Seems to me the whole argument boils down to "they (the passkeys) are generally saved in proprietary non-communicating stores", which is fair. But then the problem is not the passkey, it's the fact that we (as usual) give all our stuff to corps. It's the eternal struggle of easy of use vs. better security.
I host my own vaultwarden btw š
Every time Iāve tried to understand passkeys I either donāt get it and itās scary to potentially be locked out or I do understand it and I still find it scary to potentially be locked out.
Even 2fa is tricky.
If my phone is stolen and I donāt have my laptop with backup codes, then Iām not getting into my accounts.
What if both are stolen or damaged at the same time?
Passkeys are basically passwords that you donāt send to the server. So they are safer against phishing.
Basically the server has a message. They will scramble it with your public key. And send it to you. Your private key unscrambles the message and then you send the message back to them. So if they receive the original message back. They know you are you. And they never got their hands on your private key at any point. Itās awesome.
2fa is an entirely different thing. And I do wish it was more standard how it works. Some places if you lose it you lose your account (bitwarden). Others you donāt (protonmail).
Everyone should use passkeys. 2fa you have to decide if your case warrants it.
Edit: example of passkeys:
Step 1: they have the message ācatā
Step 2: they encrypt it with your public key and it becomes āacmā
Step 3: they send you the encrypted message āacmā
Step 4: you decrypt the message āacmā into ācatā with your private key.
Step 5: you send them back the message ācatā
Only your private key would be able to decrypt something encrypted with your public key. So they now know you are you. And they never got a hand on your private key. Itās the same as a password except you never send it directly to the server.
Bitwarden has a passkey service + a paid totp service, so I can always use either to log into whatever within two clicks. Yeah it's less secure than a physical keychain but... Whatever, it's better than passwords and as easy to use.
In any case, if you atore the backup codes in a place where you can lose them, that's on you. Upload them into somewhere you control that has good privacy laws.
Do you memorize all of your passwords? If so, I take that to mean that you donāt use a password manager. Password managers - really, any app with 2FA - have this problem, too. But if you use a password manager and store your 2FA methods in it, then you only need to be able to regain access to your password manager.
If you use a cross-platform password manager with Passkey support, like Bitwarden, you can use it on any of your devices. In the event that you lose all of your devices, if you donāt have an Emergency Contact set up, you will need your password and one of the following to gain access to your account:
Access to your 2FA method
Access to your Recovery Code
If youāre in an enterprise using Duo 2FA, access to a Duo bypass code (contact your Duo admin to request this)
If you use security keys for 2FA, then you should have at least two - one that you keep with you and a backup that you keep in a safe place, like at home in a lockbox.
If you use a TOTP app to log in, or if you use security keys and want another backup, then making sure youāll have access to the Recovery Code should be your priority. You can write it down and keep it in a few different places - at home, in your car, in your locker at work, etc.. You can share it with someone you trust in person or over an encrypted channel (like Signal). You can store it on a flash drive, encrypted by a second password (which can be much easier than your primary password) or even unencrypted, if you generally keep the drive somewhere safe, disconnected from your computer. As long as you remember your password and can access your recovery code, youāll also be able to regain access to your account, including all of your passkeys.
Emergency Access requires someone else to have access to their Bitwarden account, but assuming you donāt both lose access, itās a pretty solid solution. When they request access, Bitwarden will send you an email allowing you to accept or reject their request. If you accept or donāt respond within the allotted āWait Timeā (which you configure: 1 day minimum, 90 days maximum) then theyāll be granted access. You also get a choice (when setting this up) to let them takeover the account (resetting your master password) or to just get read-only access.
Maybe you donāt like Bitwarden and want to use some other app, like 1Password, Dashlane, Roboforms, etc.. Whatever your choice, familiarize yourself with how to restore access to your account in an emergency. Then you only need to worry about that and not about how to get access to your passkeys that are on your Windows laptop or only synced to your Apple devices.
The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.
Agreed, in its current state I wouldnāt teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and donāt have the password manager). The author mentions it: the QR code approach for cross device sign in. I donāt think itās cumbersome, i think itās actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
The author mentions it: the QR code approach for cross device sign in. I donāt think itās cumbersome, i think itās actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
The site doesnāt need to implement this; the browser handles that part.
I confirmed this works and logged into Github using Google Chrome on my work computer using a passkey stored in Bitwarden earlier today. I had to enable Bluetooth for Chrome, since Iād had it disabled, but then everything else was seamless.
I'd be interested in a discussion of his points here :) those sound like valid points he's making
edit: I think Iāve misunderstood the point of the article. He is saying passkeys are dangerous for people without password managers, therefore for most people passwords are still better (since most people don't use password managers). It's not so much a problem with passkeys, but the lack of password managers.
Even in the best case scenario, where you're using an iPhone and a Mac that are synced with Keychain Access via iCloud
Surely the better-case scenario would be using a password manager?
The article doesn't address the recommended use-case of passkeys + password manager, which makes it kind of irrelevant.
But that is exactly what he recommends, using a password manager - with one time email authentication for the first login as an extra step, right?
edit: I think I've misunderstood the point of the article. In a non-obvious (to me at least) way, he is saying passkeys are dangerous for people without password managers, therefore for most people passwords are still better.
But that is exactly what he recommends, using a password manager - with one time email authentication for the first login as an extra step, right?
Nope.
Using a cross-platform password manager with synced passkeys is different and much more secure than using a password manager with email TOTPs or sign-in links with emails that arenāt end-to-end encrypted.
And password manager adoption is much higher than PGP keyserver adoption, and if you canāt discover someoneās public key you canāt use it to encrypt a message to them, so sending end-to-end encrypted emails with TOTPs/sign-on links isnāt a practical option.
I use passkeys and find them great, mind you I know that you need at least 2 of them so you have a backup. I also use yubikeys at work and they are the same issue, you need 2 of them in case 1 breaks or gets lost.
Maybe the setup should be, make sure you have 2 passkeys on 2 different devices? but not in your password manager
Still, it makes adding new devices much more of a hassle.
Seems to me the whole argument boils down to "they (the passkeys) are generally saved in proprietary non-communicating stores", which is fair. But then the problem is not the passkey, it's the fact that we (as usual) give all our stuff to corps. It's the eternal struggle of easy of use vs. better security.
I host my own vaultwarden btw š
Every time Iāve tried to understand passkeys I either donāt get it and itās scary to potentially be locked out or I do understand it and I still find it scary to potentially be locked out.
Even 2fa is tricky.
If my phone is stolen and I donāt have my laptop with backup codes, then Iām not getting into my accounts.
What if both are stolen or damaged at the same time?
Passkeys are basically passwords that you donāt send to the server. So they are safer against phishing.
Basically the server has a message. They will scramble it with your public key. And send it to you. Your private key unscrambles the message and then you send the message back to them. So if they receive the original message back. They know you are you. And they never got their hands on your private key at any point. Itās awesome.
2fa is an entirely different thing. And I do wish it was more standard how it works. Some places if you lose it you lose your account (bitwarden). Others you donāt (protonmail).
Everyone should use passkeys. 2fa you have to decide if your case warrants it.
Edit: example of passkeys:
Step 1: they have the message ācatā
Step 2: they encrypt it with your public key and it becomes āacmā
Step 3: they send you the encrypted message āacmā
Step 4: you decrypt the message āacmā into ācatā with your private key.
Step 5: you send them back the message ācatā
Only your private key would be able to decrypt something encrypted with your public key. So they now know you are you. And they never got a hand on your private key. Itās the same as a password except you never send it directly to the server.
Bitwarden has a passkey service + a paid totp service, so I can always use either to log into whatever within two clicks. Yeah it's less secure than a physical keychain but... Whatever, it's better than passwords and as easy to use.
In any case, if you atore the backup codes in a place where you can lose them, that's on you. Upload them into somewhere you control that has good privacy laws.
Do you memorize all of your passwords? If so, I take that to mean that you donāt use a password manager. Password managers - really, any app with 2FA - have this problem, too. But if you use a password manager and store your 2FA methods in it, then you only need to be able to regain access to your password manager.
If you use a cross-platform password manager with Passkey support, like Bitwarden, you can use it on any of your devices. In the event that you lose all of your devices, if you donāt have an Emergency Contact set up, you will need your password and one of the following to gain access to your account:
If you use security keys for 2FA, then you should have at least two - one that you keep with you and a backup that you keep in a safe place, like at home in a lockbox.
If you use a TOTP app to log in, or if you use security keys and want another backup, then making sure youāll have access to the Recovery Code should be your priority. You can write it down and keep it in a few different places - at home, in your car, in your locker at work, etc.. You can share it with someone you trust in person or over an encrypted channel (like Signal). You can store it on a flash drive, encrypted by a second password (which can be much easier than your primary password) or even unencrypted, if you generally keep the drive somewhere safe, disconnected from your computer. As long as you remember your password and can access your recovery code, youāll also be able to regain access to your account, including all of your passkeys.
Emergency Access requires someone else to have access to their Bitwarden account, but assuming you donāt both lose access, itās a pretty solid solution. When they request access, Bitwarden will send you an email allowing you to accept or reject their request. If you accept or donāt respond within the allotted āWait Timeā (which you configure: 1 day minimum, 90 days maximum) then theyāll be granted access. You also get a choice (when setting this up) to let them takeover the account (resetting your master password) or to just get read-only access.
Maybe you donāt like Bitwarden and want to use some other app, like 1Password, Dashlane, Roboforms, etc.. Whatever your choice, familiarize yourself with how to restore access to your account in an emergency. Then you only need to worry about that and not about how to get access to your passkeys that are on your Windows laptop or only synced to your Apple devices.
Agreed, in its current state I wouldnāt teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.
Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.
The only thing that remains is how to log in if you are not on a device you own (and donāt have the password manager). The author mentions it: the QR code approach for cross device sign in. I donāt think itās cumbersome, i think itās actually a great and foolproof way to sign in. I have yet to find a website which implements it though.
The site doesnāt need to implement this; the browser handles that part.
I confirmed this works and logged into Github using Google Chrome on my work computer using a passkey stored in Bitwarden earlier today. I had to enable Bluetooth for Chrome, since Iād had it disabled, but then everything else was seamless.
I'd be interested in a discussion of his points here :) those sound like valid points he's making
edit: I think Iāve misunderstood the point of the article. He is saying passkeys are dangerous for people without password managers, therefore for most people passwords are still better (since most people don't use password managers). It's not so much a problem with passkeys, but the lack of password managers.
Surely the better-case scenario would be using a password manager?
The article doesn't address the recommended use-case of passkeys + password manager, which makes it kind of irrelevant.
But that is exactly what he recommends, using a password manager - with one time email authentication for the first login as an extra step, right?
edit: I think I've misunderstood the point of the article. In a non-obvious (to me at least) way, he is saying passkeys are dangerous for people without password managers, therefore for most people passwords are still better.
Nope.
Using a cross-platform password manager with synced passkeys is different and much more secure than using a password manager with email TOTPs or sign-in links with emails that arenāt end-to-end encrypted.
And password manager adoption is much higher than PGP keyserver adoption, and if you canāt discover someoneās public key you canāt use it to encrypt a message to them, so sending end-to-end encrypted emails with TOTPs/sign-on links isnāt a practical option.
According to Statista, 34% of Americans used password managers in 2023 (a huge increase from 21% in 2022), so itās not even like the best case scenario is rare.
I use passkeys and find them great, mind you I know that you need at least 2 of them so you have a backup. I also use yubikeys at work and they are the same issue, you need 2 of them in case 1 breaks or gets lost.
Maybe the setup should be, make sure you have 2 passkeys on 2 different devices? but not in your password manager
Still, it makes adding new devices much more of a hassle.