always thought of passkeys as a convenient way to authenticate.
I am password-less on multiple services.
I have an authentication app on my phone that authenticate me when I am away of my computers. I have passkeys on my personal computer and another set of passkeys on my work laptop.
If I have to authenticate from your computer I simply use my auth app, click on “it’s a public computer” and I am good to go.
The dude discovered a butter knife and he tries to replace his spoon with it just to realize it doesn’t work well for eating a soup.
His “just use email” like that isn’t very obviously worse in every respect kind of undermines his whole premise.
The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
QR codes are good 50% of the time; when you’re trying to log in on a pc.
The reverse case is extremely annoyingCould you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.
I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?
I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…
Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.
Why not just passkeys with a “magic link” fallback though?
This is the same as forgotten password so ytf not
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your “movable” keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.
I remain hopeful. Initially, when Keypass wanted to include a simple export option there was talk of banning them from using Passkeys.
For me, I’d prefer that everyone just adds biometric authentication techniques. A couple websites do this already and it’s great. Many devices have biometrics built in already and if this was widespread I’d certainly have no problem buying a fingerprint reader for my desktop computer.
That’s literally a passkey.