Passkeys might really kill passwords

Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation's cloud infrastructure, passkeys will remain a super hard sell for me.

You can use Bitwarden to store passkeys. Not sure if the self hosted solution has support for it yet though.
- I must admit that, despite reading about passkeys a bit, I still don't understand the actual practicalities. I seem to recall that Bitwarden can store keys, but can't generate them. If that's true, who generates the passkey?
- Vaultwarden does at least, I've been using it with passkeys for the last couple months and it's been great.
- 2024.1.2 released with self-hosted server passkey support.
  TBH though I would not trust myself to self host my keys to my digital life when the alternative is $40/year for the whole family. You may have a different perspective though.
- VaultWarden user here - yes you can now use your own self-hosted server to store passkeys and that's a gigantic game-changer. Just install the BitWarden add-on on a recent version of Firefox and voilà
I currently use Syncthing to keep my Keepass database updated on my phone, laptop, and home server. Any change anywhere is instantly sent directly to the other 2 devices.
- Yeah, I do the same but with nextcloud.
- this is the way
  you can even tweak folders to either send or receive only on some devices
  plus if you really want to be safe you can set file versioning and ignore deletes on a folder to make it strictly backup on more than one device
  no internet connection required, you can set it all on lan
  I think it is my favorite open-source project after Torvalds' creations
- Does KeePass support passkeys?
- Can you use SyncThing along with Nextcloud? I currently use Nextcloud to store my data, but the one part where it still lags a bit behind is on Android specifically (you need to manually sync certain changes).
Depends on where the line is as far as evil goes. Most of the popular password managers are now starting to support storing passkeys.
You can create passkeys on individual devices without cloud syncing them. This is a normal usage pattern. How exactly this will be handled depends on the implementation.
Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider
- That's something, but isn't half the benefit meant to be storing them in the TPM? Also, that won't help if you're logging into a game or app, surely? Would love to be wrong on that, of course.
Enpass stores the passkey in their db, can be used cross platform and has browser extensions and local (or WiFi) syncing.
KeePass
Self hosted password keeper
- I already use KeePass, but as far as I know it doesn't do passkeys, only passwords?

I didn't like that they interviewed a corporate PR person instead of a real security expert. Sorry but that lady is just deflecting and spinning and missing so many important details to promote 1password.

Generally like the verge but this one was a bit lazy ngl - was there really no neutral or open source expert available?

corporate PR person instead of a real security expert
That's called an advertisement.

If only companies wouldn't be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of "security". So what, keep using my password is safer now? Fucktards.

Many websites only allow creating a passkey on mobile for example. I also created passkeys on quite a few sites that straight up removed the feature a few days after. I also never found a site that let you completely remove password authentication after adding a passkey.
- Even on mobile they are asshats. I have my password manager registered as the passkey wallet in iOS, so creating a passkey in PayPal for example fails.
- Didn't allow me to create one because it doesn't meet the Google's security thing (unlocked bootloader).
  Fun

Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best passwords practices using managers.

Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use. If a site is hacked and they gain access to the public passkey you use to authenticate, it can’t be used to authenticate anywhere.
It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.
- there’s nothing you have to remember which makes it more convenient for you to use
  Unlike my devices, I always have my brain on me. Devices are much more easily lost or stolen than memories. I often might want to access sites using my account from third party devices which I don't want to be able to use my accounts when I'm not using them.
  I just can't understand how using passkeys (or password managers, for that matter, massive single points of failure that they are) is supposed to be in any way shape or form more convenient than simply remembering a passphrase (which can easily be customisable for each site using some simple formula so that no two sites will share the same but it'll still be trivial to remember).
  Both password managers and passkeys seem like colossal inconveniences and security risks to me when compared to passphrases, frankly. And if you want extra security there's always two factor authentication (with multiple alternatives in case you don't have access to one of them, of course; otherwise you might as well delete your account).
Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing).The site can also be hacked and have the passwords (or hashes of the passwords leaked), exposing that password to the world (a data breach).
With passkeys, the browser is the one checking that it's talking to the right site before talking by making sure the domain name matches. Passkeys also don't send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn't need access to the private key that the user has to verify the message so there's nothing sensitive for the site to leak.
In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying "this is me" and the site logs you in.
- So it sounds like basically it's just client certificates?

We shouldn't be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is overlapping features is what brings convenience and deterrence.

It's probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just 'password and something else'. Something like A,B,C are on the account and you can use A+B or B+C to login. It'd be great for those who don't necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.
That said, the way passkeys are typically used satisfy multiple factors at once:
Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database
Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
- Forget about biometrics, they are way too insecure.
  Our cameras have reached a stage where we can replicate fingerprints from photos. 'What you are' is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.
- SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?
Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.
Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.
Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.
The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…
- Honestly that’s cool as heck
- Was it like this?

What if I lose my phone? What if you steal my phone?

Bitwarden supports passkeys, which are stored in your bitwarden vault. If you lost your device, as long as you can still access your bitwarden account, your passkey should still usable.

I can login with the same passkey on Firefox and Chrome using bitwarden. Too bad it doesn't work on mobile yet.

Ok so 2fa is based on things you know (passwords) things you have (devices), and things you are (biometrics).

I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it's stolen the attacker can't access all of my accounts).

Passkeys are protected by either your device's password/passcode (something you know) or your device's biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).
The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.
- People can only remember a limited number of passwords without resorting to systems or patterns.
  People also don't have a backup device though.
wouldn’t it be 3fa with biometrics also ? Thanks for your explanation btw
- Ideal MFA:
  Something you have.
  Something you know.
  Something you are.
  If getting married, add:
  Something blue.

Glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.

There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.

But that's just Apple's ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren't. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.

Passkeys in their current iteration are "better" than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.

Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.

I'm not saying passkeys are bad, but I'm tired of the marketing overstating the security of the thing. Yes, it's much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.

But that's just Apple's ecosystem
Apple isn't the only one allowing redundancy, most popular password managers allow you to lose all your devices and still have passkeys securely stored in the cloud. And people who don't even know that password managers exists, aren't going to the early adopters of passkeys.
- I'd anticipate that most providers will do something similar. I just mentioned Apple because they've been pushing their "cloud backup" hard while still using SMS as a fallback.
  I'd be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.
So you really need two independent devices with their own passkeys to back each other up.
- Not sure exactly what you're getting at, but any authentication model must be designed with the assumption that a user can lose all their devices, passkeys included. That's where fallbacks come into play. Even with Apple's system, you can recover your keychain through iCloud Keychain escrow, which (according to their help page) uses SMS:
  To recover your keychain through iCloud Keychain escrow, authenticate with your Apple ID on a new device, then respond to an SMS sent to a trusted phone number.
  While SIM swaps aren't super common, they're not the most difficult attack. Passkeys are strong against direct attacks, for sure. But if I can reset your account using a text message sent to a device I control, is it really that much more secure?
My view is that for most people who still use bad passwords it will be a huge upgrade. So even though I use super strong passwords, every service and bank has extra security features because they must cater to simple passwords. So you have to check your email for a stupid code and shit. Or worse, give them your phone number!! Which is an outrage because it's linked to my government id!!!
Passkeys raise the lowest security ceiling, meaning there should be less checks needed. That's what I'm excited about lol.

Passkeys feel so much more worse. It becomes one central point to lose everything.

it's objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn't sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days
- And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.
- Exactly, which is why passkeys are so good.
It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it's very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.
If you already have a central point to lose everything in the form of a password manager, is it any worse? What's the difference between a random password stored in your password manager that you don't remember versus a private key stored in your password manager that you're not expected to remember? You've always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That's an improvement over the system we have now.
And for those that don't have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.
- I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it's encrypted (well, as long as the master password is strong enough)
- I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can't hack a paper. On the other hand, like some other person wrote, it's incredibly easy to break your phone screen and then you're screwed until you can fix it.
A huge amount of people use the same password everywhere.
It's much easier for someone to get your password than your phone.
- And it’s much easier for me to lose or break my phone than it is to lose my password.

I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you're paranoid you might prefer rolling your own with Keepass but for most people that's going to be a lot of work. I think 1password's model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don't even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

Just a heads up for anyone, bitwarden can be self hosted using vaultwarden. All of the bitwarden apps and extensions will work.
Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.
- I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.
Is keepass really a lot of work though? If you use xc you have a client that works in windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There's no accounts to create, you just download and go.
- It's definitely more work than just buying the service from someone that has a ready made app. I don't think it's a thing I would recommend to, for example, my parents. I know xc has some sort of form fill thing but it's not nearly as nice as the browser plug-ins made by the various password manager vendors.
- KeepassXC works on Mac, too and there's KeepassDX for Android.
Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It's based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.

For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞

Yeah, I get some people prefer that format, but I'm going to skip any article that's just a link to a recording.

Eh... No, thanks.

No.

That adds nothing to the conversation.
- Just my disdain for the idea that passwords will ever go away 😹

Tuta mail keeps prompting me for a passkey, and I don't know where to get what it wants. So I basically can't use it.

@Tutanota@mastodon.social

Will I be able to export/import a PassKey from a device?

By default the big three (Chrome, Safari, Edge) store them via their normal syncing processes (Google Passwords, iCloud Keychain, Edge's password manager). If you use a different password manager (e.g. Bitwarden) it's handled by their normal processes (cloud, syncing a database file, etc). I don't believe there is a way to export a passkey from most of these at the moment but you can almost always have multiple passkeys attached to an online account so you can always just add your new password manager to your account as another passkey.
There is a way to use a key backed by the hardware that is not exportable such as using a TPM or a physical USB security key but I believe that most are pushing the synced ones for the convenience of the end user.
Bitwarden plans to implement that.

This is the best summary I could come up with:

It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly.

But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys.

On this episode of The Vergecast, we bring in an expert: Anna Pobletts, the head of passwordless (best title ever?)

She’s convinced that passkeys are the future but also has some ideas on the right (and not-so-right) way to get started.

Vee weighs in on Fossil’s exit from the market, the rise of the smart ring, and much more.

If you want to read more on everything we discuss in this episode, here are some links to start with, beginning with passkeys:

The original article contains 241 words, the summary contains 131 words. Saved 46%. I'm a bot and I'm open source!

The way I intend to handle this is with my keypass password manager since the file database has to be synced manually. The way I handle this is one copy of the database lives on my phone, which is my primary device. Then I copy this database to a flash drive, and then copy it to my laptop. The update process goes something like update the credential on my phone and then a few months later, during my scheduled backup routine, copy the database to the flash drive and then copy the database over to the laptop. So the most I could lose is a few months worth of data instead of all of it. If my phone is ever stolen, I still have a copy of the database on both the flash drive and the laptop, which at most might be a few months out of date, but nothing severe.

I use Syncthing to automatically keep the database up to date and usable on all of my devices. Autotype on PC is such a nice feature I wouldn't want to miss (and it increases security on top of that).
- Syncthing is a good option too.
I just use Bitwarden and all that shit happens automatically.
- I know my way is quite unconventional, but I don't rely on any clouds whatsoever. If I lose my data, it's my damn fault.

People are making things more complicated than they already are. I simply keep my passwords and passphrases inside my memory.

P.S. My password is not 'Password123456'

There's no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.
You either have to write it down, save it in a password manager, reuse passwords, or have simplified passwords or patterns.
- My vote is password manager. You can use 1 really good password for it and as many stupidly good passwords anywhere else since youre likely auto filling or pasting it in.
  Just if your using it locally, remember to take a backup.
- There's no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.
  Passphrases with a simple formula to make them unique for each site.
  You just have to remember the formula, you get a strong unique password for each site.
  Easy and safe, and doesn't tie you to a single point of failure like a specific device or a password manager.
  Add two factor authentication on top (with multiple options, of course, otherwise you'll get locked out once you inevitably lose the second authentication method), and you can even safely use it from third party devices which you don't want to remember how to access your accounts.
- Assuming you have a strong base password you aren't concerned with being broken, you can use that, followed by a unique identifier for what you're logging into, so every password is essentially the same, but also unique. Something like, translate the lyrics to a song (say without me by Eminem) to first letters and punctuations, 2tpggrto,rto,rto, and add the identifier.
  2tpggrto,rto,rto-goog 2tpggrto,rto,rto-faceb
  This is essentially how I manage my passwords that I want to actually remember. Just make sure you're not SUPER obvious with how you make the identifier, perhaps -g0og or -f4c3b0ok. And no, I don't use that song lol.
How do you remember 70+ different password+username combinations?
Or do you just re-use passwords....
- I have a system of pattern for every new password. So I just have to remember the pattern of things (a pseudo algorithm) that I use to generate new password. I won't say that it's uncrackable. But, works for me. And I don't think anyone care enough to go after my passwords.
The real solution is to only remember one or two passwords and have widespread oauth adoption. Instead of having to sign up with every possible website and app, I should only need a couple of google/Facebook/apple/steam/github/Amazon/PayPal/whatever.
- But we need one that isn't using our logins to track where/what we are doing.

Vendors will use passkey implementations as vectors for lock-in. Guaranteed. Workplaces need to accept BYO.