A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you log in, but the site/app has no way of knowing/proving whether that happened; they just get the password.
Thought sites can request hardware attested passkeys? In this case usb keyfob, or passkeys instanced from a secure enclave, etc.?
altmind · 13m ago
Passkeys are the easiest way to lose access to your account.
Darkskiez · 2h ago
Except you can store the passwords on a usb key / remote over bluetooth, and then also keep them secret from the potentially compromised host.
gnabgib · 2h ago
The first passkeys were physical (USB) keys. And you never share the key with a host or server.
lazzlazzlazz · 3h ago
The fact that you can't actually see the passkey is absurd. I understand it's a "feature" to prevent phishing — victims have a lot less to share — but it constrains more sophisticated storage and use of passwords.
JohnFen · 5h ago
> To present a passkey, you have to use a password manager.
This is what makes passkeys nonstarters for me.
aldshglkhdg · 2h ago
that isn't true at all.
i regularly use a yubikey as a passkey, and it's entirely orthogonal to any password manager i use. it happily just works on firefox on both mac and linux.
to use a passkey, you need a place to store the passkey. that can be a hardware token, a tpm, or a password manager.