What are passkeys and why should I switch?

birds-swim

Okay, I've definitely been out of the loop for too long. What the hell is a "Passkey"? Is this a scam by the politicians and corporations? Or is it actually more secure than the good old Password+Authenticator combo that I'm used to?

I'm finding all my apps are pushing me to create a passkey for everything.

What does the GOS community think about Passkeys? Do you use them? Why? Or why not?

Dumdum

birds-swim
Bitwarden has blog posts explaining them:
https://bitwarden.com/blog/bitwarden-and-the-passwordless-revolution/
https://bitwarden.com/blog/how-do-passkeys-work/

Tldr: They are secure. Not a scam. Up to you to use them, but I'm not sure there's a reason not to.

de0u

birds-swim The situation is evolving. Here are two articles of potential interest:

Passkey technology is elegant, but it’s most definitely not usable security (Ars Technica, 2024-12-30)
Coming to Apple OSes: A seamless, secure way to import and export passkeys (Are Technica, 2025-06-12)

fid03

birds-swim I use passkeys whenever I can. They're usually more convenient to me, especially at work, where I no longer have to remember and type half a dozen diceware passwords in order to do my job, but can just use the security key they provisioned to me.

birds-swim

Dumdum Is Bitwarden responsible for inventing/creating them?

MineralWater

I think they offer a little better security.
But to use them conveniently you have to use a password manager with cloud service, and it shouldn't be from Google or Apple, it must be one running on all kind of OS.

Otherwise you have trouble each time you change your device, as you need to generate new passkeys.

Also, most websites/services who offer passkey, simultaneously keep the old username/password combo as a backup.

So if their server's are hacked, criminals can still take over accounts.

It only helps against phishing attacks, but that's better than nothing.

vodka

birds-swim Is Bitwarden responsible for inventing/creating them?

No.
Passkeys are just the branding name for WebAuthn credentials, it's FIDO Alliance and W3C developed.

Naudiz

I find Passkeys mostly pointless the way they are implemented in 99% of services as of today. Almost all of them let you create a Passkey as an alternative way of logging in only, while keeping other means of login, like username+password still active. So if your password is insecure or stolen, an attacker could still have access to your account by the regular username+password combo.

JollyRancher

Personally? Passkeys are mostly a joke.

Unless a service is willing to allow you to block the use of other login methods (password, for example) then the actual security level is equal to whatever the weakest method is.

If you use a password manager, creating and using unique strong passwords for a given site/service is pretty trivial and generally seamless.

2FA via authenticator app paired with a strong password, especially if the app is protected by biometrics, is top tier security with none of the downsides of passkeys.

Passkeys could be great but they need a lot of interoperability and UI work along with corporations actually taking security seriously.

Note that ANY entity that allows SMS 2fa either does not understand or does not care about offering a secure product.

GrouchyGrape

JollyRancher is top tier security with none of the downsides of passkeys.

TOTP is not phishing resistant, unlike passkeys.

JollyRancher Passkeys are mostly a joke.

I agree that the implementation of passkeys is often ridiculous and a "joke", often requiring something insecure like SMS as a fallback. However, that doesn't make passkeys themselves a joke.

fid03

JollyRancher 2FA via authenticator app paired with a strong password, especially if the app is protected by biometrics, is top tier security with none of the downsides of passkeys.

JollyRancher Unless a service is willing to allow you to block the use of other login methods (password, for example) then the actual security level is equal to whatever the weakest method is.

Following that logic, 2FA via authenticator app is equally as useless as passkeys.

Probably9857

A thing that I find annoying about passkeys is that some services (e.g., GitHub) skip your configured 2FA method when a passkey is used.

It seems to me that this actually reduces security by making my password manager a single point of failure.

JollyRancher

GrouchyGrape
Phishing resistance is a function of the user. Don't share your 2fa codes, ever. It is never the appropriate action. And if someone asks for it, its a scam.

I call passkeys mostly a joke because 1) basically all of the implementations are a mess and 2) that essentially everyone who offers passkeys doesn't allow the disabling of other methods and thus the security is equal to whatever the weakest level is.

Frostily7047

I guess until other less secure methods are allowed to be disabled, its a convenient feature.

Risk is with disallowing other authN methods, if people lose their device, or sell their phone (unless your passkey is kept securely in a.cloud vault?) Users will be.locked out of their accounts.

Yubico recommends at least 2 hardware tokens in case you lose one. But to the average user, its too complicated and inconvenient to use hardware tokens unless its their phone, but that comes with other drawbacks

GrouchyGrape

JollyRancher Phishing resistance is a function of the user.

This is incorrect. At the moment, true passkeys are near phishing-proof. Meaning, if I try to use my Microsoft passkey to login at fakemicrosoftonline.com, it'll fail. It simply won't work. Aka, I can't be phished. However, let's say fakemicrosoftonline.com simply asks for my TOTP code. No problem, I enter it in and they're passed along to authenticate the attacker instead of me. I've been phished.

Yes, the user should know better, but that's not what I'm arguing. I'm arguing that the method itself (passkeys) are inherently much more secure than any other method.

JollyRancher basically all of the implementations are a mess

I agree with this for most mainstream consumer products. However, in the enterprise world, it's pretty consistent and works as intended/designed.

JollyRancher essentially everyone who offers passkeys doesn't allow the disabling of other methods

See my point above. Seems to mostly affect consumer/mainstream services. Enterprise services work fine for the majority of them.

JollyRancher the security is equal to whatever the weakest level is

Completely agree, this makes it extremely frustrating when you can't disable less secure methods. I'm looking at you, Proton...

WestQuester

GrouchyGrape Completely agree, this makes it extremely frustrating when you can't disable less secure methods. I'm looking at you, Proton...

I was excited when passkeys came to Proton, but when I set it up, it disabled my 2FA for my username/password login, and yet still left username/password as an option for logging in!

So either way I have to have a username/password login, but do I want one with 2FA or without? What a horrible implementation.

fid03

Passkey adoption is still far from universal. It makes sense to make users familiar with a new authentication method before making account recovery harder than it currently is for most services.

Weak account recovery methods are not a function of the passkey technology itself. Passkeys in themselves are proven to be much more phishing-resistant than traditional MFA – scientifically there is no doubt about this. Services that choose to go fully passkey-only for user accounts and remove weak recovery options can offer a much more secure option than if they offer traditional MFA and remove weak recovery options. Here are a couple articles I pulled from my notes that demonstrate how attackers now bypass traditional MFA:

1
Blancaflor, E. B., Duldulao, J. O., Espeño, J. V. E., Patag, G. S. M., Theresa Menor, M., & Intal, G. L. (2025). Advanced phishing techniques: Analyzing adversary-in-the-middle and browser-in-the-browser attacks in modern cybersecurity. Cybernetics and Information Technologies, 25(1), 55–77. https://doi.org/10.2478/cait-2025-0004

2
Intelligence, M. T. (2022). From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/

Where I work, the IT department is in the process of rolling out security keys to all users, with password and traditional MFA fallback options getting more heavily restricted/scrutinized. For admin accounts it's no longer possible to recover your account after losing your security key without identifying yourself: have to physically go to your boss to get a new key that passes the attestation check. Think they have recognized how much they stand to lose if an attacker bypasses MFA to access their systems. Even with security measures such as conditional access policies it's not impossible.

I admit I think it's unlikely that most services will remove weak account recovery options in the foreseeable future; likely too afraid of losing customers/users because they didn't guard their passkeys well enough and lost them. But possibility is there. Account recovery can also be made significantly harder without legit users losing access forever, such as increasing the wait period between requesting recovery and then being granted access, and so on.

GrouchyGrape

WestQuester interesting. For me, it simply left and requires TOTP as a fallback. Which sucks, but is better than completely disabling MFA like your case. I'd reach out to support.