> The only way passkeys make sense is in terms of vendor lock in.

This is what I've figured as well, and even if my password manager claims "eventually we'll support it, once it's available" (https://blog.1password.com/fido-alliance-import-export-passk...), I've been putting it off until the implementation is actually in place.

But the question is when that'll be. Last I've heard about the whole "Risk of lock-in from export blocking" is:

> The general vibe is supportive and language has been added to this effect, though it looks like we haven't done a public working draft in some time so I don't think that's externally visible yet. Also usual caveats about in-progress work subject to change.

https://github.com/fido-alliance/credential-exchange-feedbac...

I guess time will tell. But for now, considering the history of lock-in on the web, it's best to stay away from Passkeys for now, until they figure out a proper way of avoiding it.

This so many times. The cryptography around passkeys is great. An operational consequence that a lot of people seem to miss is lock-in.

I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.

> if you ignore edge cases (eg. how to recover if phone breaks)

I really see this language around passkeys a lot.

How is losing your phone, phone breaking, etc considered an edge case?

It’s common enough that Apple has a whole app called Find My.

Phones falling into toilets led to a whole meme about putting them in rice to fix them.

And even before Find My existed as an app Apple had equivalent functionality available online within a couple of years of the iPhones introduction.

> The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

I mean, that's what Microsoft is doing here, no? They're changing their password manager to only accept passkeys, not passwords and to block off autofill functions. Granted, right now they're the only vendor to do this, but that's a pretty risky precedent to create.

For myself it’s a very good secondary auth in alternative. E.g. I register with a vendor, create strong password in password vault and then create a passkey.

Passkey is convenient for log in (and also - quick) but worst case scenario I still have passwords. I wouldn’t trade in passwords completely but I prefer passkeys to OTPs.

THIS!

Worth my point for this emphasis.

Can concur.

Passkeys absolutely make sense from a security (and in theory also UX) POV. Handling logins for dozens of services is either very insecure (reuse), has even worse vendor lock in (federated ID), or has pretty bad UX (password manager).

In practice, unfortunately the UX gains are not realized because interoperability is unsolved, because vendors have little motivation to solve it and eliminate the lock in.

I’ve been in charge of a 3rd party authenticator passkey implementation twice and both times the platform (be that chrome or apple) unfairly leveraged their position to push their solution above 3rd party options. Apple, in its most recent update, finally allows the user to disable iCloud keychain so it’s not an option always getting in their way if they use something else like 1pass or bitwarden. Chrome still puts themselves first before allowing the user to see the list of “other” authenticators to use, which isn’t serviceable as an other.

I remember being a kid on the internet 20-something years ago, understanding how passwords worked, and thinking the whole of the internet must be crazy for accepting a "pinky-promise we don't store that secret password you're sending us in plaintext, let alone use it for nefarious purposes" as the status quo.

I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.

Ah well, glad times change.

That’s a poor mental model for how it works.

If it was just a private key that I had, then import/export would be trivial.

Perhaps eBay themselves were restricting use of a given passkey to a specific device

I felt the same when implementing OpenID connect flows according to spec. It uses the browser in creative ways ;) Especially the device flow, absolutely insane complexity for what it is.

They're just public/private keypairs that are generated either by a device (whether it's part of you phone, computer, or hardware key), browser, or password manager. I do agree that it can be a bit of a pain when it comes to multiple managers trying to offer to save/respond to a passkey, but otherwise it's a fairly straightforward exchange.

CVS keeps pushing them for their pharmacy login. So annoying.

Agree. The UI/UX is atrocious at present. The concept has flaws, but IMO it substantively raises the floor security-wise.

I hate passkeys, only because it seems like every few months I'm trying to help ream them out of my grandmother's computer because she can no longer login to her yahoo email. I've told her countless times, stop saying yes for passkeys but she somehow inevitably gets them enabled on everything while on her desktop and then can't figure out how to access it from her phone.

> The keys should be device specific right?

No, they can be synched. There are different types of passkeys, synched and device-bound (for YubiKeys, etc.)

Hope this clears up the confusion (haha).

Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.

I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.

This are the kind of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.

What I liked the most was username+password and a Yubikey for OTP. And for what can't or no longer wants to deal with Yubikey, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.

I have a Macbook and an Android phone, as do many people.

Can I still have a seamless experience with passkeys, or have they made that difficult? Do I need to remember to reject the dialog offering to save keys on Keychain and learn to use a 3rd party passkey service?

What am I supposed to about all the passkeys that will be needed at my multiple jobs, which I access from my own Macbook and phone? Can I use a single service, ideally open source, or do I need to use several "passkey sharing & backup managers", one for each entity and one more for my personal keys?

There is no way I will sync all of my credentials onto other peoples computers.

Trust issues aside, is there a way to get those passkeys out of there?

Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?

So you're locked into Macs for this seamless experience

Yeah I'm on Mac/iPhone as well and was scratching my head at the "multiple passkeys" comment.

>any other device

Any other Apple™ device.

I’ll second this. A combo of KeePassXC (desktop), KeePassium (Apple), and KeePass2Android plus manually synching my .kbdx file makes the passkey experience relatively smooth for me.

I suppose they refer to a more detailed mental model. For example, I know that it's a key in my device, but I don't have a detailed enough model to know if it will work if transferred to another device or stored in the cloud, or what I'm supposed to do at a cybercafe/hotel/airport/borrowed computer. So my mental model is not good enough. With passwords, the answers to questions like that are obvious.

> There’s no difference with a password, except that the sign-in process can be streamlined when everything works

There is one other major difference behind the scenes: With passkeys, the service you’re logging into never has enough information to authenticate as you, so leaks of the server-side credential info are almost (hopefully completely) useless to an attacker.

If you think there's no difference between a password and a passkey, that kind of tells me you don't really know a lot about passkeys, so it makes sense you'd think they're just worse-implemented passwords.

Don't forget that a per-device passkey is the wet dream of any $MEGACORP wanting to track your habbits. Which is another reason why it is a no-go for me.

> Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

Unlike passwords, you can have multiple passkeys per account. You can have 5 passkeys for your amazon account if you use your amazon account on 5 different devices. If you lose device 4, or if it gets stolen, you can just delete passkey 4. The other ones are safe.

Or, you can use a syncing service like a password manager. Both solutions work!

> Passkeys are a blessing for your regular Joe.

I've had two regular Joes come to me because Google locked them out of their accounts (plus a third one with Apple) and they had important emails they couldn't get to. The "solution" in all cases ended up being a total loss and starting from scratch.

Now when Google locks them out of their account with no recourse (or, more likely, when their phone dies without backup) not only do their lose their email, but also every other service they ever signed up for.

Passkeys may be better when everything works right, but password managers are miles ahead when something goes wrong.

> It's tied to vendor lock in

If you're referring to the inability to transfer passkeys across systems, that should be improving soon.

https://blog.1password.com/fido-alliance-import-export-passk...

https://arstechnica.com/security/2025/06/apple-previews-new-...

> To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it.

I'm not sure that's a good example. I thought you currently only need to share your password if you want to let them use your Netflix account on their computer/phone/tablet. If you are just trying to set them up on their smart TV wouldn't you simply have them install the Netflix app on their smart TV, launch it, hit sign in, and then tell you the 8 digit confirmation code from the app, and then you would go to netflix.com/tv2 on your computer/phone/tablet, enter that code, and use your credentials to confirm?

So let's change it to you want to let your parents use your Netflix on their computer/phone/tablet. Netflix doesn't currently support passkeys, but we will assume they will at some point.

What you would do is something like this.

1. Tell them your Netflix account name.

2. Have them go through Netflix's procedure for logging in on a device that does not have a passkey when you have no other devices available that do have a Netflix passkey for your account. They are almost certain to have some way to do this.

3. Once they are logged in they can add a Netflix passkey to that device.

Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.

The “problem” they solve for Google and Apple is how to further lock people into their ecosystems. Microsoft too, they are part of it as well I believe.

But companies like Google, Microsoft, and Apple have a vested interest in making third party tools like bitwarden not work as well, or not at all on their platforms.

A lot of answers to problems people raise wrt passkeys seem to be “using a good password manager”.

But one of the selling point is that they are supposed to help bog standard users be more secure. How many bog standard users do you see using a good password manager, despite how long we've been suggesting that they do. If they aren't going to use one for passwords they aren't going to use one to smooth the edges of passkeys use.

This still doesn’t solve requirement 2, at least as far as I can tell.

I’m a 1Password user. There are times I want to login with one of my personal accounts on my work laptop, auxiliary device I have, or family member’s device. On all these occasions, I’m not going to install 1Password and sync down my entire vault, just to delete it 5 minutes later. I simply reveal the password in my app and type it in. With passkeys there is no way to do this. It’s an edge case, but an important one.

I’d feel much better about passkeys if it wasn’t some mysterious thing locked away in a vault. If it’s effectively a public/private key pair, I should be able to see the private in my password manager and copy/paste it wherever I want, and however I want. If I could do this I would instantly understand what’s going on and be more accepting of it, though I’d expect I’d still run into some edge cases.

I want to be able to share access without permission from Microsoft

How does that differ from each person having their own password? Right now, if the service only allows for a single login (username/password), then is there a reason to believe it would allow multiple people to have different passkeys?

Plus that doesn't really address allowing someone else in your family to log into your account "temporarily"; ie if you want them to check something for you.

Yes I do, don't put words in people's mouth. I want to share passwords (not access) with my family so they can authenticate into services without the service provider being able to tell who is accessing it.

That's an implementation detail, could just as well easily have multiple username/password pairs tied to the same underlying account

And still, the entire bank account is still vulnerable to a $15 silent borrowing of your phone number for a day, bypassing all normal protections. The system is only harder to access for the rightful owner.

It is already required to buy an approved terminal to participate in society. This may seem a bit of joke in some countries but in many places it is absolutely real.

The next step in progress is to bake in functionality that can guarantee interested parties that it is you operating the terminal at all times.

You're probably right. We'll have enforced boot chains and attestation for devices if we want to take part in large parts of our economic system in the future. A ton of important systems like banking, safe and secure sex worker and entertainment sites for users and performers, government services like online taxes and car licensing and drivers testing* and children-safe sites.

Over twenty years ago, many of us warned about the dangers of increased and unaccountable intelligence service power. We saw what the Patriot Act would create.

We joined the EFF and the ACLU, or renewed our memberships. Organizations at the time that focused more on actual deep philosophical issues and how they relate to our political world.

Obviously the Patriot Act has saved lives. Terrorist events and neglected victims are tragic and VERY emotional.

But today, immigrants and others are spending their own lives protesting the actions of ICE. Their own very limited time on this planet.

I'm not here to judge Immigration and Customs Enforcement. I'll take flak for that among liberals. Again, I'm not judging ICE. In many cases they've been falsely accused where there was clear evidence they weren't at fault.

No, what bothers me is immigrants, who already have difficult lives, and Generation Z, who have less economic security themselves, are the ones marching in the streets.

Twenty years from now, who will be working extra unaccountable and unbillable hours protesting in the streets because the DRM and secure computing systems being pushed through today are abused?

Even if most of that abuse is a show, meant to divide citizens and law enforcement. There are people out there working for free for that show.

Who will work more in the future?

And like not judging ICE, I'm not judging the countries racing and battling to deploy secure computing environments. Knox and TrustZone and TPM and whatever new things await us in the future. There are reasons both for safety and economic security I dont judge.

And there are dark patterns around software supply chain weaknesses and online safety and incentives to accelerate those issues to push through security architectures.

Other countries are doing it. I hate the fucking game theory solutions that it encourages.

But what I'm worried is that in twenty years who will be working for free because our secure computing environments are found unfair?

And unfair can be many things. Governments push values, even when it's not explicit. When I'm using my integrated cyberdeck or implants or just ambient room device, what am I missing? What is being pushed into or out of my vision or awareness?

That's twenty years in the future, what's forty years in the future? I won't be here, but you bet your ass I'm worried. Because the people who I fucking care about now working their asses off for free are being blinded about the upcoming digital wreck, like they were in 2001.

* I believe myself here, that's key.

Apple, Google, and Microsoft already do passkey sync for free. They don't do exports, though. However, there are various third party solutions for synching passkeys that aren't tied to your computer manufacturer.

I don't think passkeys are going to replace passwords any time soon, and I don't think freeloaders are even part of the equation here. You can share a passkey through Bitwarden just as easily as you can share a password.

Freeloaders already need to jump through hoops to share passwords and even then they're getting off easy; if streaming companies actually cared about catching freeloaders, they could stop the practice all together. What they're doing now is just signalling them that you're not supposed to and adding very minor annoyances to the mix.

Bypassing SEO spam is the core use case of LLMs (with search function) for me. It's so nice to just get a (relatively) concise answer immediately.

While not quite switching to 1Password, the latest Win 11 build includes:

> We have partnered with 1Password to bring users a seamless plugin passkey provider integration in Windows 11.

after other details at least it does go to:

> If you are a credential manager developer, we invite you to integrate with Windows 11 to support customers in their passkey journey. To find out more about implementation detail, go to https://aka.ms/3P-Plugin-API.

The full info:

https://blogs.windows.com/windows-insider/2025/06/27/announc...

That would require all the microsoft auth platforms to allow you to use yubikeys or similar instead of default forcing you in to ms authenticator only

Client certificates have existed for basically as long as encryption. Passkeys are more than that, and that is a crucial point. They allow to verify the identity of the signing device, and allow access only if the device is "legitimate" from the point of view of the remote service. That is a very big encroachment on the user's privacy and freedoms and a new very big step in the process of tying everything even more tightly to accounts and devices controlled by the big service providers and making it more difficult to get out or to enter the market for new actors.

Think Trusted Computing. Soon it will be impossible to log in to some media streaming platform, for example, if you don't have a passkey sanctioned by an OS with a TPM. Then everything will be locked in and the only flaw will be our eyes and our ears.

Just an almost meaningless nitpick, but biometrics are "something you are", aka. the third of the famed three factors. :)

The article is wrong: users copy passwords from their password manager into the website if the autofill doesn't work => phishing. Can't do this with passkeys.

Agree with your other points, the whole passkey story is undeveloped and unclear yet.

Why would I keep them separate? What does this achieve?

I don't think skipping 2FA is a benefit. Sure, replace SMS with passkeys or TOTP or literally anything else, but don't actually take away my second factor, please!

> Password managers sync passkeys

0. Which Password manager(s)?

> just fine

1. Sync where and with whom?

2. And are you including or excluding export and/or import too?

You provide no evidence for your claims.

PKs are being used as 1 factor mechanisms. That's centralizing a whole lot of trust.

What passkeys are isn't something that most people want.

I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.

No, passkey export is intended to be a thing and is becoming a thing. I'm not sure if Microsoft has implemented it yet but here is Apple's version:

https://mobileidworld.com/apple-introduces-cross-platform-pa...

Someone should tell Apple; they’ve been cloud-syncing passkeys for years.

And yet people still need to share authentications between different devices (or people) and back them up for recovery purposes. If you're expecting only what you're saying, you'll find yourself simultaneously disappointed at how low the uptake is in the real world and how many major implementations (e.g. Apple) have a vastly different security model.

No, their point is that they are absurdly long and not phishable. Point b is not practical for mass uptake, as hardware devices get broken/lost/stolen all thr time. And no, only nerds will have multiple ones.

Sounds like the sort of thing that will lock me out for any of a dozen different reasons.

If that means I lose access to my accounts if my device dies on me, then hard pass.

> The whole point of passkeys is that they are a) one per device

Hm, so then i need one for my account and one for every device where i use this account

> and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them

i heard that the new "device's secure enclave" is the cloud.

> The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave

This is literally the opposite of what Passkeys are.

> Was your Authenticator backed up in iCloud?

Yes

> Similar to a password there isn't a way to recover it if you forget it.

But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.

> You can have it show a QR code that you can scan with phone, using your phone as a passkey.

I can't keep my phone in my safe and still use my phone.

>> employees running corp MS Authenticator on their personal devices makes me sad.

> What is sad about that?

Why does it make me sad? That's a good question. Insufficient respect for employees' personal domain. Non-optimal IT defaults.

    - It sets up a scenario where the employee's personal device is
    co-opted without their full, meaningful consent. 
    - It places work assets in a personal device.
    - It introduces a scenario where a critical function takes place
    outside of direct view and control of IT.

    Lastly and speculatively, it places Microsoft software in their device
    and Microsoft can't be trusted to keep it's hands to itself when it has 
    an opportunity to be creepy, grabby or slimy.

    Examples:
    Slimy: Injects Bing links into phone's context menu when Outlook
    for Android app is installed.
    Grabby: History of sharing personal data with 700+ partners.
    Creepy: Relentlessly pushes CoPilot like horny drunk uncle pushes
    sex innuendos.

MS Authenticator Sandbox analysis: https://www.virustotal.com/gui/file/c165ea4f2c399f474f068087...

https://kagi.com/search?q=How+is+Microsoft+like+a+creepy+unc...

Most every bit of online exchange and O365 (+the ever-changing, ever-growing stack of MS policy/admin/security panels) is overkill for 10-20 users who need mail, Outlook, Word, Excel (no substitutions).

It's a massive hydra and it's most dependable output is onerous requirements. And the more of those we heap upon light duty users, the more reasonable it becomes to circumvent them.

In this scenario Winauth is how we placate the unreasonable overlord.

Are you sure you need the Microsoft one? After reading the giant support document at my employer I eventually figured out that any TOTP supporting app would work but most of the documentation made it sound like Microsoft was required anyway.

This was in February of last year according to the screenshot, my device was an iPhone 11 - not a small one, but rather very much standard screen size!

That’s true, but only for my screen size. A smaller device wouldn’t.

I mean that it's a different concept; a different thing. You can set it as the same thing but need to remember keeping it same.

(There is also an Apple Recovery password, but that's for encrypted recovery, a different thing, but that is very hidden and experimental.)