this post was submitted on 11 Nov 2025
288 points (87.5% liked)

Technology


Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what's still missing.

(page 2) 50 comments
[–] Brokkr@lemmy.world 215 points 1 day ago (28 children)

While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.

Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.

[–] hansolo@lemmy.today 93 points 1 day ago (1 children)

This is the only accurate take in the whole thread.

Passkeys solve "well, can't be phished" by introducing 2 new problems and never resolving super prevalent session hijacking. Even as a basic cost-benefit analysis, it's a net loss to literally everyone.

[–] LuigiMaoFrance@lemmy.ml 38 points 1 day ago

Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.

[–] 4am@lemmy.zip 34 points 1 day ago (1 children)

Password managers store passkeys. They’re portable and not device-locked. Been using them on Bitwarden for like 2 years now.

[–] smiletolerantly@awful.systems 36 points 1 day ago (7 children)

You can store Passkeys in open source password managers.

I don't know most of my passwords, so the step to passkeys doesn't feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.

[–] Brokkr@lemmy.world 31 points 1 day ago* (last edited 1 day ago) (7 children)

Sure, they probably work great when you have your passkey manager on the device, but that's not when I need to have backup routes into my accounts. When using a new device, or someone else's, having even a complicated password that can be typed or copy-pasted has way more functionality.

As far as I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.

[–] smiletolerantly@awful.systems 12 points 1 day ago

I can access my password manager via the browser from any device.

[–] umbrella@lemmy.ml 14 points 1 day ago (2 children)

It's being pushed because corporations want to control your passwords with lock-in.

No way I'm using that garbage over my own manager with recallable plaintext passwords.

[–] l_b_i@pawb.social 28 points 1 day ago (1 children)

I think they are being pushed because they are cool technology on paper. Whenever I read an article about them, I can't help but think about the human factors. How are passkeys created? Often by a password or email. Okay... that looks a lot like a password. Oh, you lost the passkey? Here, let's send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation? If your email is compromised I see no difference between passwords and passkeys.

[–] 4am@lemmy.zip 15 points 1 day ago (6 children)

They don’t email you a passkey, what are you even talking about?

[–] lmmarsano@lemmynsfw.com 2 points 1 day ago* (last edited 1 day ago) (1 children)

There are quite a few uninformed takes here & the number of upvotes they got for it is stunning. Lemmy. 😞

[–] ICastFist@programming.dev 67 points 1 day ago (8 children)

Better title:

Passkeys: still trying to explain why it's worth the hassle when it isn't

[–] kjetil@lemmy.world 110 points 1 day ago (16 children)

The biggest disadvantage:

Disadvantages of Passkeys

Ecosystem Lock-In – Passkey pairs are synced through each vendor's respective clouds via end-to-end encryption to facilitate seamless access across multiple devices.

More eggs in the American megacorp basket for more people, yay

[–] Doccool@lemmy.world 39 points 1 day ago (4 children)

Currently I use a FOSS (I think?) password manager, Bitwarden, that supports passkeys. I use it across Mac, Windows and Android, so while my passkeys are locked to the password manager, I am not locked to any of the aforementioned megacorps.

[–] SkaveRat@discuss.tchncs.de 22 points 1 day ago (2 children)

While I use and love Bitwarden, it's not exactly FOSS. Although there is a FOSS implementation of their server backend.

[–] AbidanYre@lemmy.world 27 points 1 day ago

Vaultwarden (the free server implementation) also supports passkeys.

[–] lmmarsano@lemmynsfw.com 2 points 1 day ago* (last edited 1 day ago)

That hasn't been true since password managers stored passkeys, which I've been doing for years. That objection goes into the trash. 🗑️

[–] Engywuck@lemmy.zip 36 points 1 day ago (1 children)

No, thanks. I'll keep using password+2FA and I hope that passkeys never become "mandatory".

[–] TotalCourage007@lemmy.world 13 points 1 day ago (2 children)

Thanks to our dystopian hellscape we live in it'll become mandatory just like useless online ids. I hate having to explain passkeys to my family. Some fuckface suit who doesn't use it properly pushed for a portfolio addition.

[–] sonofearth@lemmy.world 2 points 1 day ago* (last edited 1 day ago) (2 children)

But what’s dystopian about passkeys? They are actually more secure than Password + TOTP. Phishing out a passkey is practically impossible.

[–] SaraTonin@lemmy.world 27 points 1 day ago (2 children)

The promise of passkeys when I first read about them was that it would be quick and easy - that you wouldn't need to enter a username or use 2FA. The reality appears to be that it's used **as** 2FA.

[–] Zak@piefed.world 19 points 1 day ago (2 children)

I've been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.

Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I'm not sure if this is a problem with Piefed, Bitwarden, or Firefox, I'm now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.

I recognize the theoretical advantages, but passkeys don't do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won't autofill the wrong domain. I don't enter credentials in links from emails I didn't trigger myself immediately before. I haven't checked whether I can reliably back up and restore them in my Bitwarden vault.

[–] lmmarsano@lemmynsfw.com 2 points 1 day ago* (last edited 1 day ago) (2 children)

> All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique.

You're still transmitting the actual secret to the destination, so interception is a risk. Passkeys use asymmetric cryptography: no reusable secret is ever transmitted, only time-sensitive challenges that prove possession of the private key. Servers only store public keys, which aren't secret by design.

Passkeys have multifactor authentication built-in whereas passwords do not.

Passkeys can be more convenient than passwords. My password manager has my passkeys. At login, my password manager raises a passkey prompt that I simply confirm.

[–] CompactFlax@discuss.tchncs.de 19 points 1 day ago (4 children)

They’re device-bound certificate based authentication with some shiny bits.

Or they’re portable-via-certain-services certificate based authentication with some shiny bits.

Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.

Personally, I find them irritating. My chosen password manager on iPhone doesn't support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and Google from forcing Chrome/Edge vaults, but has the actual effect that Chrome/Edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion).

[–] Triumph@fedia.io 22 points 1 day ago (4 children)

I really don't want to turn my devices into hardware keys. I can't imagine how difficult it would be to recover if, say, there was a fire or flood. Hardware breaks, gets lost, stolen. How about people who can't afford multiple devices? What about the unhoused? How about if you get arrested and your one device gets confiscated? You can't even give anyone else access to your data. What if you're a good witness recording something and the police decide to make your device into evidence (or destroy it)?

MFA? Absofuckinglutely. I’ll pass on passkeys, sorry.

[–] hummingbird@lemmy.world 24 points 1 day ago (3 children)

You missed some disadvantages. For example the UX and complexity are terrible.
