Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
Nope.
Ok I see a lot if discussion on this topic but no one seems to have mentioned the main feature of the spec that makes them phishing resistant: presence detection. This is what makes FIDO resistant to credential replay. The spec is not perfect but it prevents most common phishing attacks.
The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa
Most of the sites I’ve seen use it as the single auth source. That said, using multiple forms of authentication in a layered model only improves security.
Personally, I found that It works well with Microsoft, Paypal, Google, Shopify and Proton. I was really surprised to find the option on German government sites, worked there as well. Tested in Ungoogled Chromium and Librewolf. The only thing I find dissappointing is adoption
I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.
I store the passkeys in my self hosted vaultwarden, they are a good replacement for auto inserting random passwords via text boxes.
Yeah totally not going to be misused by corporations with proprietary cryptographic-algorithm
seems like too much messing around to make it a widespread solution.
Acrually not really.
I do use it with my password manager.
Very convenient.BUT, it’s not hardware based so more suscepticle to attacks.
i see. gotta try it out for myself
Thanks for the great article! I had a question re: the top disadvantage you mention (lock-in).
Background: Although the on-device integration for Apple, Google, etc. use their cloud for E2E sync between devices, it appears KeePassXC using their passkey interception, discovery, and import procedures accomplish the same cross-device passkey implementation without needing a particular vendor cloud lock-in. As best I can tell, this meets the original standard’s sync fabric requirements (whether or not the big providers like it) and relies on platform-specific APIs mostly for interoperability.
Question: If KeePass has been able to implement their own sync this way, and the FIDO standard accommodates non-OS providers (e.g. browsers or PW managers), what is currently the biggest technical hurdle remaining for FOSS-based passkey providers?
Thank you… and Yes you are right… There could be many reasons like greed or could be risk management if you think from both ends of spectrum. It’s sad actually they are developed on the same FIDO2 but insists on being seperate which is weird… Also they feel that regular user wouldn’t be able to set up FOSS passkey provider or may be they lose control over encryption if they share with third party.
Yeah the counter-interoperability of proprietary expansions on FIDO standards sounds a lot like embrace extend extinguish to me. I know engineering standards generally require field revisions but these big corps have a track record of this behavior.
I can see how the FIDO standard’s dID requirement might be an issue at the org level, but even in the case of a fully custom/unknown rooted device they have provisions for using traditional security keys attached to one or more associated devices via USB/BT/NFC. Megacorp platforms might be first to facilitate adoption but the spec absolutely accommodates open provider integration.
I need to experiment with personal security passkey registration and authentication workflows to know how difficult it actually is in practice, but it looks like the equivalent of self-signed certificates are possible anywhere the user controls the stack like self-hosted intranetwork suites that are popular around here.
Thanks again for the write up!
It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.
It’s a yin/yang battle.
A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?
The level of digital security generally attainable is limited by how likely someone is to use it.
2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.
Just like real defence, the walls are only as good as the foundation or weakest point.
What am I dependent on to access by stuff if I use a passkey? A smart phone?
No, you can store them in a password manager. That’s what I do. Doesn’t always work though. Sometimes my browser is prompted for the passkey instead, for reasons I don’t understand.
But what do you do with your Passkey in your password manager if you have to login on another device (you don’t own)?
You use something else. Preferably TOTP.
It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can’t use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).
It should also be noted that if the cloud account is not phishing-resistant (which it can’t be for reasons stated above), then the accounts protected by passkeys aren’t phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.
At AAL2 you could also just use a password and OTP, which doesn’t have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.
In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).
Yeah exactly, like make 3 engraved metal plates you can store here and there for recovery, not some stupid cloud account LMAO.
Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don’t gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.
You can now use thirds parties APIs for Passkey. I use ProtonPass on my part, it works great most of the time, but there are still some apps that have Google provider hard-coded.
Bitwarden does support access to access keys in (for example) firefox.
I have not tested outside of browser (firefox). So it may depend on if you use chrome or some other app.Edit: Just got a suggestion inside the Amazon app (Android. Yes, I hate Amazon as well but I got a gift card and I hate it even more to give them a free of charge credit) to add a passkey. So it seems to work (semi-)reliable outside of a browser.
I’ve been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.
Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I’m not sure if this is a problem with Piefed, Bitwarden, or Firefox, I’m now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.
I recognize the theoretical advantages, but passkeys don’t do much to solve problems I actually have. All my passwords look like
#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWEand are unique. Bitwarden won’t autofill the wrong domain. I don’t enter credentials in links from emails I didn’t trigger myself immediately before. I haven’t checked whether I can reliably backup and restore them in my Bitwarden vault.I self host vaultwarden, and use bitwarden clients everywhere. Passkeys are stored there
Passkeys to me, are a better way to insert login information. Some developers don’t think of passwords getting automatically filled in, so this autofill sometimes breaks. Passkeys might be a improved interface to integrate password managers. Also, sometimes 2FA keys from my bitwarden client gets copied into the clipboard, which sometimes overwrites the stuff I wanted to preserve in there. This does not happen with passkeys.
Hardly anyone supports it: https://www.passkeys.io/who-supports-passkeys
So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.
I’ve used it with many sites not on that list. Including this one. It’s not comprehensive.
No, you do not need Microsoft/Google account.
The biggest disadvantage:
Disadvantages of Passkeys
Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.
More eggs in the American megacorp basket for more people, yay
Your password hashes (assuming they even hash them) already live on their servers…
Currently I use a FOSS (I think?) password manager, BitWarden, that supports passkeys. I use it across Mac, Windows and Android so I’m while my passkeys are locked yo the password manager, I am not locked to any of the aforementioned megacorps.
I use BitWarden too. OS , device and browser agnostic is a win
But I imagine the vast amount of people will use whatever their platform is pushing, so Apple Google or Microsoft. And in 5 years time “3rd party passkeys” are not “secure enough” and blocked by the OS. (Ok that’s a bit tinfoil hat, but Google’s recent Android app developer verification scheme is fresh in mind)
While I use and love bitwarden, it’s not exactly foss. Although there is a foss implementation of their server backend
A cursory search lead to this thread from 2024 https://community.bitwarden.com/t/concerns-over-bitwarden-moving-away-from-open-source-what-does-our-future-hold/74800
where an employee stated
I’ll note that policy wise nothing changed. The referenced issue is a packaging bug, but the goal still is the dual licensing model, with the core being open source, and some (mostly enterprise) features being source-available.
Both the client and server are mostly open source. Some server features are paywalled. The alternative Vaultwarden server is fully open source, and much lighter on system resources.
Have there been any recent licensing shenanigans with BitWarden?
Vaultwarden (the free server implementation) also supports passkeys.
deleted by creator
KeePassXC has begun rollout of their own implementation, and I’m pretty sure they’re considered FOSS.
From a quick scan of the white paper, it appears they’re currently using on-device passkey discovery and otherwise “intercepting” passkey registration workflows, which I take to mean they aren’t originating the request as a passkey registrar. This may be the easiest method to satisfy FIDO’s dID requirements.
That’s not the biggest disadvantage “if used properly.” Any account you have should get a passkey on every device you own. Each device has it’s own passkey system. If you have an iPhone, yeah, you get an apple passkey, but then if you have a windows laptop, you have a microsoft passkey, a FLOSS system will have it’s own, and so on. You are already on whatever system would contain the passkey and can easily add different ones each time you get a new device.
The biggest issue is that most people use a small number of devices (including many who use 1). Passkeys work best if you have many devices, so if you lose one, you just use another to access your services. If you have 1, you need to use recovery codes (and people don’t save them).
A key for each service for each device is too impractical in real life.
Getting a new device would mean logging in to hundreds of services to link up the new device. Or somehow keep track of which services have keys with which devices. And signing up to a new service would mean having to remember to generate keys for a a handfull of devices, some of which might not be available at the time (like a desktop computer at home when you are out). Or you risk getting logged out if you loose the one device that had a key for that particular service.
I agree passkeys can make sense with something like BitWarden or KeyPassX. Something that is FOSS, and is OS and device agnostic, and let’s you sync keys across devices. And should have independent backups too. Sync is not backup.
This is a big one. Lock-in and the threat of provider blacklisting means it will remain a shortcut like SSO (“sign in with ____”) until we’ve established federated providers.On further reading, this may not be as far off as I thought. Passkey registration providers can be OS-level but browser and password manager based solutions were intended (overview from FIDO alliance). And it looks like KeePassXC has begun rollout of their own. If I’m reading correctly they currently “piggyback” off of an OS-based provider in various ways, so it’s not yet an end-to-end implementation, but these are early days.
You missed some disadvantages. For example the UX and complexity are terrible.
The passkey options I’ve come across so far are as close to push-button as I can imagine.
Do you mean from the developer perspective, like the complexity of the API/workflow?
Perhaps he means the process of setting it up. Or when it doesn’t work. Or when passkeys are lost. Or using another device. A lot of people’s complaints about passkeys aren’t really about when it works.
It’s valid I think, but also some people forget passwords can have similar experiences. For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever. The recovery process should be no different than losing your password.
I could see that. I’ve only found a few in the wild (mostly just enterprise, niche tech-related, and big platform web apps) but there’s probably some clunky implementations out there I haven’t suffered through yet.
For one, there seems to be this idea that if you lose your passkey you get locked out of your account forever.
True, plenty in this thread even. IIRC there’s usually a recovery key process same as a typical authenticator MFA, sometimes other routes in addition like combining multiple other MFAs or recovery contact assignment. Regardless, completely losing PW manager access across devices would presumably be the more immediate crisis for most.
