• yesman@lemmy.world · 39 up, 4 down · 5 days ago

    Passkeys are light years ahead of 2FA in user experience. Why do you dislike them?

    Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.

    • IrateAnteater@sh.itjust.works · 61 up, 2 down · 5 days ago

      I very specifically don’t want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from “pain in the ass” to “not actually possible”.

      • thesohoriots@lemmy.world · 29 up, 1 down · 5 days ago

        I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.

        • yesman@lemmy.world · 5 up · edited · 5 days ago

          I didn’t consider the friction of integrating it into your existing process because I use a manual password manager. But who is saying you should replace a password manager with passkeys? It was always meant to be a parallel system.

          Edit: I just wanted to add that people like you and me who have “solved” our credentials problems are a tiny minority. Passwords are shit. Just because we’ve grown accustomed to them doesn’t change that.

          • WhatAmLemmy@lemmy.world · 5 up · 4 days ago

            You’ll find that nobody has a problem with passkeys specifically. They have a problem with the implementation, and companies forcing passkeys onto users who don’t want or need them.

            I don’t need passkeys because I use a password manager. My threat model requires that I can restore my password manager, all 2FA, and regain full access to all my accounts from anywhere in the world, even if a natural disaster occurs and all my devices are destroyed.

            Passkeys and SMS 2FA are a direct threat to my threat model, and I can’t help but feel they’re designed to further entrench surveillance capitalism, and the invasion of privacy as a prerequisite for security.

        • potustheplant@feddit.nl · 3 up · 5 days ago

          Authenticator no longer works like that. You can now restore all of your 2FA codes by logging in to your Google account, and it’s been that way for almost 2 years now.

      • Wanderer@lemm.ee · 9 up · 5 days ago

        Heard of so many people losing their phone. Then they try to log into something and the company (quite often Google) says “I don’t give a fuck if you know your passwords, I’m never letting you log into your account, get fucked, don’t call, I won’t answer.”

    • Engywuck@lemm.ee · 13 up · 5 days ago

      Why would I want security based on a device? What security does this offer that is greater than a 64-character password + 2FA?

        • Engywuck@lemm.ee · 1 up, 1 down · 5 days ago

          I doubt that anyone who doesn’t use “password” as a password and who knows what 2FA is could easily be subject to phishing.

          • Natanael@infosec.pub · 3 up · 4 days ago

            It literally just takes a slightly different domain name. Lots of infosec pros have been phished when not paying attention.

    • mspencer712@programming.dev · 3 up · 5 days ago

      Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.

      • 2xsaiko@discuss.tchncs.de · 1 up · 4 days ago

        The kicker is that this used to be solved with passwordless WebAuthn, the same standard, until some morons decided that resident keys were the way to go (they aren’t).

          • Natanael@infosec.pub · 1 up · 4 days ago

            That’s literally no different from a regular password manager or having a 2FA TOTP code app set up for it.

            • mspencer712@programming.dev · 1 up · edited · 3 days ago

              Are you sure? TOTP secrets can be exported. I think passkey implementations explicitly prevent that. Unless I’m missing an option to export passkey creds, e.g. print them out.

              That same disaster recovery feature (which I need) also helps avoid a future where every forum and avenue of dissent requires dis-repudiation via passkeys. It’s a weird nuance, ascribing a social effect to a simple ability to back up your keys without backing up your whole phone.

              • Natanael@infosec.pub · 1 up · 3 days ago

                Passkeys can be synchronized, but aren’t intended to be exported raw as they’re meant to be used with a TPM / secure element chip or equivalent secure hardware to protect the key in use. Bitwarden can synchronize them.

                Also, they intentionally create distinct keys per site, so you can’t link multiple accounts using the same passkey / hardware security key.
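Two points raised in this thread, Natanael's remark that phishing only takes a slightly different domain name and the later note that passkeys create distinct keys per site, both come down to how a WebAuthn credential is bound to its relying party. The Go program below is an added example written for this page; it is not code from any of the commenters, from Bitwarden, or from a real passkey implementation. It simulates an authenticator that holds one P-256 key per RP ID and never exports it, a browser that refuses to use that key from an origin the RP ID does not cover, and a relying party that checks origin, RP ID hash, challenge and signature before accepting a login. The domains bank.example, login.bank.example, forum.example and the lookalike bank-example.com are constructed for the demo, the authenticator data layout is simplified (rpIdHash, one flag byte, a zero counter), and attestation, signature counters and user verification are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Authenticator is a toy passkey store (added example, not a real implementation): one P-256 key pair per RP ID, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

type Assertion struct {
	ClientDataJSON []byte // {"type","challenge","origin"}
	AuthData       []byte // sha256(rpID) || flags || counter (simplified layout)
	Signature      []byte
}

// rpIDAllowedForOrigin is the browser's rule: the RP ID must equal the origin host or be a suffix of it (blocks lookalike domains).
func rpIDAllowedForOrigin(origin, rpID string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return false
	}
	host := u.Hostname()
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// signedDigest reproduces what WebAuthn signs: authData || sha256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Authenticate plays browser plus authenticator: binds the assertion to page origin and RP ID, then signs with that RP's key only.
func (a *Authenticator) Authenticate(origin, rpID, challenge string) (*Assertion, error) {
	if !rpIDAllowedForOrigin(origin, rpID) {
		return nil, fmt.Errorf("rpID %q not valid for origin %q", rpID, origin)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // UP flag set, counter zero
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify is the relying party's check: type, challenge, origin, RP ID hash and signature must all match.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, rpID, challenge string, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return fmt.Errorf("bad type or challenge (replay or wrong ceremony)")
	}
	if cd["origin"] != expectedOrigin {
		return fmt.Errorf("origin mismatch: %s", cd["origin"])
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("bank.example")
	as, _ := auth.Authenticate("https://bank.example", "bank.example", "nonce-1")
	fmt.Println("genuine login:", Verify(pub, "https://bank.example", "bank.example", "nonce-1", as))
	_, err := auth.Authenticate("https://bank-example.com", "bank.example", "nonce-2") // constructed lookalike
	fmt.Println("lookalike origin:", err)
}
```

The lookalike case never reaches the relying party: the browser-side rule refuses to use the bank.example credential from bank-example.com, so there is no assertion to phish, which is the property a TOTP code or a typed password lacks. Registering a second RP yields an unrelated key pair, so an assertion made for forum.example fails signature verification under the bank's public key and the two accounts cannot be linked through the credential.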