Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.
I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.
I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.
Edit: I just wanted to add that people like you and I who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.
Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says “I don’t give a fuck if you know your passwords I’m never letting you log into your account get fucked, don’t call I won’t answer”
Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.
Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.
I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.
Bitwarden: “I’m literally right here”
Bitwarden+Firefox+Android. That combo doesn’t support passkey creation.
I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.
Edit: I just wanted to add that people like you and I who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.
Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says “I don’t give a fuck if you know your passwords I’m never letting you log into your account get fucked, don’t call I won’t answer”
Why would I want security based on a device? What security this offers greater than a 64 chars password + 2FA?
Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.