> websites which [...] also want to know how the passkey is being handled by the user’s device to keep their accounts safe
This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.
Knowing this, how long until Netflix, Disney other content providers (sorry I don't know which ones are popular right now) demand use of a passkey originating form a device with a Trusted Platform (aka Untrusted User) Module ? This is part of a long plan initiated years ago with Windows TPM requirements, Microsoft account requirements. The gap between closed and open platforms will widen and the path is clearly to apply the Smartphone model where everything is closed, controlled, DRM'd, to other computers. We're lucky the IBM PC architecture was an open one but the war on that is on.
Yep the whole tpm thing and the device constrained nature they have envisioned is the major drawback.
But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.
As if the rest of the users system is compromised the user can't be tricked into providing access to their account.
And no one ever "recovered" someone else's account.
The main benefit of passkeys is that they are keys you don't have to send them over the wire. The main risk of having them on disk encrypted purely in software is that a compromised system can lead to the keys getting stolen.
Their trusted platform bulshit doesn't really escape that threat though, instead of stealing your keys the attacking malware can just get access to your service and maybe even enroll their own key.
If you tried to login to a website and you got two requests to allow the use of your key one after the other would you really have the wherewithal to say no wait a second I just gave permission for that key to be used, the second request is obviously from malware on this computer that's trying to gain access to my account.
That's ignoring that the malware can just read everything you are reading.
The whole tpm obsession is security theater on top of a power play
> But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.
I'm actually fine with this. It's like how SSH private keys are supposed to be handled: generated on the device, and never supposed to leave it.
The proper way of doing Passkeys is to have several Passkeys enrolled in your account, so that you always have a trusted device to access your services. Now, if the service doesn't allow multiple Passkeys per account that IS a problem.
I've seen this argument many times, but I don't understand it. Can you explain a scenario where this would be an issue? So, Netflix makes me log in with a passkey that comes from their own hardware, instead of my password manager. What's the danger there, beyond the fact that this seems to me extremely unworkable because I'd just never sign in?
The danger is that you now can no longer use netflix without they're approved hardware? Of course, that's essentially already the case with netflix, but this becomes dicey when services that actually matter take this approach.
> Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable.
On the contrary, their operators can decide whatever they like, but I won't be visiting them if they go the passkeys route. I can live w/o Netflix or Disney just fine.
Losing your device and not having any passwords is like losing your fingerprints.
>Device loss scenarios
>Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
>Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
Also requires the device allows backup of passkeys. The infamous post where keepass was threatened if they were to continue to allow users to backup their own keys.
The person there requested that KeePassXC don't let users export their keys in plaintext, which seems reasonable. He asked that the software encrypt the keys with a user-selected password before exporting, so someone stealing the files wouldn't have the keys to literally all of the user's sites. That doesn't seem unreasonable to me.
Just not having the right device with you is crippling. IMO Passkeys need more work. I'd really like to see accounts support multiple passkeys. I'd prefer biometrics that are device independent. I just don't like the idea of replacing something someone can steal (a password) with something else someone can steal (a phone).
The problem with passkeys is that device/OS and browser vendors (or more specifically: Apple, Google and Microsoft) are trying to use it as an excuse to lock in users.
There is no reason a passkey can’t be portable - even the so called “device bound” credentials these vendors are claiming prevent export are actually implemented as credentials synchronised throughout their own ecosystems - i.e multi device.
NOTHING in the FIDO2/WebAuthn spec forbids user controlled portability.
It’s just bigtech trying to make it harder to leave their ecosystems - and when passkeys become widely adopted you won’t be able to log into those sites/apps without some form of recovery on a case by case basis should you decide to switch from Apple to android, windows to Mac, etc.
“Passkeys are the future of authentication” …this is not the future I hope….When Google, Microsoft and a lot of other B*G-Tech companies promote Passkeys, you know it is not done to protect your security and privacy.
I agree. I use Bitwarden on my Samsung Android phone and also on my Linux desktop. Bitwarden currently supports passkeys on almost all the apps on my android including firefox. The same passkeys which i used to login on my phone can be used on my Linux desktop where i use Firefox with Bitwarden extension. What's now possible was not even possible at the start of this year. I haven't switched everything to passkeys but i can see it as an alternative to passwords now(passwords really shines in some areas too).
I read about Passkey comittee being against open source passkey managers during start of this year (can't reference it, sorry) but with open source password/key managers already supporting passkeys, i don't think it turned out to be true.
> I read about Passkey comittee being against open source passkey managers during start of this year (can't reference it, sorry) but with open source password/key managers already supporting passkeys, i don't think it turned out to be true.
Tim Cappalli is thoroughly misguided throughout that discussion, but he's not threatening anything. Okta lets users require attestation, but it will never, ever force attestation on anyone.
So the same passkey is being used on multiple devices, rather than different devices (actually applications) having distinct passkeys.
Doesn't that defeat one of the centrals aims of passkeys? In what ways is your setup different than random passwords in bitwarden - what's the additional security?
Other than that they shouldn't have a big advantage for a more professional user with unique, long, and random passwords. For the common user it should be a great upgrade, giving all these advantages with better UX.
The password manager has become the device (and offers some assurance if the device is lost, as you can log into the manager on another device). I agree definitely isn't the original vision of passkeys (having a different passkey on every device, stored in separate password databases?), but it makes more sense for my cases.
But afaik you still can't move Passkeys from Chrome or Safari to any other credential manager.
I was vaguely under the impression that there was a ton of push-back again import/export flows in general, that the CEP was going to be the only supported path. And it requires that your Credentials Manager have a public endpoint to send your credentials to. Which doesn't force but radically ups the challenge for individuals to self host or manage things themselves, will drive Passkeys to remain service provided only.
With governments upping their right to snoop, immoral intercept, it's hard to have too much hope that Passkeys can remain trustable & respectable. If the UK passes a law saying they can access all your keys, the odds are not in your favor that Google is going to make a Signal like stand & tell the UK to buzz off. It's unfortunate that these giant massive enterprises are so big are so many products all in one, because if there was a healthy Chrome business not tied to thousands of other profit lines, maybe Chrome would dare have some backbone & tell their majesty to go stick it where the sun don't shine. But these companies are so big that even the most immoral outrageous ridiculous laws end up being accepted. Passkeys seems like a huge painted target; maybe the next 15-20 years go by with no one trying to get in the cookie jar, but it seems inevitable that the moral rot and illegitimacy of governments will stoop down to making this good idea untenable & a joke, in a long enough time scale. Especially with the service-provider-only ecosystem that's being engineered and imposed here.
Websites can choose to not accept your passkey manager ("accept" not "block" since it will obviously be enforced as whitelist). What could possibly go wrong ? If only there was a similar example with an existing system like TOTP and a big company like Steam..........
Link unrelated https://github.com/keepassxreboot/keepassxc/discussions/9591
Eventually get debanked and go live in the woods ig
> Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
> Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
The benefit to the user of a passkey is that they don't have to remember passwords ("what you have" and not "what you know"). But if you lose what you have, you're screwed. There's no straightforward way to mitigate this.
Proposed solutions I've seen just add an extra layer of "what you know," but this just changes the security back to "what you know" if it supersedes the passkey.
Readit News
This is exactly where passkeys go too far. "to keep their accounts safe" is always the excuse used to reduce the freedoms of users. Web sites have no business deciding how things are handled on user devices but it's precisely what passkeys enable. The boundary of control of a website used to stop at the interface between the site and the user. Now that boundary will extend to the devices. The idea of property and ownership is attacked again. The device is not something the user owns and has full control over but something that is a gateway to access content controlled by the big Internet companies.
Knowing this, how long until Netflix, Disney other content providers (sorry I don't know which ones are popular right now) demand use of a passkey originating form a device with a Trusted Platform (aka Untrusted User) Module ? This is part of a long plan initiated years ago with Windows TPM requirements, Microsoft account requirements. The gap between closed and open platforms will widen and the path is clearly to apply the Smartphone model where everything is closed, controlled, DRM'd, to other computers. We're lucky the IBM PC architecture was an open one but the war on that is on.
But no they have to live in their secured enclave or on a dongle so that you can't copy them between devices because nothing ever happened to a device.
As if the rest of the users system is compromised the user can't be tricked into providing access to their account.
And no one ever "recovered" someone else's account.
The main benefit of passkeys is that they are keys you don't have to send them over the wire. The main risk of having them on disk encrypted purely in software is that a compromised system can lead to the keys getting stolen.
Their trusted platform bulshit doesn't really escape that threat though, instead of stealing your keys the attacking malware can just get access to your service and maybe even enroll their own key.
If you tried to login to a website and you got two requests to allow the use of your key one after the other would you really have the wherewithal to say no wait a second I just gave permission for that key to be used, the second request is obviously from malware on this computer that's trying to gain access to my account.
That's ignoring that the malware can just read everything you are reading.
The whole tpm obsession is security theater on top of a power play
I'm actually fine with this. It's like how SSH private keys are supposed to be handled: generated on the device, and never supposed to leave it.
The proper way of doing Passkeys is to have several Passkeys enrolled in your account, so that you always have a trusted device to access your services. Now, if the service doesn't allow multiple Passkeys per account that IS a problem.
And then suddenly you're debanked.
On the contrary, their operators can decide whatever they like, but I won't be visiting them if they go the passkeys route. I can live w/o Netflix or Disney just fine.
Your PII will leak off their platform anyway.
Arbitrarily?
I’ll die on that hill.
>Device loss scenarios
>Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
>Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
Most accounts seem to. Personally, I think I've only found one or two out of around 25 that I've added passkeys to that would not let me add more.
There is no reason a passkey can’t be portable - even the so called “device bound” credentials these vendors are claiming prevent export are actually implemented as credentials synchronised throughout their own ecosystems - i.e multi device.
NOTHING in the FIDO2/WebAuthn spec forbids user controlled portability.
It’s just bigtech trying to make it harder to leave their ecosystems - and when passkeys become widely adopted you won’t be able to log into those sites/apps without some form of recovery on a case by case basis should you decide to switch from Apple to android, windows to Mac, etc.
Nice read https://techrights.org/n/2025/05/02/Passkeys_Are_Vendor_Lock...
I read about Passkey comittee being against open source passkey managers during start of this year (can't reference it, sorry) but with open source password/key managers already supporting passkeys, i don't think it turned out to be true.
Here's an Okta employee threatening to use the attestation (anti)feature of passkeys to block open-source implementations, because they allow you to export your passkeys: https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
because they allow you to export your passkeys in plaintext, for easy stealing.
"Information wants to be free" should not apply to passwords!
Doesn't that defeat one of the centrals aims of passkeys? In what ways is your setup different than random passwords in bitwarden - what's the additional security?
Other than that they shouldn't have a big advantage for a more professional user with unique, long, and random passwords. For the common user it should be a great upgrade, giving all these advantages with better UX.
But afaik you still can't move Passkeys from Chrome or Safari to any other credential manager.
I was vaguely under the impression that there was a ton of push-back again import/export flows in general, that the CEP was going to be the only supported path. And it requires that your Credentials Manager have a public endpoint to send your credentials to. Which doesn't force but radically ups the challenge for individuals to self host or manage things themselves, will drive Passkeys to remain service provided only.
With governments upping their right to snoop, immoral intercept, it's hard to have too much hope that Passkeys can remain trustable & respectable. If the UK passes a law saying they can access all your keys, the odds are not in your favor that Google is going to make a Signal like stand & tell the UK to buzz off. It's unfortunate that these giant massive enterprises are so big are so many products all in one, because if there was a healthy Chrome business not tied to thousands of other profit lines, maybe Chrome would dare have some backbone & tell their majesty to go stick it where the sun don't shine. But these companies are so big that even the most immoral outrageous ridiculous laws end up being accepted. Passkeys seems like a huge painted target; maybe the next 15-20 years go by with no one trying to get in the cookie jar, but it seems inevitable that the moral rot and illegitimacy of governments will stoop down to making this good idea untenable & a joke, in a long enough time scale. Especially with the service-provider-only ecosystem that's being engineered and imposed here.
> Backing up and synchronising passkeys with a Credential Manager makes it easier to recover access to them compared to other existing second factor options. However, this relies on the user having prepared their Credential Manager account for recovery. Users need help in understanding and implementing the right steps so they can feel ready to go passwordless and use passkeys without extra worry and hassle.
The benefit to the user of a passkey is that they don't have to remember passwords ("what you have" and not "what you know"). But if you lose what you have, you're screwed. There's no straightforward way to mitigate this.
Proposed solutions I've seen just add an extra layer of "what you know," but this just changes the security back to "what you know" if it supersedes the passkey.