this post was submitted on 11 Nov 2025
290 points (87.6% liked)

Technology

Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn). They remove the shared secret, stop phishing at the source, and make credential stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn't seamless.

I broke down how passkeys work, their strengths, and what's still missing.

[–] laranis@lemmy.zip 25 points 1 day ago (3 children)

Why do you have the 4-digit PIN? Well, it’s just to unlock the part of your device where the private key is stored.

And there is the problem I have with passkeys. With a password it is me authenticating to the service I'm using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that's part of using the tech).

With passkeys you've got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you're now relying on to keep your data safe. I get that for people whose password is "password123" or who aren't savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.

To my point, later in the article:

Securing your cloud account with strong 2FA and activating biometrics is crucial.

What's that now? The weak point is the user's ability to implement MFA and biometrics? The same users who couldn't be bothered to create different passwords for different sites? You see how we've just inserted another layer into the authentication process without solving for the major weakness?

With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab -- snake oil for companies to get their tentacles tighter around your digital existence.

Happy to be proven wrong.

[–] needanke@feddit.org 9 points 23 hours ago* (last edited 23 hours ago)

How do you currently store your passwords? I would also consider that a third party with an additional attack surface if you are considering the passkey location one.

Also your argument

(if you ignore the operating system, web browser, network protocols, etc., but that's part of using the tech).

is faulty. That is because passkeys exist in part to mitigate those attack vectors. MitM, a compromised browser or client, etc. is less of an issue with passkeys. The information transmitted during an authentication can not be reused on another authentication attempt.

I don't agree on passkeys complicating things either. For me the authentication flow is not more complicated than KeePass's autofill.

Assuming one can be 'tech savvy' enough to not fall for phishing is bad. There are quite advanced attacks or you might even just be tired one day and do something stupid by accident.

What's that now? The weak point is the user's ability to implement MFA and biometrics? The same users who couldn't be bothered to create different passwords for different sites?

You don't expect the user to 'implement' MFA or biometrics. You expect them to use it. And most places where a novice would store passkeys don't just expect but enforce it. It is also way simpler to set up biometrics on one device compared to keeping up with a good password strategy.

[–] Evotech@lemmy.world 11 points 1 day ago* (last edited 1 day ago)

Passkeys can't be phished.

That's the main point.

Phishing is a reeeeal pain. And something that needs to be solved. Not through training but with technology.

[–] sentientRant@lemmy.world 4 points 23 hours ago (1 children)

Today we use lots of accounts with unique passwords. Obviously these passwords have to be stored somewhere. So I disagree with you when you say it's a unique passkey thing.

Passkey has an advantage when it comes to phishing because it doesn't totally rely on human intelligence or state of mind.

From a personal experience my data was leaked online, not because of phishing or I was careless. but it was leaked from a well known third party site which I used. They were affected by a very serious breach. Many unlike me use the same passwords for their emails and stuffs. But in case of passkeys there isn't a shared secret. A breach will be useless.

[–] laranis@lemmy.zip 3 points 23 hours ago (1 children)

I think you're making my point. First, you're right that passkeys can't be phished. But access to the passkey manager can be. And now you've doubled your exposure to leaky third parties, once with the service you're accessing and another with the passkey manager.

[–] sentientRant@lemmy.world 2 points 18 hours ago

But the third parties actually have no access to your passkeys. The passkeys stored are end-to-end encrypted blobs. So even if anyone gets hold of it, it's useless. But a password, for instance, when leaked from a 3rd party can be used easily, as the server will have to decrypt the password at one point. So the means to decrypt the password will be at the server, but passkeys aren't like that. The private passkey can be decrypted only on your device for signing the challenge. So your exposure was basically halved.

[–] lukaro@lemmy.zip 5 points 22 hours ago (3 children)

All I know is a few months back someone set up a passkey on a shared Google account at my job and now nobody knows what the password for our email is. I can use the passkey to sign in with my phone, but only I can do that.

[–] sfgifz@lemmy.world 1 points 1 hour ago

someone setup a passkey on a shared google account at my job

I can use the passkey to sign in with my phone, but only I can do that

[–] sentientRant@lemmy.world 3 points 15 hours ago

I think Google accounts are usually made for a single user, and thus passkeys. But maybe you can try going to the shared Google account's security settings; there's an option "skip password when possible". Disable it... Maybe it might work. I'm not sure though.

[–] BradleyUffner@lemmy.world 2 points 20 hours ago

If you can sign in, you should be able to reset the password.

[–] NauticalNoodle@lemmy.ml 8 points 1 day ago* (last edited 1 day ago) (1 children)

If it undermines or circumvents my Fifth Amendment right not to testify against myself, then I'm not interested in ending the use of passwords.

[–] needanke@feddit.org 3 points 23 hours ago

You can set a pin on most passkey devices so that it doesn't serve the authentication without it.

[–] sudoer777@lemmy.ml 2 points 20 hours ago

I use Passkeys with Bitwarden in desktop Firefox, but for some reason I can't get them to work in GrapheneOS/Vanadium even though I have Bitwarden set as my password provider

[–] Korhaka@sopuli.xyz 15 points 1 day ago (1 children)

I don't want to boot up a fucking android VM to run some login app every time I need to log into an unimportant account that realistically I would have used "el-passwordo" for the password if it let me.

[–] Jakeroxs@sh.itjust.works 3 points 1 day ago (1 children)

You can use browser extensions, not sure why you'd think you'd have to run an android VM lmfao

[–] Korhaka@sopuli.xyz 4 points 1 day ago (2 children)

I just know the one my employer forces me to use can't be. Need to use the stupid microsoft app.

[–] Jakeroxs@sh.itjust.works 2 points 1 day ago

Not sure if that's actually a "passkey" in the same sense then, MS is doing its own shit for sure. I use vaultwarden/bitwarden and can save standard passkeys there no problem.

[–] needanke@feddit.org 1 points 23 hours ago

Then that is not what the article is about..

[–] nuko147@lemmy.world 22 points 1 day ago (2 children)

Tried passkeys in the past. I had many problems, especially I could not understand why they must use my Google account. Now my Google account is gone, not gonna go down that rabbit hole again, I am happy with my Bitwarden and Aegis.

[–] Appoxo@lemmy.dbzer0.com 5 points 1 day ago* (last edited 23 hours ago)

Bitwarden does support access to access keys in (for example) firefox.
I have not tested outside of browser (firefox). So it may depend on if you use chrome or some other app.

Edit: Just got a suggestion inside the Amazon app (Android. Yes, I hate Amazon as well, but I got a gift card and I hate it even more to give them a free-of-charge credit) to add a passkey. So it seems to work (semi-)reliably outside of a browser.

[–] rekabis@lemmy.ca 26 points 1 day ago (1 children)

Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.

[–] lightsblinken@lemmy.world 1 points 12 hours ago* (last edited 12 hours ago)

lets just hold the line of "the answer is always username/password + second factor".

could be username/password + totp..

could be username/password + passkey..

if someone figures out my password, i dont lose everything..

if someone steals my passkey, i dont lose everything..

even if i do use the same password for everything, the second factor has it covered.

(nobody will ever guess my password of ******** anyway!)

[–] BilSabab@lemmy.world 6 points 1 day ago (1 children)

seems like too much messing around to make it a widespread solution.

[–] Appoxo@lemmy.dbzer0.com 5 points 1 day ago (1 children)

Actually not really.
I do use it with my password manager.
Very convenient.

BUT, it's not hardware based so more susceptible to attacks.

[–] BilSabab@lemmy.world 1 points 22 hours ago

i see. gotta try it out for myself

[–] lucille@piefed.blahaj.zone 16 points 1 day ago (1 children)

It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can't use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).

It should also be noted that if the cloud account is not phishing-resistant (which it can't be for reasons stated above), then the accounts protected by passkeys aren't phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.

At AAL2 you could also just use a password and OTP, which doesn't have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.

In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).

[–] Valmond@lemmy.world 3 points 22 hours ago

Yeah exactly, like make 3 engraved metal plates you can store here and there for recovery, not some stupid cloud account LMAO.

[–] HulkSmashBurgers@reddthat.com 60 points 1 day ago (8 children)

The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.

[–] partofthevoice@lemmy.zip 9 points 1 day ago* (last edited 1 day ago)

KeePassXC supports passkeys directly through the Browser Integration service.

https://keepassxc.org/docs/KeePassXC_UserGuide#_browser_passkey_support

There you go. Local, serverless passkeys in the software of your choice.

[–] Brokkr@lemmy.world 220 points 2 days ago (53 children)

While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.

Passkeys are a technology that was surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.

[–] hansolo@lemmy.today 95 points 2 days ago (1 children)

This is the only accurate take in the whole thread.

Passkeys solve "well, can't be phished" by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it's a net loss to literally everyone.

[–] anomnom@sh.itjust.works 3 points 1 day ago

That's what I worried about, and then especially for computers that age out of updates (2 older MacBooks).

We end up having to reauthenticate on some other device at some point anyway and that means there’s still going to be a weak point.

Like with 2 auth sim jacking.

[–] biotin7@sopuli.xyz 3 points 1 day ago

Yeah, totally not going to be misused by corporations with proprietary cryptographic algorithms.

[–] tym@lemmy.world 6 points 1 day ago

hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)

source: my job is to try to get end users to put strong MFA on all the things.

[–] ICastFist@programming.dev 67 points 2 days ago (8 children)

Better title:

Passkeys: still trying to explain why it's worth the hassle when it isn't

[–] kjetil@lemmy.world 111 points 2 days ago (22 children)

The biggest disadvantage:

Disadvantages of Passkeys

Ecosystem Lock-In – Passkey pairs are synced through each vendor's respective clouds via end-to-end encryption to facilitate seamless access across multiple devices.

More eggs in the American megacorp basket for more people, yay

[–] Engywuck@lemmy.zip 36 points 2 days ago (5 children)

No, thanks. I'll keep using password+2FA and I hope that passkeys never become "mandatory".
