by 9dev 1254 days ago
Well, passkeys come with another very interesting property: they make it entirely useless to obtain the database of user credentials from services. It only contains public keys specific to a single service, so you cannot use them anywhere else. Additionally, private keys are stored on secure storage in client devices (or need to be decrypted themselves using a second factor), so there’s pretty much 0% risk of mass credential leakage.

> they make it entirely useless to obtain the database of user credentials from services. It only contains public keys specific to a single service, so you cannot use them anywhere else.

This is also the case for anyone using unique passwords per site, which is the standard for password vault users. Not much of a win there.

> Additionally, private keys are stored on secure storage in client devices (or need to be decrypted themselves using a second factor)

Also exactly the same as password vaults, but we still stress about Lastpass losing their encrypted vault DB.

I agree that Passkeys appear to bring the benefits of Password Vaults to people not currently using them in a fairly easy way. However, I worry about access to those passkeys when access to the Passkey provider is lost/revoked.

No, you misunderstood me. Passkeys remove the incentive to attack auth infrastructure in the first place, because a database of WebAuthn credentials isn’t useful to criminals compared to a database full of password hashes. This isn’t about the handful of tech-savvy users who know how to protect their privacy anyway, but all the others who constantly reuse their insecure passwords and won’t use password managers.

> Also exactly the same as password vaults, but we still stress about Lastpass losing their encrypted vault DB.

The stress was because Lastpass databases were only partly encrypted and the encryption was not based on random keys.
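The exchange above turns on what a relying party actually stores for a passkey and why a copy of that record is worth little. The following Go program is an added illustration written for this page, not code from any commenter or from a WebAuthn library: it models the minimal WebAuthn assertion flow (a per-site P-256 key pair, `authenticatorData` with the `rpIdHash`, `clientDataJSON` with challenge and origin, a signature over `authenticatorData || SHA-256(clientDataJSON)`) and then shows two things a leaked server record cannot do. The site names `example.com` and `other.example` and the challenge strings are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is everything the relying party (the website) stores per user, i.e. exactly
// what a breach of the server's database exposes: a public key bound to one rpID, no secret.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	RPID      string
}

// Passkey models the client side; the private key never leaves the device.
type Passkey struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// Assertion is the client's answer to a login challenge.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Register generates a P-256 key pair bound to one site; the server receives only the public half.
func Register(rpID string) (*Passkey, *Credential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Passkey{priv: priv, rpID: rpID}, &Credential{PublicKey: &priv.PublicKey, RPID: rpID}
}

// authData builds a minimal WebAuthn authenticatorData: rpIdHash (32 bytes) || flags (1) || counter (4).
func authData(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID)) // the authenticator hashes the rpID it was registered for
	return append(h[:], 0x01, 0, 0, 0, 0) // 0x01 = user present; counter left at zero here
}

// signedMessage is what the authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return m[:]
}

// Sign answers a login challenge with a fresh assertion (the authenticator's job).
func (p *Passkey) Sign(challenge, origin string) *Assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	ad := authData(p.rpID)
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedMessage(ad, cd))
	if err != nil {
		panic(err)
	}
	return &Assertion{AuthenticatorData: ad, ClientDataJSON: cd, Signature: sig}
}

// Verify is the relying party's check; it needs nothing beyond the stored record.
func Verify(cred *Credential, challenge, origin string, a *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge || cd["origin"] != origin {
		return errors.New("clientData does not match this login attempt")
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: assertion was produced for another site")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify under the stored public key")
	}
	return nil
}

// Scenario runs one honest login, then two things a copy of the server's record cannot do.
// "example.com", "other.example" and the challenge strings are constructed placeholders.
func Scenario() (honest, forged, crossSite error) {
	pk, cred := Register("example.com")
	origin := "https://example.com"
	honest = Verify(cred, "c1", origin, pk.Sign("c1", origin))
	// Whoever holds the leaked record has only the public key; a signature from any other key fails.
	other, _ := Register("example.com")
	forged = Verify(cred, "c2", origin, other.Sign("c2", origin))

	// The record copied to another site is useless too: the passkey hashes its own rpID into rpIdHash.
	copied := &Credential{PublicKey: cred.PublicKey, RPID: "other.example"}
	crossSite = Verify(copied, "c3", "https://other.example", pk.Sign("c3", "https://other.example"))
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `<nil>` for the honest login and an error for the other two cases. The design point is the one 9dev makes: the server holds nothing that lets anyone produce a signature, and the rpID hash and origin baked into every assertion stop a credential from being used anywhere but the site it was registered with. A real implementation would also check the signature counter and the user-verification flag, which are left out here to keep the flow readable.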