[dontTREATonme]

My first experience with passkeys was eBay. They implemented them 3-4 years ago, and my password manager, Dashlane picked up on it. They offered to save it and I wouldn’t have to enter a username or password. Great, seemed to work. Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work. After having like 6 different passkeys for eBay I gave up. Now I always decline to use passkeys. They don’t work, idk who uses them but as a fairly tech savvy user, without a very complex setup (chrome, with Dashlane installed) if it’s not working for me it’s probably just not working.

I’ll also add. I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it. For all the complexity that it takes to implement secure login with a username and password, most of it is hidden from the user, with passkeys it feels like they’re shoving all the complexity front and center, but not explaining any of it.

[_Algernon_]

The only way passkeys make sense is in terms of vendor lock in. If you stick with a single vendor (ie. Google or Apple) to manage them for you, it kinda works if you ignore edge cases (eg. how to recover if phone breaks).

So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.

The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

[diggan]

> The only way passkeys make sense is in terms of vendor lock in.

This is what I've figured as well, and even if my password manager claims "eventually we'll support it, once it's available" (https://blog.1password.com/fido-alliance-import-export-passk...), I've been putting it off until the implementation is actually in place.

But the question is when that'll be. Last I've heard about the whole "Risk of lock-in from export blocking" is:

> The general vibe is supportive and language has been added to this effect, though it looks like we haven't done a public working draft in some time so I don't think that's externally visible yet. Also usual caveats about in-progress work subject to change.

https://github.com/fido-alliance/credential-exchange-feedbac...

I guess time will tell. But for now, considering the history of lock-in on the web, it's best to stay away from Passkeys for now, until they figure out a proper way of avoiding it.

[trollbridge]

Bitwarden is the one vendor that doesn’t do lock in (since you can export your passkeys). Which also means you can back them up.

The rest of the platforms give you zero ability to export or back up your passkeys, which makes them worse than useless.

[Longhanks]

Apple also announced passkey import and export is coming this fall with iOS 26 (and their other OSes): https://developer.apple.com/videos/play/wwdc2025/279/

[diggan]

> We'll explore key updates including [...] and the secure import/export of passkeys

Have they shared any details about if this is actually cross-provider/platform import/export? I feel like if Apple doesn't outright share those details, they're talking about import/export within the Apple ecosystem.

[dcow]

No, in this case it is actually an industry standard: https://fidoalliance.org/specifications-credential-exchange-...

[yellow_postit]

Let’s see — Apples track record of interoperability isn’t great unless dragged by regulatory bodies. Managing private emails at scale to migrate away from Apple for instance is wildly painful.

[dcow]

There is an industry standard being deployed for passkey (and other credential) import/export so that everything will work together seamlessly. Most players are waiting for that so there aren’t N different formats floating around that only work with subsets of other PW managers, which is a real problem now.

[EvanAnderson]

I'll believe it when I see it. So far I'm with the "Passkeys are for vendor lock-in" crowd and keeping my distance from them.

[l11r]

Apple already implemented Import/Export according to FIDO standard in their iOS 26: https://developer.apple.com/videos/play/wwdc2025/279/?time=1...

Standards themselves:

https://fidoalliance.org/specs/cx/cxf-v1.0-rd-20250313.html

https://fidoalliance.org/specs/cx/cxp-v1.0-wd-20241003.html

[diggan]

re Bitwarden Passkeys export/import, I found this:

> Q: Are stored passkeys included in Bitwarden imports and exports?

> A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.

https://bitwarden.com/help/storing-passkeys/#passkey-managem...

But I'm not sure I understand the last part, how is the "ability to transfer your passkeys to another passkey provider" planned for a future Bitwarden release, if the Passkeys are already included in the export data? Wouldn't that be up to other Passkey providers to implement the import? Or is the export data not complete enough for an import?

[Uvix]

Yes, other providers could theoretically import Bitwarden’s proprietary format. Bitwarden’s reference to a future release is regarding the standardized import/export of passkeys that is in development: https://fidoalliance.org/fido-alliance-publishes-new-specifi...

[dyml]

I work at bitwarden and I can confirm this. While technically you have the data, any other app need to support our json format (which they totally can, our code is open source) - but CXP (the standard) is happening this year so we’re planning on using it.

[signal11]

1Password are working with Microsoft to integrate more with Windows’ passkey APIs.

The real test will be, how easy is it to move passkeys from say 1Password to Keepass XC (open source). It’s on my todo list.

For now, 1P’s passkey support appears to work quite well with all the sites I’ve tried. I’ve got multiple devices (Linuxes, macOS, Windows) and passkeys just work. I like the fact that 1P is cross platform, but after all it too is proprietary.

[diggan]

> how easy is it to move passkeys from say 1Password to Keepass XC (open source). It’s on my todo list.

AFAIK, there is no export from 1Password with Passkeys yet, so maybe better to put it in your calendar to check back in 6 months or so.

> passkeys just work

Yeah, I'm not doubting that, but I cannot reasonable base my core authentication on something that locks me to one service, that just feels to irresponsible. Hence the wait for proper import/export before spending any time on this :)

[jgalt212]

Truth. With passwords, you don't even need a service open or closed. You can just write them down on an air gapped piece of paper.

[signal11]

This so many times. The cryptography around passkeys is great. An operational consequence that a lot of people seem to miss is lock-in.

I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.

[dcow]

Unless people use weak passwords today, all their passwords are scattered across various browsers and system autofill, unless they use a PW manager deliberately, in which case they’re “locked in”.

One of the couterpoints here is that while good security might have you adopt one password manager vendor, that vendor is not necessarily the same as your platform vendor. Traditionally this is a way to fight vendor lock in.

[recursive]

You can export your passwords. I've done it and switched vendors.

[hedora]

It is trivial to migrate from lastpass to bitwarden. I’m not sure about all other permutations of password managers though.

[signal11]

There are open source password managers with decent interop. The interop is very crusty csv export / import, but hey, it’s not Hotel California.

With passkeys, the concern is that the platform vendor will become the password manager for a lot of people … Android users will use Google’s built in password mgmt tools, iOS users will use Apple’s. This makes switching that much more difficult.

[hshdhdhj4444]

> if you ignore edge cases (eg. how to recover if phone breaks)

I really see this language around passkeys a lot.

How is losing your phone, phone breaking, etc considered an edge case?

It’s common enough that Apple has a whole app called Find My.

Phones falling into toilets led to a whole meme about putting them in rice to fix them.

And even before Find My existed as an app Apple had equivalent functionality available online within a couple of years of the iPhones introduction.

[noirscape]

> The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

I mean, that's what Microsoft is doing here, no? They're changing their password manager to only accept passkeys, not passwords and to block off autofill functions. Granted, right now they're the only vendor to do this, but that's a pretty risky precedent to create.

[trollbridge]

More likely is MS Authenticator loses its already minuscule market share.

[chronogram]

It is massive in corporate. I think it's the most used authenticator. On the Play Store alone it's got 2 million app reviews, Google Authenticator 579 thousand, Authy has 86 thousand. The download count seems to stop at 100M+ so I can't compare that.

[WorldMaker]

Microsoft is (re-)splitting their 2FA app from their Password Manager. The Password Manager is moving exclusively back into the Edge app. It will still provide autofill inside the Edge app. It may even get autofill (again) into other apps.

If anything this seems a move to get users to use more Edge than to use more Passkeys.

[xlii]

For myself it’s a very good secondary auth in alternative. E.g. I register with a vendor, create strong password in password vault and then create a passkey.

Passkey is convenient for log in (and also - quick) but worst case scenario I still have passwords. I wouldn’t trade in passwords completely but I prefer passkeys to OTPs.

[egberts1]

THIS!

Worth my point for this emphasis.

Can concur.

[brazzy]

Passkeys absolutely make sense from a security (and in theory also UX) POV. Handling logins for dozens of services is either very insecure (reuse), has even worse vendor lock in (federated ID), or has pretty bad UX (password manager).

In practice, unfortunately the UX gains are not realized because interoperability is unsolved, because vendors have little motivation to solve it and eliminate the lock in.

[karel-3d]

I like this part from Register article

> When I click “add key,” three different bits of software compete for my attention.

> First up is the password manager, offering to store a passkey. (This is the first time passkeys have shown up in this process – you can begin to see how a casual user might be getting confused.) I don’t want the password manager to be involved in this case, so I dismiss the window.

> Next up, a window appears from macOS asking me if I would like to use TouchID to “sign in” (to what? – I am already signed in to the website) and to save a passkey. Again, note the different terminology. When I dismiss that window, it is time for the browser to have a go, offering me four ways to save a passkey, including finally the option to store it on the hardware token. I insert the USB key and proceed.

> I think we can all agree that this is a confusing experience, with three different systems fighting to be the One True Place To Store Passkeys, along with the inconsistency of terminology (passkeys or security keys) and use cases (password replacement or strong second factor?)

> It’s like every piece of software wants to “help” but there is noone looking at the system-level behavior where these different bits of software interact with each other and the end user. I’ve encouraged my wife (a social scientist not a computer scientist) to adopt a password manager and 2FA, and she’s very willing to follow my lead, but the confusion of terminology and bewildering arrays of options frequently (and understandably) leads to complete frustration on her part.

https://www.theregister.com/2024/11/17/passkeys_passwords/

[dcow]

I’ve been in charge of a 3rd party authenticator passkey implementation twice and both times the platform (be that chrome or apple) unfairly leveraged their position to push their solution above 3rd party options. Apple, in its most recent update, finally allows the user to disable iCloud keychain so it’s not an option always getting in their way if they use something else like 1pass or bitwarden. Chrome still puts themselves first before allowing the user to see the list of “other” authenticators to use, which isn’t serviceable as an other.

[lucumo]

> Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work.

I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.

> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.

It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.

[scrollaway]

I remember being a kid on the internet 20-something years ago, understanding how passwords worked, and thinking the whole of the internet must be crazy for accepting a "pinky-promise we don't store that secret password you're sending us in plaintext, let alone use it for nefarious purposes" as the status quo.

I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.

Ah well, glad times change.

[pmontra]

I defend against that scenario by letting my password manager generate a different random password for every site. It defends also against sites handling passwords in terribly wrong ways, hacks, leaks, etc.

[diggan]

> I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.

In an alternative universe, the web standardized something like "tripcodes but cryptographically secure" which would keep any secrets out from servers, and we'd just be dealing with signed data.

One could always dream :)

[brazzy]

Client certificates are a thing and can in principle be used for authentication on websites. Not 100% sure that was possible 20 years ago, but Istrongly suspect that it was.

The problem is the UX around handling the certificates. Password are nearly impossible to beat in terms of "works everywhere without requiring any support infrastructure".

[skydhash]

Even with SSH, you need access to the console when things went awry. But that’s easier to secure as you need to be physically present in front of the machine, or go through your cloud provider’s security mechanism.

But that’s only inconvenient when you want access back. Most B2C don’t care about you enough to offer those processes.

[hedora]

That’s a poor mental model for how it works.

If it was just a private key that I had, then import/export would be trivial.

[lucumo]

KeepassXC seems to have included that for two years now: https://github.com/keepassxreboot/keepassxc/pull/8825 (I don't use Keepass, so I can't attest to how well it works.)

There's a JSON example of an export on the page. It shows nicely what's stored on your machine.

It's a non-standardized format, because a standard is still being worked on. I think most vendors are just waiting for that. The FIDO Alliance has a news message about it: https://fidoalliance.org/fido-alliance-publishes-new-specifi...

In the article they mention they are not just going to support exporting passkeys, but also passwords and other credentials. The goal is to create a secure exchange format for that. They have published drafts of the standards.

[clysm]

It is that trivial. The problem is vendor lock-in and no common, defined way to export/import them securely (which is going to change soon).

[wavemode]

Perhaps eBay themselves were restricting use of a given passkey to a specific device

[AJRF]

I have a degree in computer science, 10 years experience in some complicated fields and I can’t figure out PassKeys.

They are woefully designed and implemented, wish we just cut our losses with them and stopped pushing them.

Tuck them away in settings, not on the default login path.

[kjuulh]

I felt the same when implementing OpenID connect flows according to spec. It uses the browser in creative ways ;) Especially the device flow, absolutely insane complexity for what it is.

[tallanvor]

They're just public/private keypairs that are generated either by a device (whether it's part of you phone, computer, or hardware key), browser, or password manager. I do agree that it can be a bit of a pain when it comes to multiple managers trying to offer to save/respond to a passkey, but otherwise it's a fairly straightforward exchange.

[AJRF]

> They're just public/private keypairs that are generated either by a device (whether it's part of you phone, computer, or hardware key), browser, or password manager

Now imagine saying that sentence to a person outside tech

[fragmede]

Why would you give the technical explanation to a person that doesn't want the technical explanation? To the person outside of tech, passkeys are just your phone has a really good password and fills it out for you. Just use that and don't bother having to remember (and forget) another password.

[AJRF]

> To the person outside of tech, passkeys are just your phone has a really good password and fills it out for you

Except that is _not_ true, there is an entire thread of people saying they are unintuitive and hard to understand!

[decimalenough]

A monad is just a monoid in the category of endofunctors, what's the problem? Ape holders can use multiple slurp juices on a single ape, so if you have 1 astro ape and 3 slurp juices you can create 3 new apes.

[escapecharacter]

CVS keeps pushing them for their pharmacy login. So annoying.

[sydbarrett74]

Agree. The UI/UX is atrocious at present. The concept has flaws, but IMO it substantively raises the floor security-wise.

[Al-Khwarizmi]

Glad to know I'm not alone. My story is more or less the same (except without password manager). One day I was logging into my ancient Yahoo mail account that I use mostly for unimportant/throwaway things and spam, and I was offered a passkey. I accepted. Next time I logged in I was in a different computer (I regularly use 4-5 computers apart from my phone) and it didn't work. Later, in the original computer, it didn't work either... I guess because I updated something or whatever, no idea, I didn't bother to find out. I'm back to the password now, after having logged in successfully with a passkey exactly zero times after setting it up.

I also don't have a good mental model of how passkeys work. I could get informed. But why should I bother? I'm a busy person. Passwords have worked for me for more than 25 years, and passkeys seem much more fussy and inconvenient (what if I'm traveling and connecting from a random computer in an hotel/airport? I imagine I'll be expected to do something with my phone, as modern cybersecurity seems to be based on trusting everything to the phone -if it gets stolen, bad luck- but what if I have no battery?). I guess I'll have to find out if they force them on us, but if I (a CS PhD and professor) have to actively find out in order to use them, it's going to be chaos with regular users.

[ajdude]

I hate passkeys, only because it seems like every few months I'm trying to help ream them out of my grandmother's computer because she can no longer login to her yahoo email. I've told her countless times, stop saying yes for passkeys but she somehow inevitably gets them enabled on everything while on her desktop and then can't figure out how to access it from her phone.

[teekert]

I think Proton Pass just stores one key for all devices? Not even sure! But it does work anywhere without the experience you had: I go to a website I have saved, it pops up, I click and am logged in.

Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right? Idk, I had the same experience with BitWarden). The keys should be device specific right? That's the 2fa replacing magic.

I too, have no idea. And I too am a bit disappointed it is so difficult to understand what happens. I do believe I can just export the keys and import somewhere else (i.e. Proton <-> BitWarden), which would suggest one passkey per account... Hmmm... Also, I believe it's just Google and Apple that try to make this a walled garden, it wasn't designed to be like that.

[dchest]

> The keys should be device specific right?

No, they can be synched. There are different types of passkeys, synched and device-bound (for YubiKeys, etc.)

Hope this clears up the confusion (haha).

[teekert]

Ah but why are they better than classic credentials then? I thought they were device specific and thus "2fa build in". I thought you'd have to approve every new device from an existing one? But indeed I never saw that in action...

[recursive]

Because you can't export them.

[teekert]

Pretty sure I could with VaultWarden. For Proton indeed it seems to be an open issue. In theory it should be doable right? It's not like "impossible because of the spec" or something?

[xmgplays]

The difficulty of exporting them is kinda the point(sorta). The benefit of passkeys is that the average user is less likely to hand them over to a scammer, because they literally can't/don't know how, whereas everyone and their mother knows how to give a scammer their password/username and the funky numbers in the email they just got.

[recursive]

> It's not like "impossible because of the spec" or something

It could be, but I don't know if it is. One of the design points is that they are cryptographically un-phishable or something to that effect.

The ability to export directly conflicts non-phishability, at least in theory. I've heard conflicting information about what precisely is allowed or possible.

[djvdq]

I don't have this problem. I'm using passkey probably on only 1 website (github) but it's working without any issues on all my devices. Maybe it's a password manager issue? I'm a bitwarden user

[qwertox]

Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.

I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.

This are the kind of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.

What I liked the most was username+password and a Yubikey for OTP. And for what can't or no longer wants to deal with Yubikey, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.

[jeroenhd]

> The idea of passkeys is that they are supposed to be tied to a hardware device.

No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.

You can use hardware bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.

There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.

And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.

I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.

[karel-3d]

I thought Webauthn IS passkeys! It's a different thing...?

I thought Webauthn is a U2F continuation that uses them for both 2FA and login... and the login thing is called "passkey". It is not?

(I implemented U2F 2FA before and still cannot figure this out.)

[jeroenhd]

Passkeys are the name used for FIDO2 authentication flows for normal people.

WebAuthn is the JavaScript API to access the USB devices speaking U2F to the browser.

FIDO2 extends the WebAuthn API by also offering to store security tokens inside of a device's TPM, by using CTAP2 to authenticate with an external device or service, or by using good old U2F. If you're implementing it, you generally only need to deal with the WebAuthn side, the browser will take care of the rest.

You can think of Passkeys as "WebAuthn 1.1". Names like WebAuthn and U2F don't exactly attract the general consumer, so they rebranded it. The same way websites used names like "passwordless logins" when trying to describe WebAuthn+U2F, expect "passkey" seems backed by larger companies.

If you've implemented WebAuthn correctly (I doubt you actually interacted with the U2F API directly), you've also implemented passkeys.

The naming is rather confusing, mostly because a lot of websites used the wrong name for the wrong part of the process. Luckily, almost nobody acfually knows what the hell a WebAuthn is, so passkeys are the introduction to the whole stack for most people.

[cycomanic]

Just a side note my 80 year old mother uses Linux with keepassxc and has generally more secure processes than many software developers I know (who often use very simple passwords, share them around freely...).

Just to say that we should be careful with our generalisations (I know you didn't start this one).

[Biganon]

Why should we be careful? Not trying to troll here, but your mother being an exception to the generalization doesn't mean the generalization is wrong. Nobody said 100% of old people had bad security habits.

[wasmitnetzen]

Do you have a source for the hardware-tied design? Neither the specs[1] nor Wikipedia[2] say anything about Authenticators being hardware-only as far as I can see. The specs even specifically talk about Clients (ie browsers) storing passkeys.

[1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...

[2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...

[navigate8310]

> Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

Well you can decrypt your bitwarden using a Yubikey

[ExoticPearTree]

Looks like a Dashlane problem from what you are describing.

Since I use a Mac, I will refer to my MacOS experience: Keychain and now Passwords will sync passkeys via iCloud to any other device. The end result is that you only have one passkey. Pretty seamless experience.

[jlokier]

I have a Macbook and an Android phone, as do many people.

Can I still have a seamless experience with passkeys, or have they made that difficult? Do I need to remember to reject the dialog offering to save keys on Keychain and learn to use a 3rd party passkey service?

What am I supposed to about all the passkeys that will be needed at my multiple jobs, which I access from my own Macbook and phone? Can I use a single service, ideally open source, or do I need to use several "passkey sharing & backup managers", one for each entity and one more for my personal keys?

[ExoticPearTree]

I have a MacBook and an iPhone, so no problems. In your case I guess you need some third party software to achieve what I described.

[avhception]

There is no way I will sync all of my credentials onto other peoples computers.

Trust issues aside, is there a way to get those passkeys out of there?

Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?

[jeroenhd]

I don't think iCloud has exports for secrets like that (and that's not just restricted to Passkeys).

Other tools do, though, like KeepassXC or any other password manager really.

[Asmod4n]

You can share them via airdrop

[wkat4242]

No, this is part of the problem. They're using passkeys to build their walled gardens. So lock in is a feature not a bug.

[eviks]

So you're locked into Macs for this seamless experience

[ExoticPearTree]

I don't know, I just shared my experience with passkeys on a Mac. Maybe Microsoft has something similar.

[N_Lens]

Yeah I'm on Mac/iPhone as well and was scratching my head at the "multiple passkeys" comment.

[encom]

>any other device

Any other Apple™ device.

[ashdksnndck]

Nowadays I use the passkeys with my password manager and everything works across multiple devices. I’ve never been presented with a list of passkeys to select from.

[sydbarrett74]

I’ll second this. A combo of KeePassXC (desktop), KeePassium (Apple), and KeePass2Android plus manually synching my .kbdx file makes the passkey experience relatively smooth for me.

[gbil]

> KeePass2Android

It doesn't support passkeys yet so I'm surprised you mention it because this is what I wait for a full cross-device (for me) support, to start using passkeys

https://github.com/PhilippC/keepass2android/issues/2099

[sydbarrett74]

Tiredness caused my poor explanation and you’re absolutely correct. I didn’t explain fully. I guess I have a 2/3 solution.

[dale_huevo]

So you need three different applications and manually moving around files to achieve a "relatively smooth" experience? I don't think this is the endorsement you think it is.

[emptysongglass]

KeePass is a community project, Bitwarden is not. These are just client applications that sync and interact with the .kbdx file the community has formalized a standard on. That's why Bitwarden has a unified client application ecosystem and KeePass does not.

You don't understand KeePass, which is fine, but please don't make bad assumptions like these if you don't understand the underlying reasons for why a thing is the way it is.

It's like calling out why there are two dozen email clients that speak IMAP.

[dale_huevo]

Uh I know what KeePass is and how it works. The proposed "smooth" solution is - at best - clunky and inconvenient. You've missed the forest for the trees.

> You don't understand KeePass, which is fine

Haha this is so hilariously smug and condescending I have to wonder: are you the real-life Comic Book Guy?

[sydbarrett74]

I should’ve clarified: I consider it relatively smooth for a technical user.

[emptysongglass]

Please don't make personal attacks on HN.

The only difference between an imagined smooth solution is the sync mechanism and a unified client application ecosystem, neither of which is really possible without a large company behind it.

I said you don't understand how KeePass works because you refer to 3 applications for 3 different OSes (2 mobile) as if they were a confusing mix of different applications, when really they're just client implementations around a single, formalized spec. And most folks don't use both iOS and Android so really there's just your choice of KeePass desktop app and one for Android or iOS.

No one says the plethora of email client choices is confusing. This is exactly the same.

[jasonjayr]

Same for me, but syncthing works to sync across the platforms for me, and has been pretty solid.

[rafaelmn]

I think your problem is Dashlane. I had to use it for one corporate gig an oh my god was it the worst password manager I used - UX and stability wise.

[wenc]

> I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it.

Sites kept asking me if I would like to setup a passkey, and I didn't have a good mental model for what it was either.

Turns out it's like PGP of the 1990s -- public/private key but for auth instead of email encryption.

Public/private key is not the of easiest ideas for a lay man to understand (though some YouTube videos explain it well).

All users want to know is that it keeps their information safe.

Like modern credit cards -- they use public/private keys, but the messaging is "your credit card number is kept safe," not this is based on PKI.

[jbverschoor]

Exactly my experience. The mental model is easy once you understand that it’s just a key on your device/app.

It’s just really hard to wrap around your head that this is the actual implementation with so many drawbacks given most people have 2+ devices, and different OSes to provide it.

I won’t use them.. although I’d have loved to use them.

When they worm they work, but I can’t trust them completely, so what’s the point? There’s no difference with a password, except that the sign-in process can be streamlined when everything works

[Al-Khwarizmi]

I suppose they refer to a more detailed mental model. For example, I know that it's a key in my device, but I don't have a detailed enough model to know if it will work if transferred to another device or stored in the cloud, or what I'm supposed to do at a cybercafe/hotel/airport/borrowed computer. So my mental model is not good enough. With passwords, the answers to questions like that are obvious.

[jbverschoor]

That’s the problem. I don’t think that’s part of the spec.

I’m also not sure, and given that there’s no mention of transferring, backing up etc, I assume they’ll be lost forever.

I won’t take that risk. And if they require my email/password/2fa to recover, the. What’s the point.

I wanted to love them so much, but I can’t. I won’t burn myself again like with getting a new phone and loosing all your 2FA, because someone thought it’d be a good idea to make them device bound on most apps.

Ease of use is a security feature.

[kd5bjo]

> There’s no difference with a password, except that the sign-in process can be streamlined when everything works

There is one other major difference behind the scenes: With passkeys, the service you’re logging into never has enough information to authenticate as you, so leaks of the server-side credential info are almost (hopefully completely) useless to an attacker.

[jbverschoor]

Sure, but that would mean the service is likely to be useless as well.

And, you’re likely to loose access to your service. It’s like would you rather loose your pictures forever, or have them copied by someone

[stavros]

If you think there's no difference between a password and a passkey, that kind of tells me you don't really know a lot about passkeys, so it makes sense you'd think they're just worse-implemented passwords.

[hulitu]

Please, tell us more.

[stavros]

https://duckduckgo.com/?q=benefits+of+passkeys&t=vivaldim&ia...

[jbverschoor]

The only difference is that you sign the authentication.

I think Facebook does the same thing when logging in with a password.

It’s been crudely done for ages by sending over a hashed version of you password when submitting a form.

Not the exact thing, but still.

What is the problem they’re trying to solve? I’m not sure to be honest. Is it leaked passwords/keys? No difference there, as all passwords are unique anyway with a password manager.

Is it ease of use? I hoped so too.. but nope.

Is it anonymity? I hopes so too, but just like “hide-my-email”, apps will detect it, and require all other missing info such as your real email, name etc.

[stavros]

The only difference is that you sign the authentication, except all the other differences like the server doesn't keep a secret that can be stolen, it can't be phished, you can't reuse it, you can't mistype it, you can't store it improperly.

[jeroenhd]

That's not a passkey problem, that's Dashlane being very weird about passkeys. There's no way that isn't a bug.

[richardw]

Interesting. I’m only a user of them but not had one second of trouble. I save them on my device in the native saving place (iOS/mac) and it just works. I didn’t know this issue existed and I’d like to avoid it. Is the issue when you save them in a password manager?

I have Bitwarden for personal and now 1Password for work, so might hit the issue at some point.

[romperstomper]

As far as I understand the passkey are not to be intended to sink across devices. They unlock private keys stored on device and these keys are used for authorization on web sites etc. At least this was my understanding when last time I tried to grok passkeys :)

[dale_huevo]

The downfall of passkeys is that - as was inevitable - they are horrifyingly implemented webshit.

For example, nearly every visit to my Amazon orders page I am now greeted with a nearly full screen modal browser popup letting me know about passkeys and why I should switch to them RIGHT NOW. I politely declined - the first thousand times. I don't know if this is a site or browser issue and frankly I don't care anymore. It's spam at this point and I want nothing to do with it.

My hesitancy was rooted in concerns about potential issues pretty much what you just described so glad to know I was right.

Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

No thanks - I'll stick with passwords. Did everyone forget about hardware tokens which are device and OS-independent and rely on no external infrastructre?

[littlecranky67]

Don't forget that a per-device passkey is the wet dream of any $MEGACORP wanting to track your habbits. Which is another reason why it is a no-go for me.

[nasso_dev]

> Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

Unlike passwords, you can have multiple passkeys per account. You can have 5 passkeys for your amazon account if you use your amazon account on 5 different devices. If you lose device 4, or if it gets stolen, you can just delete passkey 4. The other ones are safe.

Or, you can use a syncing service like a password manager. Both solutions work!

[0cf8612b2e1e]

How many years did it take for Amazon to allow multiple yubi keys?

If giant tech company with infinite money cannot handle it, why should I have more faith in the dozens of services I use to do better this time?

[hazmazlaz]

That's just a problem with how Dashlane and/or eBay implemented Passkeys. I have tons of site passkeys (1 per site) saved with 1password and use them across multiple devices just fine.

[jorvi]

That is very rarely how passkeys work.

You chose a worst case example and are comparing it with your best case example.

Virtually all sites have one passkey, tied to your vault of choice (Apple, Google, 1Password, etc). You make one, and you can use it everywhere.

Passkeys are a blessing for your regular Joe. No more easy phishing, and no passwords to forget. Often even no username to forget.

Apples-to-apples, passkeys rock.

[probably_wrong]

> Passkeys are a blessing for your regular Joe.

I've had two regular Joes come to me because Google locked them out of their accounts (plus a third one with Apple) and they had important emails they couldn't get to. The "solution" in all cases ended up being a total loss and starting from scratch.

Now when Google locks them out of their account with no recourse (or, more likely, when their phone dies without backup) not only do their lose their email, but also every other service they ever signed up for.

Passkeys may be better when everything works right, but password managers are miles ahead when something goes wrong.

[jorvi]

Google aggressively forces you to add your phone number or a backup email, multiple pop-ups per month. When you make a passkey they again aggressively try to force you to have backup access methods. You really have to put in a good effort to lock yourself out.

If regular Joe configured a TOTP and then ignores the huge warnings about not saving the backup codes, are you going to blame the service or him?

[probably_wrong]

> You really have to put in a good effort to lock yourself out.

When Google and Apple block you, you stay blocked for good regardless of how many backup measures you provide. An Apple representative literally told me once that I needed to provide the phone number of the thief who stole my brother's phone if I wanted to regain access to iCloud; Google asked for my password and backup email only for their system to say "that's not enough to let you in, but there are no other methods so you're SOL".

Even in more "normal" situations, how much do I need to pay to get someone at Google to check my identity (possibly with official ID) and restore my account? Answer: None, because that's not a service Google offers - you can try to sign up for a paid plan, but even then there's no guarantee that they'll listen to you.

Any system that depends on FAANG companies is a system where you can find yourself locked out without recourse. I definitely blame the service.

[jorvi]

Oh, you mean being locked out by the vendor, not accidentally locking yourself out.

Yes, that sucks. I have an old account at a FAANG they won't allow me to log in to despite me knowing the current password, my old passwords and the old e-mail. But it is partly my own fault because I changed the e-mail and phone number to a fake one.

I will say that getting locked out (= banned) by Google or Apple usually means you're doing something odd or even seedy. Of all the regular people I'm acquainted with, it hasn't happened to anyone, ever. And that's gotta easily be 100+ people. However people like dropshippers, grey hats, OF models etc etc any people with irregular cash flows or e-mail traffic definitely run a risk.

[dcow]

FWIW you’re supposed to use one passkey synced across your all devices where your PW manager (Dashlane) is installed. The fact that Dashlane let you so easily do the wrong thing might be an issue of their early/unrefined support for passkeys.

[navigate8310]

I use Bitwarden on every device, it saves exactly ONE passkey per service. No more fiddling it passwords and some services don't even want to bother with your username as well. Just one passkey prompt and login happens seamlessly.