Passkey technology is elegant, but it’s most definitely not usable security

Great writeup and agreed on all points.

I'm guessing having passwords as a fallback will exist for a while, as this is still a new tech. It'll take time.

I'm also surprised at the sheer number of sites that only have SMS as a 2FA, not offering TOTP at all.

But yes, the vendor tie-in thing I noticed as well. The first time I used a passkey, I let the browser save it. Big mistake. When I noticed Bitwarden offer to save passkeys, that was it for me; let the cross-platform manager take over. But what are regular users going to do?
 
Upvote
169 (173 / -4)

Voo42

Ars Praefectus
3,680
Subscriptor
The biggest issue that still doesn't get enough mention is the vendor lock-in (clearly a feature for the big companies involved in the design).

Say you've been using 1Password for years and have hundreds of passkeys saved.

Currently, as far as I can see, there's no easy, practical way to transfer all of those keys batch-wise to a different password manager or completely different system.

This for me is a complete deal breaker because I refuse to chain myself to a single corporation.

The fact that it also seems impossible to provide an open source implementation that you can self-host and that will be accepted everywhere comes a close second (and again clearly to the benefit of the large companies designing the spec).

Passwords have a whole lot of issues, but at least it's trivial to have an offline backup that I can use on any device without prerequisites.
 
Upvote
329 (341 / -12)

tompagenet

Seniorius Lurkius
12
I’m a pretty competent computer user who knows generally what I’m doing, but passkeys have never been explained well. When you wrote the article a couple of years ago saying we should all plough in I couldn’t understand how my phone was supposed to know what I’d set up on my laptop. It seems the answer is "it doesn’t and it’s all a total mess". I’ve set up a couple of passkeys and then had to fall back when device X suddenly becomes confused because I made the passkey on device Y. They are hopeless as a technology for even remotely normal people right now unless they literally only use one device.
 
Upvote
409 (412 / -3)

solomonrex

Ars Legatus Legionis
13,516
Subscriptor++
Thanks for the article. Could you please explain what BLE is?

typo
Bluetooth Low Energy, so that scenario is simply holding two devices near each other. Apple does this with their earbuds.

Oddly, for device setup/transfer they still do a psychedelic test pattern with a picture taken by the other device, I would suppose for security purposes.
 
Upvote
69 (70 / -1)

bobbed

Wise, Aged Ars Veteran
108
Subscriptor++
Another happy 1Password passkey user, also completely agree it's a mess.

Microsoft accounts are particularly nasty with this, happy to let you set up a 1Password passkey but won't let you log in with it for some reason.

Biggest annoyance with 1Pass is you can't use it when first setting up a new device. Can't log into my Google account on my new Android until I have 1Password installed, can't have 1Password installed until I'm logged in with my Google account.

Edited for typos.
 
Upvote
105 (106 / -1)

vanburen

Seniorius Lurkius
17
I like U2F 2nd factor keys far more than passkeys.

It is fairly easy to understand, even for non-technical users: a physical key plus username and password are needed to log in, and they don't need a password manager.

I just feel passkeys are an optimization too far and will end up confusing a lot of people and leading to a lot of account lockouts.
 
Upvote
74 (83 / -9)
My way of dealing with a lot of this thus far has been to have multiple passkeys for each given site, one for each device I want to log in from. Thus, Windows Hello is used on Windows where possible, Google has its own key for my phone, iPad has its own key, and my YubiKey (usually my primary auth solution) has one.

It's a bit of a nuisance, but it's vastly more sane than trying to manage passkey sync; as the article notes, there are definite massive headaches for anyone trying to go down that particular route. Especially if you're in more than one ecosystem.
 
Upvote
79 (83 / -4)

analogline

Smack-Fu Master, in training
63
The requirement for a fallback is going to be a problem for wide adoption for any serious computer security forever. If you lose access to (either by mistake or bad luck) the keys to your car, or your house, or your business, are you willing for your car, house, or business, and everything in it, to be effectively gone forever? Of course not. If you lose your keys you can get the locks changed.

That’s what we’re asking people to be willing to accept for their various online accounts in order to get serious security without insecure fallback. And many of these accounts are becoming almost as important to our lives as our houses, with personal photos, important documents, access to life-sustaining services, among other things. For organizations and people with the resources and/or ability to plan and set up systems to minimize that risk of total loss, passkeys with no password fallback are great and necessary.

For the rest of us that are just living our lives and can’t afford to lose our iCloud, Google, or whatever account forever if we make a mistake, or just have very bad luck, a password manager that supports passkeys is actually the correct security regime. It minimizes the risk of catastrophic loss from enemy action, while simultaneously minimizing the risk of catastrophic loss from human error. It’s the Pareto optimal default, if you ask me, and I have yet to find a convincing argument otherwise.
 
Upvote
166 (169 / -3)
So... We've fallen into the same kind of trap with passkeys that we did with SSL certificates. A system that's fundamentally simple but is made opaque and confusing due to differing approaches to management and implementation on different platforms.

Passkeys themselves aren't hard to understand. The difficulty arrives when software attempts to be "user-friendly" and hides too much from the end-user, or presents the system in a way that appears different from other common, competing implementations of the same tech. The technology itself isn't the problem. It's the inconsistencies in interfaces and UI design factors that make it harder to use than it has to be. We'll have them as a very good tool in the kit, but adoption will be slow and irregular because the learning curve is artificially steep and convenience is inadvertently negated.

There's probably an XKCD that fits this perfectly, but unfortunately, I have to get busy with work in a few minutes which prevents me from hunting for it...
 
Upvote
85 (93 / -8)
I've skimmed quite a few of these articles and each time I come away feeling that I don't understand passkeys enough to want to use them. My main issue is that I don't understand what it is I must keep in order to keep access to my account (or to put another way, what it is I must not lose).
I agree completely, as I had the same worries initially. This article does briefly cover this, however: Passkeys don’t (yet) replace passwords, but exist as an additional option.

So if you do create a Passkey for something, you still retain the option of logging in the same way you did previously even if you lose the Passkey.

Separately, when discussing a future with Passkeys alone, you can also have multiple distinct Passkeys for any given account (unlike passwords, where there is one unique and distinct password, even if saved in multiple places); so long as you don’t lose all of the Passkeys, any one of them can be used to access your account.

I have Passkeys saved with a password manager synced to multiple devices, plus separate Passkeys synced with iCloud also available from multiple devices, also separate Passkeys saved with Google accessible from multiple devices. Every account I create a Passkey for, I actually create 3 Passkeys for - one for each Passkey syncing service. So long as I don’t lose access to all my devices, any one device can access the Passkeys using any one of those 3 services, ensuring I’m never locked out.
 
Upvote
22 (36 / -14)

skippy10110

Wise, Aged Ars Veteran
113
Subscriptor
Biggest annoyance with 1Pass is you can't use it when first setting up a new device. Can't log into my Google account on my new Android until I have 1Password installed, can't have 1Password installed until I'm logged in with my Google account.

This is a massive annoyance with setting up a fresh Android device when your old one is dead. This has bitten me on password managers and authenticator apps. I'm not sure what the solution is... some kind of whitelist of apps you can install before being logged into your Google account..?
 
Upvote
59 (59 / 0)

Voo42

Ars Praefectus
3,680
Subscriptor
I have Passkeys saved with a password manager synced to multiple devices, plus separate Passkeys synced with iCloud also available from multiple devices, also separate Passkeys saved with Google accessible from multiple devices. Every account I create a Passkey for, I actually create 3 Passkeys for - one for each Passkey syncing service. So long as I don’t lose access to all my devices, any one device can access the Passkeys using any one of those 3 services, ensuring I’m never locked out.
That sounds awful and trying to make that system work for my 70 year old parents seems nigh impossible.

And not to forget: You now better always lug at least two devices with you whenever you travel and God forbid something happens to both of them.
 
Upvote
127 (133 / -6)

itxpressnc

Seniorius Lurkius
38
Subscriptor
Excellent article highlighting the issues. 1Password makes it semi smooth, but Windows Hello is still going to pop up a lot. I find that I'm splitting the difference, with some things logging in on Windows Hello and others via 1Password. Not great, but it provides the least friction.

But the site implementation has been horrific. PayPal is a prime example. I have so keys there, but it rarely asks for them. The Yubikey seems to get prompted for the most. The key in 1Password, never. Other sites want you to click the Passkey button. Some, the support is half baked. With one vendor it took months before they supported most methods we tested (Win Hello, Yubikey, 1Password, etc.). Titan still fails during the registration confirmation.

I truly believe Passkeys are the future, but right now it's chaos.
 
Upvote
32 (35 / -3)
The biggest issue that still doesn't get enough mention is the vendor lock-in (clearly a feature for the big companies involved in the design).

Say you've been using 1Password for years and have hundreds of passkeys saved.

Currently, as far as I can see, there's no easy, practical way to transfer all of those keys batch-wise to a different password manager or completely different system.

This for me is a complete deal breaker because I refuse to chain myself to a single corporation.

The fact that it also seems impossible to provide an open source implementation that you can self-host and that will be accepted everywhere comes a close second (and again clearly to the benefit of the large companies designing the spec).

Passwords have a whole lot of issues, but at least it's trivial to have an offline backup that I can use on any device without prerequisites.
Being worked on. https://fidoalliance.org/fido-allia...ote-user-choice-and-enhanced-ux-for-passkeys/
 
Upvote
39 (43 / -4)
Passkeys are a pain sometimes. I can't get my older tablet to recognize my fingerprints and at night a face scan. So back to passwords. I also have as my main system a big Windows PC with no ability to scan a face or finger (I guess I should add a device), so again passwords for me. I use Bitwarden keeper. In the end I prefer a 2FA with an app like Auth to get authorization.

An aside about Bitwarden. I would like to "refresh" my master key but it is really hard with their info to see if I'm going to lose all my keys. I would not think so but...
 
Upvote
16 (21 / -5)

SisaIsMyCat

Smack-Fu Master, in training
11
Keep trying Tech companies. You might eventually accidentally come up with a good system. But I think the random monkeys have a better shot.
Fix't! Seriously, though, this is definitely devolving into a scrambled mess. And not the delicious kind of scramble you can get at a 50s themed diner. I think I have a passkey for 1 account, maybe 2. They haven't been offered very often as various accounts have been created in the last couple of years.
 
Upvote
16 (19 / -3)
The biggest issue that still doesn't get enough mention is the vendor lock-in (clearly a feature for the big companies involved in the design).

Say you've been using 1Password for years and have hundreds of passkeys saved.

Currently, as far as I can see, there's no easy, practical way to transfer all of those keys batch-wise to a different password manager or completely different system.

This for me is a complete deal breaker because I refuse to chain myself to a single corporation.

The fact that it also seems impossible to provide an open source implementation that you can self-host and that will be accepted everywhere comes a close second (and again clearly to the benefit of the large companies designing the spec).

Passwords have a whole lot of issues, but at least it's trivial to have an offline backup that I can use on any device without prerequisites.
See: Credential Exchange Protocol
https://bitwarden.com/blog/security-vendors-join-forces-to-make-passkeys-more-portable-for-everyone/
 
Upvote
19 (21 / -2)
As an iOS/Windows/macOS user I agree that passkeys aren’t well understood or explained. However, in practice they work really well. When “scanning” a passkey QR code, iOS dutifully pops up a dialog to scan your face (or finger) and authenticates seamlessly. If you have more than one password manager it’ll ask which one to use first. Windows asks for your PIN (or face scan) to be input.

I will say that its backend is much more messy if you care about that type of thing; I don’t, and haven’t had an issue with it causing a conflict.

Since passwords are being required to be longer and longer year after year, they’re fantastic for a balance of strength and usability.
 
Upvote
-4 (20 / -24)
That sounds awful and trying to make that system work for my 70 year old parents seems nigh impossible.

And not to forget: You now better always lug at least two devices with you whenever you travel and God forbid something happens to both of them.
I don’t expect most people to use 3 different syncing services, but mostly used that to illustrate how Passkeys work.

For most people they’ll save their Passkey to iCloud or Google, and that’s that. All their passkeys are available from all their devices, and so long as they don’t lose access to all their devices or their Google/Apple accounts, they’re okay.

This could definitely be a problem if they only use one device, because that’s a single point of failure. Likewise it’s a single point of failure if they’re ever locked out of their Apple/Google accounts for some reason.

But a lot of ordinary people have at least a phone & something else (laptop, tablet, even their old phone), and they’d be perfectly okay with Passkeys. No need to travel with all devices, all the time, any one of them has full access to all Passkeys. Indeed it’s better if at least one is left behind, so there’s no risk of losing all their devices at once. Not travelling with all their devices is probably what most people would do by default anyway.

Setting them up is definitely more confusing than it’s worth right now, especially cross-platform as the article describes, but Passkeys themselves are excellent. For what it’s worth, once I set them up (where available) for my ~65 year old parents, they’ve worked seamlessly, and I’ve not had to play tech-support recovering forgotten passwords once.
 
Last edited:
Upvote
-8 (25 / -33)

Charles Hunter

Smack-Fu Master, in training
69
Certainly a refreshing change from the earlier article which was a bit too gung-ho for my taste.

For me, controlled synching is something I am yet to find in any password manager. By controlled I mean that if I create a credential (password, passkey, whatever) on device A, that credential is stored in the password manager's cloud as a backup but is never synchronised onto devices B, C and D etc unless and until I actually authorise it. Per credential. Case by case.

Basically, if I make a decision that I will always do banking at home on a desktop and never on my phone or tablet, I don't want the farnarkling password manager undermining my decision by making my banking credentials available to a thief if my phone is stolen and cracked.

There's no risk if a credential was never on the stolen device in the first place. I want my phone to have the bare minimum, rather than the complete set of keys to the kingdom, yet every password manager I've ever looked at doesn't seem to offer such a basic feature.

And that's if you can even find a decent write-up on a password manager's features. 1Password is a case in point. All I see on their web site is "buy me" marketing. If any hard facts exist, I can't find them.

If anyone knows of a password manager which provides this feature I'd love to know about it. In the meantime, I use a separate user account on my desktop so there's no possibility of banking credentials being "helpfully" synch'd without my knowledge.
 
Upvote
39 (51 / -12)
I tried a passkey with a secondary Gmail account, saved in Bitwarden. Works fine from my desktop where I set it up.

But now I can’t log in from anywhere else without some hardware dongle I don’t have? I don’t always have the luxury of being able to install Bitwarden on every computer I use. Not impressed by the implementation nor the instructions and lack of warnings.
 
Upvote
74 (75 / -1)

mpfaff

Ars Praefectus
3,141
Subscriptor++
I use Bitwarden and gave up on passkeys until they figure out how to implement them. I need it to be the same as using my password manager, where I can set the OS and browser to use Bitwarden by default and not its own platform. I use macOS, iOS, and Windows daily across both Safari and Firefox. Passwords are fine; they all know that Bitwarden is what to go to for saving and pulling passwords. Passkeys are a mess, and until they work them out, a long random password + TOTP will be secure enough.
 
Upvote
57 (57 / 0)

mmiller7

Ars Legatus Legionis
12,349
That sounds awful and trying to make that system work for my 70 year old parents seems nigh impossible.

And not to forget: You now better always lug at least two devices with you whenever you travel and God forbid something happens to both of them.
We had this VERY thing happen a year ago. Really bad car crash, phone destroyed, laptop and tablet lost when car was towed away by police who emailed the location it was hauled away to.

Except now how do you get to said email when you've just been thrown upside-down having to buy a new phone after getting out of the hospital and not knowing where any of your belongings are? And how do you find your remaining belongings if you need them to log in to find them?

We were REALLY wishing that we could have just used something like SMS tied to the new phone, where we could prove identity with photo IDs at Verizon's store to get the replacement phone/SIM card for the one destroyed.

Someone will surely say "but have backup codes"...well until after this happened, even as tech people we had never even HEARD OF backup codes, Google didn't point to them or encourage finding them, we weren't told or asked. They just kinda "in the background" magically set up MFA push to a Google phone when we got our first smartphones and we never gave it any thought because why would you?
 
Upvote
134 (138 / -4)