Please, please, please stop using passkeys for encrypting user data

14 points | timmyc123 | 3 days ago | blog.timcappalli.me

11 comments

markhahn | 1 day ago

Maybe I'm not getting it. Doesn't the problem start with ever deleting a passkey? That is: how do you ever know you don't need it anymore?

Also, what is the alternative? Just a password that you store in the vault? Seems like deleting those gets you back to the same place (with all the disadvantages of a plain password).

code-e | 3 days ago

What's the difference between keeping a passkey in bitwarden, and just using a password, also in bitwarden?

zetanor | 3 days ago

Mainly that a service can't refuse passwords from Bitwarden, whereas in a few years you'll find yourself reading an article about how a bank in Luseristan has decided to require that their users sign in using Passkeys stored in an attested authenticator (not Bitwarden) running on an attested device (not any current Linux desktop).

DANmode | 3 days ago

Your mom uses Bitwarden?

apothegm | 3 days ago

Not to mention the challenges when (gasp!) a single user uses more than one device. Like, yes, some of us have both desktop computers and phones, thanks for asking.

This is why I refuse to let most sites set me up with passkeys. I’m considering making exceptions for the ones that usually get this stuff right (like GitHub).

timmyc123 | 3 days ago

Not sure what you mean. In most cases, passkeys sync across your devices.

pabs3 | 3 days ago

Just add more than one passkey to your account?