Passwordless - Passkeys

Soldato | Joined: 1 Nov 2004 | Posts: 5,142
Opinions, are they fit for purpose yet?

From a quick read around, some people find it daft that you still need to sign up to some sites with the conventional username, password and mobile number to access the Passkeys.
 
I use Yubikeys for my important accounts. One on my keyring, one on my desk.

For less important stuff I'm fine with using FaceID passkey on my phone.

Anything is better than username/password/phone.
 
When I first got an iPhone with Face ID I was blown away with how handy they are.

I use Bitwarden to manage everything and it’s seamless. Are they fit for purpose? I hope so :D
 
I think Apple (iOS and MacOS) is still the only platform that has a pretty decent implementation.

Google, I wouldn't trust them. Google Password Manager decided to nuke my passkeys for no apparent reason: https://redd.it/1fkuwb7

Bitwarden is pretty good now for a cross-platform solution. But consider that since you're now storing your passkeys in a service which is automatically synced to all your devices, on the surface this seems to be less secure than a traditional password manager + 2FA authentication app. If all my passkeys are in Bitwarden, now if my Bitwarden account is compromised the attacker immediately has the passkey and can log straight into services. Before, if my Bitwarden account were compromised, then they would also need to steal my physical phone where my 2FA authentication app was, because those tokens were not automatically synced anywhere. You can probably try to replicate that with passkeys, but pretty much every service is pushing you to sync between devices automatically.
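To make the trade-off in the post above concrete, here is an added example (not code from the thread, Bitwarden, Yubico or Apple) that simulates a passkey login the way WebAuthn structures it: the site sends a challenge, the authenticator signs the challenge together with the origin the browser observed and the hash of the relying-party ID, and the site checks all three before trusting the signature. The `Authenticator` type stands in for wherever the private key lives, whether a hardware key, a phone or a synced vault; a second `Authenticator` sharing the same key logs in just as well, which is exactly the poster's point about synced stores. The relying-party ID `example.com`, the origins and the challenge strings are constructed values; real authenticator data also carries flags and a signature counter, which are left out here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the fields a browser places in clientDataJSON.
// The browser, not the page, fills in Origin, so a site cannot lie about it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for wherever the private key lives (hardware key,
// phone enclave, synced vault). Whoever holds priv can produce assertions.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party the credential was registered for
}

// Assertion is what the relying party receives on login.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) in this simulation (flags/counter omitted)
	Signature      []byte // ASN.1 ECDSA P-256 / SHA-256 (ES256)
}

// NewAuthenticator registers a fresh per-site key pair.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is what the relying party stored at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage is the digest both sides sign/verify: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign produces an assertion for a challenge, stamping in the origin the browser observed.
func (a *Authenticator) Sign(challenge, observedOrigin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := rpHash[:]
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify is the relying party's side: every check must pass, not just the signature.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("not a login assertion")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q does not match %q: rejected", cd.Origin, origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData, rpHash[:]) {
		return errors.New("credential belongs to a different relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator("example.com")
	if err != nil {
		panic(err)
	}
	pub := auth.PublicKey()
	as, _ := auth.Sign("challenge-1", "https://example.com")
	fmt.Println("genuine login:      ", Verify(pub, "example.com", "https://example.com", "challenge-1", as))
	fmt.Println("replayed assertion: ", Verify(pub, "example.com", "https://example.com", "challenge-2", as))
	// A second device holding the same synced private key is indistinguishable to the site.
	synced := &Authenticator{priv: auth.priv, rpID: auth.rpID}
	as2, _ := synced.Sign("challenge-3", "https://example.com")
	fmt.Println("synced-copy login:  ", Verify(pub, "example.com", "https://example.com", "challenge-3", as2))
}
```

The origin and challenge checks are what make a passkey resist phishing and replay regardless of where the key is stored; the last case in `main` shows the flip side the post describes: the relying party cannot distinguish a legitimately synced copy of the key from one taken out of a compromised vault, so the vault's own protection (master password, unlock factor, device trust) is what carries the account's security.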
 
Bitwarden here also, and Yubikeys for important and key accounts.

Still using 2FA also, and Aegis for that.
 
Unless things have changed recently, I see that PayPal has annoyed Yubikey users as they only allow a single key to be used.
 
I think Apple (iOS and MacOS) is still the only platform that has a pretty decent implementation.

Google, I wouldn't trust them. Google Password Manager decided to nuke my passkeys for no apparent reason: https://redd.it/1fkuwb7

Bitwarden is pretty good now for a cross-platform solution. But consider that since you're now storing your passkeys in a service which is automatically synced to all your devices, on the surface this seems to be less secure than a traditional password manager + 2FA authentication app. If all my passkeys are in Bitwarden, now if my Bitwarden account is compromised the attacker immediately has the passkey and can log straight into services. Before, if my Bitwarden account were compromised, then they would also need to steal my physical phone where my 2FA authentication app was, because those tokens were not automatically synced anywhere. You can probably try to replicate that with passkeys, but pretty much every service is pushing you to sync between devices automatically.

Best thing about Bitwarden is you can also store your 2FA seed on that also to let the attacker have extra easy access! :D

Anyway, yeah I've started to use passkeys on a couple of services - mostly to stop it bugging me to generate them.

I've found them to be largely pointless since I was using biometric unlock on Bitwarden, but what they do seem to be better at is being more seamless in knowing what services they are applicable to.
 