What are passkeys and why should I switch?

birds-swim

Okay, I've definitely been out of the loop for too long. What the hell is a "Passkey"? Is this a scam by the politicians and corporations? Or is it actually more secure than the good old Password+Authenticator combo that I'm used to?

I'm finding all my apps are pushing me to create a passkey for everything.

What does the GOS community think about Passkeys? Do you use them? Why? Or why not?

Dumdum

birds-swim
Bitwarden has blog posts explaining them:
https://bitwarden.com/blog/bitwarden-and-the-passwordless-revolution/
https://bitwarden.com/blog/how-do-passkeys-work/

Tldr: They are secure. Not a scam. Up to you to use them, but I'm not sure there's a reason not to.

de0u

birds-swim The situation is evolving. Here are two articles of potential interest:

Passkey technology is elegant, but it’s most definitely not usable security (Ars Technica, 2024-12-30)
Coming to Apple OSes: A seamless, secure way to import and export passkeys (Are Technica, 2025-06-12)

fid03

birds-swim I use passkeys whenever I can. They're usually more convenient to me, especially at work, where I no longer have to remember and type half a dozen diceware passwords in order to do my job, but can just use the security key they provisioned to me.

birds-swim

Dumdum Is Bitwarden responsible for inventing/creating them?

MineralWater

I think they offer a little better security.
But to use them conveniently you have to use a password manager with cloud service, and it shouldn't be from Google or Apple, it must be one running on all kind of OS.

Otherwise you have trouble each time you change your device, as you need to generate new passkeys.

Also, most websites/services who offer passkey, simultaneously keep the old username/password combo as a backup.

So if their server's are hacked, criminals can still take over accounts.

It only helps against phishing attacks, but that's better than nothing.

vodka

birds-swim Is Bitwarden responsible for inventing/creating them?

No.
Passkeys are just the branding name for WebAuthn credentials, it's FIDO Alliance and W3C developed.

Naudiz

I find Passkeys mostly pointless the way they are implemented in 99% of services as of today. Almost all of them let you create a Passkey as an alternative way of logging in only, while keeping other means of login, like username+password still active. So if your password is insecure or stolen, an attacker could still have access to your account by the regular username+password combo.

JollyRancher

Personally? Passkeys are mostly a joke.

Unless a service is willing to allow you to block the use of other login methods (password, for example) then the actual security level is equal to whatever the weakest method is.

If you use a password manager, creating and using unique strong passwords for a given site/service is pretty trivial and generally seamless.

2FA via authenticator app paired with a strong password, especially if the app is protected by biometrics, is top tier security with none of the downsides of passkeys.

Passkeys could be great but they need a lot of interoperability and UI work along with corporations actually taking security seriously.

Note that ANY entity that allows SMS 2fa either does not understand or does not care about offering a secure product.

GrouchyGrape

JollyRancher is top tier security with none of the downsides of passkeys.

TOTP is not phishing resistant, unlike passkeys.

JollyRancher Passkeys are mostly a joke.

I agree that the implementation of passkeys is often ridiculous and a "joke", often requiring something insecure like SMS as a fallback. However, that doesn't make passkeys themselves a joke.

Probably9857

A thing that I find annoying about passkeys is that some services (e.g., GitHub) skip your configured 2FA method when a passkey is used.

It seems to me that this actually reduces security by making my password manager a single point of failure.

Frostily7047

I guess until other less secure methods are allowed to be disabled, its a convenient feature.

Risk is with disallowing other authN methods, if people lose their device, or sell their phone (unless your passkey is kept securely in a.cloud vault?) Users will be.locked out of their accounts.

Yubico recommends at least 2 hardware tokens in case you lose one. But to the average user, its too complicated and inconvenient to use hardware tokens unless its their phone, but that comes with other drawbacks