by _Algernon_ 346 days ago
The only way passkeys make sense is in terms of vendor lock-in. If you stick with a single vendor (i.e. Google or Apple) to manage them for you, it kinda works if you ignore edge cases (e.g. how to recover if phone breaks).

So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.

The only way passkeys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.


> The only way passkeys make sense is in terms of vendor lock in.

This is what I've figured as well, and even if my password manager claims "eventually we'll support it, once it's available" (https://blog.1password.com/fido-alliance-import-export-passk...), I've been putting it off until the implementation is actually in place.

But the question is when that'll be. Last I've heard about the whole "Risk of lock-in from export blocking" is:

> The general vibe is supportive and language has been added to this effect, though it looks like we haven't done a public working draft in some time so I don't think that's externally visible yet. Also usual caveats about in-progress work subject to change.

https://github.com/fido-alliance/credential-exchange-feedbac...

I guess time will tell. But for now, considering the history of lock-in on the web, it's best to stay away from passkeys until they figure out a proper way of avoiding it.

Bitwarden is the one vendor that doesn’t do lock in (since you can export your passkeys). Which also means you can back them up.

The rest of the platforms give you zero ability to export or back up your passkeys, which makes them worse than useless.

Apple also announced passkey import and export is coming this fall with iOS 26 (and their other OSes): https://developer.apple.com/videos/play/wwdc2025/279/
> We'll explore key updates including [...] and the secure import/export of passkeys

Have they shared any details about whether this is actually cross-provider/platform import/export? I feel like if Apple doesn't outright share those details, they're talking about import/export within the Apple ecosystem.

No, in this case it is actually an industry standard: https://fidoalliance.org/specifications-credential-exchange-...

Nothing of the info Apple published so far seems to indicate that they'll implement that. And again, based on the track record of Apple, it feels unlikely they won't implement something on their own.

I worked on this standard and we’re all excited that it’s rolling out to most if not all password managers and platforms.

Let’s see — Apple's track record of interoperability isn’t great unless dragged by regulatory bodies. Managing private emails at scale to migrate away from Apple, for instance, is wildly painful.

There is an industry standard being deployed for passkey (and other credential) import/export so that everything will work together seamlessly. Most players are waiting for that so there aren’t N different formats floating around that only work with subsets of other PW managers, which is a real problem now.

I'll believe it when I see it. So far I'm with the "Passkeys are for vendor lock-in" crowd and keeping my distance from them.

I tried finding anything in the transcript that mentions that import/export explicitly will be the open standards, but they seem to mention "FIDO" and import/export in different contexts, not together.

Maybe I missed something?

These drafts both look reasonable. I wasn't aware they'd progressed beyond vaporware and I'm pleasantly surprised.
Re: Bitwarden passkeys export/import, I found this:

> Q: Are stored passkeys included in Bitwarden imports and exports?

> A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.

https://bitwarden.com/help/storing-passkeys/#passkey-managem...

But I'm not sure I understand the last part: how is the "ability to transfer your passkeys to another passkey provider" planned for a future Bitwarden release, if the passkeys are already included in the export data? Wouldn't that be up to other passkey providers to implement the import? Or is the export data not complete enough for an import?

Yes, other providers could theoretically import Bitwarden’s proprietary format. Bitwarden’s reference to a future release is regarding the standardized import/export of passkeys that is in development: https://fidoalliance.org/fido-alliance-publishes-new-specifi...

I work at Bitwarden and I can confirm this. While technically you have the data, any other app needs to support our JSON format (which they totally can, our code is open source), but CXP (the standard) is happening this year so we’re planning on using it.
1Password are working with Microsoft to integrate more with Windows’ passkey APIs.

The real test will be how easy it is to move passkeys from, say, 1Password to KeePassXC (open source). It’s on my todo list.

For now, 1P’s passkey support appears to work quite well with all the sites I’ve tried. I’ve got multiple devices (Linuxes, macOS, Windows) and passkeys just work. I like the fact that 1P is cross platform, but after all it too is proprietary.

> how easy it is to move passkeys from, say, 1Password to KeePassXC (open source). It’s on my todo list.

AFAIK, there is no export from 1Password with Passkeys yet, so maybe better to put it in your calendar to check back in 6 months or so.

> passkeys just work

Yeah, I'm not doubting that, but I cannot reasonably base my core authentication on something that locks me to one service; that just feels too irresponsible. Hence the wait for proper import/export before spending any time on this :)

Truth. With passwords, you don't even need a service, open or closed. You can just write them down on an air-gapped piece of paper.

This so many times. The cryptography around passkeys is great. An operational consequence that a lot of people seem to miss is lock-in.

I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.

Unless people use weak passwords today, all their passwords are scattered across various browsers and system autofill, unless they use a PW manager deliberately, in which case they’re “locked in”.

One of the counterpoints here is that while good security might have you adopt one password manager vendor, that vendor is not necessarily the same as your platform vendor. Traditionally this is a way to fight vendor lock-in.

You can export your passwords. I've done it and switched vendors.

It is trivial to migrate from LastPass to Bitwarden. I’m not sure about all other permutations of password managers though.

There are open source password managers with decent interop. The interop is very crusty CSV export/import, but hey, it’s not Hotel California.

With passkeys, the concern is that the platform vendor will become the password manager for a lot of people … Android users will use Google’s built in password mgmt tools, iOS users will use Apple’s. This makes switching that much more difficult.

> if you ignore edge cases (eg. how to recover if phone breaks)

I really see this language around passkeys a lot.

How is losing your phone, phone breaking, etc. considered an edge case?

It’s common enough that Apple has a whole app called Find My.

Phones falling into toilets led to a whole meme about putting them in rice to fix them.

And even before Find My existed as an app, Apple had equivalent functionality available online within a couple of years of the iPhone's introduction.

> The only way passkeys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

I mean, that's what Microsoft is doing here, no? They're changing their password manager to only accept passkeys, not passwords and to block off autofill functions. Granted, right now they're the only vendor to do this, but that's a pretty risky precedent to create.

More likely is MS Authenticator loses its already minuscule market share.

It is massive in corporate. I think it's the most used authenticator. On the Play Store alone it's got 2 million app reviews, Google Authenticator 579 thousand, Authy has 86 thousand. The download count seems to stop at 100M+ so I can't compare that.

Microsoft is (re-)splitting their 2FA app from their Password Manager. The Password Manager is moving exclusively back into the Edge app. It will still provide autofill inside the Edge app. It may even get autofill (again) into other apps.

If anything this seems a move to get users to use more Edge than to use more Passkeys.

For myself it’s a very good secondary auth alternative. E.g. I register with a vendor, create a strong password in my password vault and then create a passkey.

A passkey is convenient for login (and also quick), but in the worst case scenario I still have passwords. I wouldn’t trade in passwords completely, but I prefer passkeys to OTPs.

THIS!

Worth my point for this emphasis.

Can concur.

Passkeys absolutely make sense from a security (and in theory also UX) POV. Handling logins for dozens of services is either very insecure (reuse), has even worse vendor lock-in (federated ID), or has pretty bad UX (password manager).

In practice, unfortunately, the UX gains are not realized because interoperability is unsolved, because vendors have little motivation to solve it and eliminate the lock-in.