Passkeys have way too many footguns for me. If I use my phone to sign in I'm going to accidentally create a passkey there on iOS embedded webview. When I use Google Chrome, the website won't give me any information for me to find where I stored the passkey. Was it in iOS keyring? Chrome? My Bitwarden? If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.
I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.
> I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.
My only "good" solution for passkey UX is to make sure all my devices are Apple. Apple's password/keychain integrates reasonably well enough with Chrome, I can share passkeys with my cofounder easily in shared folder (he is also all-in on Apple ecosystem) and I can share passkeys with my work computer (different AppleID) for low-stakes things like news websites or Amazon.com (I work in IT security for the org, so I know exactly how much I can trust my employer)
I do also use Linux and Windows personally, and the passkey story is much worse there, particularly for Linux which doesn't seem to play well with my Yubikeys. Luckily, a lot of websites seem to have a "Scan this QR code with your iPhone" feature to complete the passkey authentication.
I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.
When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.
Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes i can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.
I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.
Passkeys on iOS and macOS actually work quite well in that regard. They get stored in your provider of choice across the web, web views, apps etc., at least in my experience.
Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise.
For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers.
Yup. I hate them. I get the problem they're trying to solve, it just seems like I have more work to do... and I honestly don't even follow what is going on sometimes.
I recently moved to a new computer and it's just an AUTHHELLSCAPE.
I just use iOS' wallet for all of it, the only exception being if its something I 100% need to open outside of my iphone / macs. Then I go for BitWarden, turns out I dont need any apps to open outside of that sandbox, I am okay only opening these up on Mac. I can always type my password on Linux. That's what bitwarden is for anyway.
Embedded webviews are the stupidest thing ever. Yesterday I got halfway through a checkout process, had to go back to another app to check something, and then the webview simply disappeared so I didn't bother finishing the checkout. This was on Android
Usually I open it in Chrome but for some reason I didn't realize it was a webview this time
>If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.
The problem is not with passkey rather system such as iOS keeps a tight lid on how files are uploaded and retrieved from the device. There is a real disconnect between desktop and mobile file system now days.
For this reason I am avoiding it like a plague. It is an additional way to fingerprint your activity and the scenarios where you migrate your passkeys from a device to another seems not really well "oiled"
This story of a user deleting their passkey doesn't seem plausible to me. They don't remember why they have a specific passkey for a messaging app? Surely recognizing the app that stores so many memories is enough not to delete the passkey. And why are they "cleaning up" their passkeys in the first place? Yes I put "cleaning up" in quotes, this metaphor, suggesting that a long list of unused passkeys is dirty in some way is inappropriate.
If an app has a billion users, how many do you expect will delete their passkey for no reason? Is this more important then end-to-end encryption for everyone?
If deleting one's passkey for no reason was a thing, I'd expect a real story about a real user, rather then a made-up scenario.
The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.
This past weekend I watched as my mom discovered the password manager in Chrome, and started deleting every entry she couldn't immediately recognize. "Why is this here? I don't need this"
Despite me pleading that they got there for a reason, and takes zero storage, she was confident she didn't need these passwords. So I can totally see her deleting passkeys; my mom is basically Erica, there need to be very explicit implications stated for every action presented and not assume innate understanding
It's more likely for them to accidentally be deleted (or otherwise lost access): in my experience approximately zero users actually understand where their passkeys are stored, and they can be all over the place: the number one question I get is 'why can't I log in?' because they've accepted a passkey setup dialog on one machine without really reading it and now can't log in on another. Sometimes it's on the same machine but in different contexts. No passkeys should be considered something that the average user is going to reliably hold onto (in large part because the industry has been so keen to foist them on users but not very keen at all to educate them on how they work. This also makes them a lot less useful from a security point of view because it means you can't get rid of the recovery process, which tends to be the weaker link).
I consider myself pretty sophisticated with passkeys (I wrote a toy implementation of WebAuthN once to understand them better), and yet I still get tripped up by this sometimes: Not via intentional deletion, but accidental overwriting.
As far as I understand, there are several ways to enforce per-account passkey uniqueness via WebAuthN, but every once in a while, some site will somehow not realize that I have a passkey for them available already, they will offer to create a new one for me, and my password manager (Bitwarden) will do this by overwriting the old/existing passkey.
Now consider a synchronization hiccup (updating my password manager storage and the relying party's backend is not atomic), and I could totally see my passkey get lost.
the problem so far is UI and incompatibility across devices, OSes etc.
I am a big fan of Passkeys and the idea of using PRF for E2E encryption, but I wouldn't implement that as now, there is almost zero control over where those passkeys are, how I can recover them, how I manage them. Whenever I have to switch computer (mandatory policy at work), or phone (mandatory obsolence) or if I want to work across OSes (Mac for work, Windows for fun), everything falls apart, incomprehensible interfaces, inexistent transparency and control. And I'm a pro user that has actually studied how the standard works.
I'm afraid that it'll take some few more decades before we will get rid of passwords, if ever.
Mom can't figure out what they are or how to use them. They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck (yeah yeah multiple devices and paths to auth and backup codes, none of that matters). It's one further step down the attested hardware software and eyeballs path. Passwords forever, shortcomings be damned.
> As of October 2025, passkey login has been fully rolled out and is now required for members with Health Savings Accounts (HSAs) and Reimbursement Accounts (RAs) who use the HealthEquity Mobile app and web experience.
The FAQ is a little misleading by saying WHEN your account has a passkey this and that, but reality is that after October they made them completely mandatory, no bypass, no exceptions. 100% coverage.
Oh, and by the way, passkeys have been broken on PC/Linux when using Firefox for months:
> There Was A Problem: We encountered an error contacting the login service. Please try again in a few minutes.
Neat. You have to use Chrome or Edge.... For months, after making it mandatory...
>They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck
This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just setup a new one.
And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.
Also a password could be the passkey, the passkey protocol is basically a way to send to a server an authenticated public key. The client could deterministically convert passwords to key-pairs and authenticate with those
Nothing in this post is specific to passkeys; it reads like advice to not encrypt data. There’s no way to prevent some users from losing their encryption key anyway. Whatever warnings you include, even when software doesn't connect to the internet and just encrypts local files, someone will write to support that they forgot their password and ask you to "reset" it.
How many people are doing a spring cleaning of unused passkeys in their password managers? We're talking like a kilobyte of data, nobody needs to delete these things in any kind of normal circumstance.
Sure, it would be great if users would store 5 copies of their encryption keys, with one in a lockbox on the bottom of the ocean. But that's just not going to happen at any kind of scale, so an automatic way of putting encryption keys in a replicated password manager makes sense. And compared to how people normally handle end-to-end encryption keys, it's going to result in a lot less loss data in practice.
I don't know about spring cleaning, but it's pretty easy to delete by accident if you connect to the browser or OS when setting up instead of the password manager.
That said, I've been assuming I could have multiple passkeys per site and that's turning out to not always be something websites behave sanely about.
Most password managers implementing passkeys only allow one passkey per account entry, and I've ended up with multiple passkeys per site, while the site only supports one (and deletes the others upon creating a new one), so I've been in the exact situation of not knowing which entries are safe to delete before.
This is usually due to relying party and possibly password manager bugs, but it does happen.
I thought the point of passkey security is that you don't have to send the private key around, it can stay on your device. Different passkey per device. Lose or destroy a device, delete that passkey and move on.
> "Even if there were explanatory text, Erika, like most users, doesn’t typically read through every dialog box, and they certainly can’t be expected to remember this technical detail a year from now."
Passkeys are a step in the right direction, ironically for the exact reason the author advises caution. We've been telling people to "store your backup key somewhere safe" for the best part of a decade now, and your average Erika hasn't got on well with that at all. Locking themselves out and losing data left, right and centre.
If you've worked at any kind of scale you'll know well that a certain percentage of users will lose their data with E2EE, full stop. It's just different from everything else they've ever used. These are the same people who'd be lost without the "forgot password" link, and there's no shame in that. That's just the reality of it. And passkeys can help people like this to not lose their keys.
If the product is truly E2EE, the best options right now are the passkey implementations baked into Chrome or Apple. Windows, as ever, needs a bit of work, but the password managers seem to be picking up the slack well enough. We also need to educate people that with true E2EE there is no "forgot password" email. Passkeys and the tooling around them still have a ways to go, but we're getting there.
If the user deletes passwords they're shown the same exact message. The only saving grace for passwords is that you can remember them, but are you also suggesting to not use generated passwords?
I think the distinction is that a passkey is meant to be used for authentication (logging in), and is usually not the only way you can authenticate. If you delete your password, passkey, or 2FA method, you can still go through a "forgot password" flow.
Encryption is different. If you encrypt data with a generated password and then delete it, you're toast, and passkeys are no different. I think the author is arguing that users may not even realize that the passkey itself is needed to decrypt, possibly because they're so associated with login.
Generated passwords can be useful, but they come with challenges like management and security. It's better to adopt approaches like password managers or biometrics to enhance usability while maintaining security.
This is why I haven't started using passkeys. Managing them is looks complicated and I don't understand the ramifcations of what I'm doing.
Also a style nit, it's OK to use "he" or "she" pronouns in a contrived narrative. The "they/their" usage really detracted from the clarity of the example.
It's obviously okay to use he or she - not sure why it wouldn't be. I'm confused why you have a problem with the author's choice not to - I don't see any clarify issues caused by it.
I don't think I would have even realized why I felt tension reading if you hadn't mentioned this. They/their wasn't confusing at all but, giving the hypothetical user a name was the weird part. I realize now I was expecting some other user to enter the scenario the whole time. Alice and Bob style. When I got to the end, I felt like I missed something. If there's just one, "the user"/"they"/"their" is fine.
Security is important, security is important, security is important — I keep emphasizing this point.
But for me, that statement only really applies to people who genuinely understand security.
I personally bought two YubiKeys, understand the associated risks, and store my credentials on those YubiKeys.
However, many people today do not realize the risks involved. They casually store these things in places like a keyring and then never manage them properly.
That does not necessarily mean they are secure. On the contrary, it can become another kind of danger, because once you start using passkeys, the level of access and authority tied to them is significant. If they are lost or leaked, the consequences can be disastrous.
I am glad to see that the industry is paying more attention to security, but at the same time, I believe these more specialized aspects should be aimed at people who actually have the relevant expertise.
Passkeys do have a learning curve. For ordinary users, they often just click through a few prompts and end up binding themselves to a system without really understanding what happened.
On top of that, with modern systems relying on encryption and TPM, once a computer runs into serious problems, many people simply have no way to recover their data.
For the average user, 2FA is already sufficient.
It is conundrum that passkeys were designed to help the majority as they are frictionless (like passwordmanagers etc) but fail in reality.
Even those that have 2 devices they don't have them all the time.
Another overlooked issue is that some banks etc don't allow for 2 devices as login or 2FA. Even if it allowed one needs to keep the spare device always updated. Either Govt needs to build a common API that one can use directly through google pay or apple pay - so that only one app is needed to be kept up to date.
to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them - but at least then if I lose the phone - and I show my ID they should allow me to setup my new phone. But that is also not possible. (I am discounting the awful AI bans)
You're thinking about hardware authenticators, not Passkeys. Passkeys are definitionally synchronized and backed up in the cloud (otherwise you just have a sparkling WebAuthN authenticator).
Proprietary clouds and sync backends create their own set of problems, but they do solve the availability issue of always having to register at least two different security keys with each service.
> to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them
That's exactly what you can do today!
> I show my ID they should allow me to setup my new phone.
You have to show them your phone number, which for better or worse is our age's "showing ID", but then you can indeed get back in.
Somewhat related, i recently ran into the issue, after i created an account on Confer.to [1] on my Desktop, i couldn't login on my iPad / iOS with Proton Pass and/or Bitwarden.
The error message was: "Error: "Authenticator did not return a PRF result — this passkey probably isn’t PRF-capable."
So i now have an account, but can only use it on my Desktop.
(can't change to a password login either, it's Passkeys only...)
[1] end-to-end encrypted AI, developed by Moxie Marlinspike, the founder of Signal: https://confer.to/
Sounds like the website did a shitty job at implementing passkeys. I’ve read through the guides and done it myself and yes there are a lot of gotchas and they’re all avoidable.
Passkeys to me come across as a part solution to a valid problem. Education is part of the solution. Treating the user as too dumb to understand why they need strong passwords or passkeys is important.
I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.
I use passkeys from keepasxc because the native workflow for passkeys is opaque and easy to misunderstand what you are actually doing. And it's predicated on having an account with big us tech companies.
> I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.
Both iOS and Android sync passkeys to their respective cloud accounts by default. (Of course, losing access to that account, sharing one across family members and causing confusion etc. are still concerns.)
The real problem is lock-in, as this effectively often prevents entire families from switching from iOS to Android or vice versa. I'd encourage anyone managing their family's tech setup to pick a platform-agnostic passkey implementation such as 1Password or Bitwarden for that reason.
Maybe we could add an extension to webauthn that adds a reason to a passkey. Then, the credential manager can warn the user better why deleting the passkey would be a bad idea.
This give much more conscious control to the user knowing that they are explicitly encrypting which file with which passkey. Additionally, you can just download the page and serve it via localhost so that you always have control of the relying party for your passkey.
Probably everything else is debatable, I do agree with one thing though, the cat is indeed out of the bag. It would have been probably a really good use case if the scope was limited to only hardware based security keys for enterprise users only.
Rolling it out for OS platforms, software based authenticators just muddies the water. You cannot even provide any guarantees around it being phishing resistant anymore.
I love the idea of hardware keys, and would absolutely use them for the essential stuff (email, domain registrar, bank) but they're just too expensive, while plain old TOTP 2FA is free and provides 99% of the benefits for my use case. TOTP also has a much better workflow in my experience, but this isn't that big of a problem for the things I'd consider essential, but it would be annoying if I were to use a hardware key for everything.
I can buy 6-8 physical keys for the front door of my house for the cost of one Yubikey. Even though there are options at half price, that then gets eaten into by the need to have two or three of them, since a backup is not optional for this sort of use case. I can't imagine convincing one's parents to buy 'a key for your email account' will be easy when the old way mostly 'worked fine' and was free, meanwhile the new one will cost them a non-trivial amount of money. It's an easy flow if you're their sysadmin, but I wouldn't want to throw my parents into the deep end of hardware keys and have to explain to them that they don't need the expensive one, but still have them be discouraged by the mere existence of 100+ dollar options for what should be damn-near throwaway hardware.
Passkeys somehow manages to have a worse workflow than both though.
I was looking into this to start using this. Because it’s quite user friendly to not let the user worry about all the details that involve encryption of data.
I guess informing them is a good way to start. Are there any other tips on how this can be improved?
On a similar note mooltipass can export an encrypted backup of passkeys.
That said platform should support multiple passkeys so if you lose access to one you arent screwed over.
Another way to say this is that you have to have an account recovery process and you need to think about how your encryption interacts with account recovery.
Is it possible to disable passkey support in Chromium and have it tell websites that feature is unsupported? So you no longer get prompted to create them? (On a global or per-site basis)
I don't want any cloud service to be my passkey provider. I'm not comfortable establishing that kind of dependence on a company I don't trust.
I'd be content to keep passkeys in a datastore that I control, and which I can inspect and manage on my own (including backup, restore, and ideally even daily migration to a "hotspare" device).
As more websites adopt passkeys, I find myself continually being nagged to adopt them. Although their intent is benign, the companies use dark UI patterns like not respecting my choice after I've said NO (there isn't a "Never" option, just a "Skip for now"), and they continually shove the unwanted reminders in my face every time I login.
My concern is eventually I'll accidentally hit the wrong button and create an unwanted passkey that's now tied to my machine/cloud account/vendor service in a way I don't control. I'm fact, I'd bet product managers are counting on that manipulation (nag the user until they concede) to brag about adoption rates and get raises.
My browser is supposed to me my agent, so I think it's a valid question - and related to this topic - to ask if there's a way to turn off the unwanted functionality.
> What we actually need is for the WebAuthn spec to include a signal that tells credential managers "this passkey is load-bearing for encryption, not just auth" so they can surface appropriate warnings before deletion. Right now credential managers treat all passkeys identically.
This feels more like CYA/shifting the blame for me. If a service is designed so that I will lose all my data if I lose the passkey, then a "yo, don't lose that passkey, like, ever!" warning is the minimum, but doesn't solve the problem.
I found the initial suggestion "don't ever use passkeys for encryption of persistent data" more reasonable.
(Or what the sibling comment describes: Design the encryption in such a way there is an alternate key that could be used for decrypting)
I think the idea behind PRF was something like "use this as one of several keys", never as "use this the only key". I don't think this was explicitly called out in the specs, though.
> this passkey is load-bearing for encryption, not just auth" so they can surface appropriate warnings before deletion
That sounds like a reasonable idea, but still doesn't help with the case of a completely deleted/destroyed authenticator, e.g. a lost Apple/Google account or Yubikey.
The only viable solution to me for mass adoption is restricting (by recommendation, since there's no way to programmatically enforce it) PRF to scenarios where it's only one out of several ways to get access back. Some password managers do this, e.g. they encrypt their master secret under a PRF-derived key, but this is not the only way/place to get to the master secret, and they also encourage printed key backups etc.
100% of the arguments against using passkeys for e2ee data apply to using passkeys as credentials.
(Unless they are not credentials, and you can loose them then do a password reset via a phishing prone channel like email and SMS. Supporting this eliminates any possible user benefit of passkeys.)
In addition to the arguments in the article, when used as credentials, they are an obvious trojan horse allowing large websites to completely hijack your operating system.
Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android. This is where passkeys are taking PCs, and it is their only purpose.
> Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android.
What does root detection and other device attestation have to do with passkeys? Passkeys (at least Google's and Apple's) don't support device attestation.
arjie|1 day ago
I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.
nerdsniper|5 hours ago
My only "good" solution for passkey UX is to make sure all my devices are Apple. Apple's password/keychain integrates reasonably well enough with Chrome, I can share passkeys with my cofounder easily in shared folder (he is also all-in on Apple ecosystem) and I can share passkeys with my work computer (different AppleID) for low-stakes things like news websites or Amazon.com (I work in IT security for the org, so I know exactly how much I can trust my employer)
I do also use Linux and Windows personally, and the passkey story is much worse there, particularly for Linux which doesn't seem to play well with my Yubikeys. Luckily, a lot of websites seem to have a "Scan this QR code with your iPhone" feature to complete the passkey authentication.
snailmailman|1 day ago
When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.
Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes i can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.
I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.
lxgr|1 day ago
Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise.
For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers.
duxup|1 day ago
I recently moved to a new computer and it's just an AUTHHELLSCAPE.
shaky-carrousel|1 day ago
cedws|1 day ago
https://cedwards.xyz/passkeys-are-not-2fa/
giancarlostoro|1 day ago
weird-eye-issue|1 day ago
Usually I open it in Chrome but for some reason I didn't realize it was a webview this time
ezfe|1 day ago
This is not an issue on iOS, I can’t tell how what you’re describing could happen.
zenmac|1 day ago
The problem is not with passkey rather system such as iOS keeps a tight lid on how files are uploaded and retrieved from the device. There is a real disconnect between desktop and mobile file system now days.
EnPissant|1 day ago
madduci|1 day ago
amadeuspagel|1 day ago
If an app has a billion users, how many do you expect will delete their passkey for no reason? Is this more important then end-to-end encryption for everyone?
If deleting one's passkey for no reason was a thing, I'd expect a real story about a real user, rather then a made-up scenario.
The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.
petee|1 day ago
Despite me pleading that they got there for a reason, and takes zero storage, she was confident she didn't need these passwords. So I can totally see her deleting passkeys; my mom is basically Erica, there need to be very explicit implications stated for every action presented and not assume innate understanding
rcxdude|1 day ago
lxgr|1 day ago
As far as I understand, there are several ways to enforce per-account passkey uniqueness via WebAuthN, but every once in a while, some site will somehow not realize that I have a passkey for them available already, they will offer to create a new one for me, and my password manager (Bitwarden) will do this by overwriting the old/existing passkey.
Now consider a synchronization hiccup (updating my password manager storage and the relying party's backend is not atomic), and I could totally see my passkey get lost.
dariosalvi78|1 day ago
I'm afraid that it'll take some few more decades before we will get rid of passwords, if ever.
Telaneo|1 day ago
The same reason they're cleaning up their Windows or system32 folder.
akersten|1 day ago
Better title.
Mom can't figure out what they are or how to use them. They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck (yeah yeah multiple devices and paths to auth and backup codes, none of that matters). It's one further step down the attested hardware software and eyeballs path. Passwords forever, shortcomings be damned.
Someone1234|1 day ago
https://www.healthequity.com
> As of October 2025, passkey login has been fully rolled out and is now required for members with Health Savings Accounts (HSAs) and Reimbursement Accounts (RAs) who use the HealthEquity Mobile app and web experience.
https://help.healthequity.com/en/articles/11690915-passkey-f...
The FAQ is a little misleading by saying WHEN your account has a passkey this and that, but reality is that after October they made them completely mandatory, no bypass, no exceptions. 100% coverage.
Oh, and by the way, passkeys have been broken on PC/Linux when using Firefox for months:
> There Was A Problem: We encountered an error contacting the login service. Please try again in a few minutes.
Neat. You have to use Chrome or Edge.... For months, after making it mandatory...
jesseendahl|1 day ago
This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just setup a new one.
And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.
reddalo|1 day ago
It's super sad to see all kinds of websites offering you to add a passkey when you log in.
mgrandl|1 day ago
utopiah|1 day ago
Isn't it why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?
Sure someone can steal your phone/laptop/yubikeybio but then you can use the NitroKey you have at home in your drawer to recover your account.
pabs3|1 day ago
afiori|1 day ago
lxgr|1 day ago
Then don't use Apple's/Google's/whatever Gaia is as your passkey provider?
> Mom can't figure out what they are or how to use them.
Then do something nice for your mom and set her up with Bitwarden, 1Password or KeepassXC, which prevents the platform lock-in.
> It's one further step down the attested hardware software and eyeballs path.
None of the synchronized passkey implementations, which big tech has been pushing lately, support attestation, so this is just FUD.
Yubikeys do, but fortunately they don't seem to have the (non-enterprise) weight to make it mandatory for all passkeys.
dchest|1 day ago
Good advice at the end, though.
shepherdjerred|1 day ago
orbital-decay|1 day ago
johncolanduoni|1 day ago
Sure, it would be great if users would store 5 copies of their encryption keys, with one in a lockbox on the bottom of the ocean. But that's just not going to happen at any kind of scale, so an automatic way of putting encryption keys in a replicated password manager makes sense. And compared to how people normally handle end-to-end encryption keys, it's going to result in a lot less loss data in practice.
Glyptodon|1 day ago
That said, I've been assuming I could have multiple passkeys per site and that's turning out to not always be something websites behave sanely about.
lxgr|1 day ago
This is usually due to relying party and possibly password manager bugs, but it does happen.
bo1024|1 day ago
seanieb|1 day ago
Passkeys are a step in the right direction, ironically for the exact reason the author advises caution. We've been telling people to "store your backup key somewhere safe" for the best part of a decade now, and your average Erika hasn't got on well with that at all. Locking themselves out and losing data left, right and centre.
If you've worked at any kind of scale you'll know well that a certain percentage of users will lose their data with E2EE, full stop. It's just different from everything else they've ever used. These are the same people who'd be lost without the "forgot password" link, and there's no shame in that. That's just the reality of it. And passkeys can help people like this to not lose their keys.
If the product is truly E2EE, the best options right now are the passkey implementations baked into Chrome or Apple. Windows, as ever, needs a bit of work, but the password managers seem to be picking up the slack well enough. We also need to educate people that with true E2EE there is no "forgot password" email. Passkeys and the tooling around them still have a ways to go, but we're getting there.
halapro|1 day ago
bensyverson|1 day ago
Encryption is different. If you encrypt data with a generated password and then delete it, you're toast, and passkeys are no different. I think the author is arguing that users may not even realize that the passkey itself is needed to decrypt, possibly because they're so associated with login.
bad_username|1 day ago
You can remember a strong generated password if it's a pass phrase. Better "rememberability" with the same amount of entropy.
hrmtst93837|1 day ago
SoftTalker|1 day ago
Also a style nit, it's OK to use "he" or "she" pronouns in a contrived narrative. The "they/their" usage really detracted from the clarity of the example.
ezfe|8 hours ago
bad_username|1 day ago
kgwxd|1 day ago
unknown|1 day ago
[deleted]
dennysora|1 day ago
whyagaintango|1 day ago
Even those that have 2 devices they don't have them all the time.
Another overlooked issue is that some banks etc don't allow for 2 devices as login or 2FA. Even if it allowed one needs to keep the spare device always updated. Either Govt needs to build a common API that one can use directly through google pay or apple pay - so that only one app is needed to be kept up to date.
to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them - but at least then if I lose the phone - and I show my ID they should allow me to setup my new phone. But that is also not possible. (I am discounting the awful AI bans)
lxgr|1 day ago
Proprietary clouds and sync backends create their own set of problems, but they do solve the availability issue of always having to register at least two different security keys with each service.
> to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them
That's exactly what you can do today!
> I show my ID they should allow me to setup my new phone.
You have to show them your phone number, which for better or worse is our age's "showing ID", but then you can indeed get back in.
DavideNL|1 day ago
The error message was: "Error: "Authenticator did not return a PRF result — this passkey probably isn’t PRF-capable."
So i now have an account, but can only use it on my Desktop. (can't change to a password login either, it's Passkeys only...)
[1] end-to-end encrypted AI, developed by Moxie Marlinspike, the founder of Signal: https://confer.to/
peterspath|18 hours ago
ezfe|1 day ago
ifh-hn|1 day ago
I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.
I use passkeys from keepasxc because the native workflow for passkeys is opaque and easy to misunderstand what you are actually doing. And it's predicated on having an account with big us tech companies.
lxgr|1 day ago
Both iOS and Android sync passkeys to their respective cloud accounts by default. (Of course, losing access to that account, sharing one across family members and causing confusion etc. are still concerns.)
The real problem is lock-in, as this effectively often prevents entire families from switching from iOS to Android or vice versa. I'd encourage anyone managing their family's tech setup to pick a platform-agnostic passkey implementation such as 1Password or Bitwarden for that reason.
ezfe|8 hours ago
People forget and reset passwords all the time. Passkeys are no different, except now they'll lose them less.
OJFord|1 day ago
(Or at absolute minimum don't force them on unsuspecting users, make them opt-in, not opt-out frequently at random times (Amazon!!!).)
Pesthuf|8 hours ago
dansjots|1 day ago
https://news.ycombinator.com/item?id=46895533
This give much more conscious control to the user knowing that they are explicitly encrypting which file with which passkey. Additionally, you can just download the page and serve it via localhost so that you always have control of the relying party for your passkey.
[0] https://words.filippo.io/passkey-encryption/
sandeepkd|1 day ago
daft_pink|1 day ago
ezfe|8 hours ago
Obviously passkeys do not bind a user to a specific device in any other context.
unknown|1 day ago
[deleted]
exabrial|1 day ago
They were secure, scalable, and they were simple to explain to my parents ("This is a physical key for your email account; like your front door key").
Telaneo|1 day ago
I can buy 6-8 physical keys for the front door of my house for the cost of one Yubikey. Even though there are options at half price, that then gets eaten into by the need to have two or three of them, since a backup is not optional for this sort of use case. I can't imagine convincing one's parents to buy 'a key for your email account' will be easy when the old way mostly 'worked fine' and was free, meanwhile the new one will cost them a non-trivial amount of money. It's an easy flow if you're their sysadmin, but I wouldn't want to throw my parents into the deep end of hardware keys and have to explain to them that they don't need the expensive one, but still have them be discouraged by the mere existence of 100+ dollar options for what should be damn-near throwaway hardware.
Passkeys somehow manages to have a worse workflow than both though.
unknown|1 day ago
[deleted]
peterspath|1 day ago
I guess informing them is a good way to start. Are there any other tips on how this can be improved?
unknown|1 day ago
[deleted]
jgb1984|1 day ago
ezfe|8 hours ago
cadamsdotcom|1 day ago
They’ll teach us what we need to know to create something that will do what they’re trying to do.
unknown|1 day ago
[deleted]
lxgr|1 day ago
pibaker|1 day ago
See also: Bluetooth.
kkfx|1 day ago
miladyincontrol|1 day ago
unknown|1 day ago
[deleted]
wmf|1 day ago
hbogert|1 day ago
Borealid|1 day ago
It's Play Services that does not support this combination, likely to shepherd you towards Google acoount usage. Alternate Android apps work fine.
darkhorn|1 day ago
ezfe|1 day ago
rkagerer|9 hours ago
rkagerer|5 hours ago
I don't want any cloud service to be my passkey provider. I'm not comfortable establishing that kind of dependence on a company I don't trust.
I'd be content to keep passkeys in a datastore that I control, and which I can inspect and manage on my own (including backup, restore, and ideally even daily migration to a "hotspare" device).
As more websites adopt passkeys, I find myself continually being nagged to adopt them. Although their intent is benign, the companies use dark UI patterns like not respecting my choice after I've said NO (there isn't a "Never" option, just a "Skip for now"), and they continually shove the unwanted reminders in my face every time I login.
My concern is eventually I'll accidentally hit the wrong button and create an unwanted passkey that's now tied to my machine/cloud account/vendor service in a way I don't control. I'm fact, I'd bet product managers are counting on that manipulation (nag the user until they concede) to brag about adoption rates and get raises.
My browser is supposed to me my agent, so I think it's a valid question - and related to this topic - to ask if there's a way to turn off the unwanted functionality.
Paddyz|1 day ago
[deleted]
xg15|1 day ago
This feels more like CYA/shifting the blame for me. If a service is designed so that I will lose all my data if I lose the passkey, then a "yo, don't lose that passkey, like, ever!" warning is the minimum, but doesn't solve the problem.
I found the initial suggestion "don't ever use passkeys for encryption of persistent data" more reasonable.
(Or what the sibling comment describes: Design the encryption in such a way there is an alternate key that could be used for decrypting)
lxgr|1 day ago
> this passkey is load-bearing for encryption, not just auth" so they can surface appropriate warnings before deletion
That sounds like a reasonable idea, but still doesn't help with the case of a completely deleted/destroyed authenticator, e.g. a lost Apple/Google account or Yubikey.
The only viable solution to me for mass adoption is restricting (by recommendation, since there's no way to programmatically enforce it) PRF to scenarios where it's only one out of several ways to get access back. Some password managers do this, e.g. they encrypt their master secret under a PRF-derived key, but this is not the only way/place to get to the master secret, and they also encourage printed key backups etc.
hedora|1 day ago
(Unless they are not credentials, and you can loose them then do a password reset via a phishing prone channel like email and SMS. Supporting this eliminates any possible user benefit of passkeys.)
In addition to the arguments in the article, when used as credentials, they are an obvious trojan horse allowing large websites to completely hijack your operating system.
Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android. This is where passkeys are taking PCs, and it is their only purpose.
So, “Don’t use passkeys” would be a better title.
lxgr|1 day ago
What does root detection and other device attestation have to do with passkeys? Passkeys (at least Google's and Apple's) don't support device attestation.
inkysigma|1 day ago