Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it’s collective head out of its collective ass (not going to hold my breath on that one), it’ll be passwords+2FA for me.
It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like “no custom ROMs or bootloader unlocking” on Android at the same time.
What’s wrong with passkeys? I’m in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I think you’re describing SMS passcode, totp or other such factors.
Passcode doesn’t require phone necessarily, but you can use it too
A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.
BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
Doesn’t the 2FA protect users still, if they only got the password?
In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?
Yes, extra security for your personal information is so irritating.
Security for who exactly?
If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.
I don’t like how there isn’t a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.
The syncing of keys allows for much greater attack surface.
Its being worked on right now but the standard hasn’t been finalized yet.
Until exporting and syncing keys is properly implemented, passkeys can go kick rocks.
I mean I’m just using my yubikey for the keys, it’s traveling in my pocket everywhere and use it on any platform
Bitwarden syncs passkeys.
Until sites start disallowing youbikeys because it doesn’t make it impossible for you to backup your keys…
What is planned to happen.
Shouldn’t you still need 2fa, and use the passkey as the second auth?
The passkey is still protected with another factor, such as pin code or biometrics
Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I’ll touch the yubikey to confirm I’m in physical access to it, and only then it allows the authentication
In practice this takes about 2 seconds
I briefly looked into passkeys a while ago, but I think I remember really disliking them because they just seemed like another excuse for companies to lock you in.
Has this changed? With Bitwarden + passwords, I can change to any platform, any device, at any time, and instantly get all my creds moved over securely.
I don’t want to be in a situation where I’m locked into using Android, Chrome, iOS, or whatever because I can’t move my creds.
Bitwarden has passkey support! Syncs too!
Yeah I don’t think it’s the only password manager that allows PassKeys either. Plus, they’re more secure by design; the website never has to store anything that can be reversed to allow access. Bitwarden even lets you store multiple passkeys per site.
I do hate how it’s promoted as “locked to your device” though but i imagine that’s because (unfortunately) password managers aren’t used by a majority of users.
Hm, ok. Maybe it’s time to take another look.
Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.
I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.
I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.
I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.
Edit: I just wanted to add that people like you and I who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.
Bitwarden: “I’m literally right here”
Bitwarden+Firefox+Android. That combo doesn’t support passkey creation.
Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says “I don’t give a fuck if you know your passwords I’m never letting you log into your account get fucked, don’t call I won’t answer”
Why would I want security based on a device? What security this offers greater than a 64 chars password + 2FA?
Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.
Amazon fucking insisting every damn time I log in.
