
I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

- I want to be able to share passwords for accounts with my family (some, but not all of them)

- I want to be able to load up my login information from whatever device I am currently working on; my phone, my home computer, my work computer, my wife's phone, etc

- I don't want to risk my phone breaking and losing access to all my accounts

Something like 1Password or Bitwarden fits all of that perfectly.



> see a compelling argument for passkeys

It's tied to vendor lock-in, which increases the ability of companies who develop certain technologies for the masses to increase the friction of interacting with things outside of the ecosystem. The argument is that if a user is unable to use an alternative, by hook or by crook they will pay increasingly high subscriptions to access the services provided by that ecosystem. This increases a number on a spreadsheet, the only truly compelling argument one could say.


> It's tied to vendor lock-in

If you're referring to the inability to transfer passkeys across systems, that should be improving soon.

https://blog.1password.com/fido-alliance-import-export-passk...

https://arstechnica.com/security/2025/06/apple-previews-new-...


As long as the passkey spec includes remote snitching (attestation), your KeePass open-source alternative will exist only because big tech allows it, and it will end when big tech demands it. The entire import/export standard is a red herring.


It's sort of happening already. Members of FIDO are threatening to block KeePassXC users [0] from logging in unless KeePassXC complies with FIDO demands regarding specific implementation details.

[0] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...


On one side of the pond, we have the EU's Digital Markets Act to protect consumers. It has teeth and it's already being used to ensure consumers have choice.


But only in the EU. You can already see iOS behave differently depending on which side of the pond you're from.


Not so sure that EU bureaucrats will understand and fix that problem. With NIS2, they let the IT-security-crapware lobby dictate draconian and mostly stupid security laws. Could be that the security-paranoid part of the bureaucracy overrides the consumer protection part in that case.


> that should be improving soon

Then _soon_ I might reconsider using passkeys.

I'm not making changes to my security workflows now based on promises that the lock-in potential will be reduced at some unspecified point in the future.


> I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

> - I want to be able to share passwords for accounts with my family (some, but not all of them)

This, but for another reason. To all those saying "I can do this with KeePass/Bitwarden etc.": how can you share your Netflix password with your parents 100 miles away so they can use it on their smart TV? You cannot and will never be able to do it. Yes, passkeys improve security in some contexts, but they also tighten the grip of service providers.


> To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it.

I'm not sure that's a good example. I thought you currently only need to share your password if you want to let them use your Netflix account on their computer/phone/tablet. If you are just trying to set them up on their smart TV wouldn't you simply have them install the Netflix app on their smart TV, launch it, hit sign in, and then tell you the 8 digit confirmation code from the app, and then you would go to netflix.com/tv2 on your computer/phone/tablet, enter that code, and use your credentials to confirm?

So let's change it to you want to let your parents use your Netflix on their computer/phone/tablet. Netflix doesn't currently support passkeys, but we will assume they will at some point.

What you would do is something like this.

1. Tell them your Netflix account name.

2. Have them go through Netflix's procedure for logging in on a device that does not have a passkey when you have no other devices available that do have a Netflix passkey for your account. They are almost certain to have some way to do this.

3. Once they are logged in they can add a Netflix passkey to that device.


Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.


> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

Like the millions of "terms of use" breached by the exact trillion dollar companies pushing for passkeys (Google, Microsoft) while training their AI models? Sounds like terms of use are entirely irrelevant in the first place.


Terms of use != laws. ToS are very often overruled by laws in a lot of jurisdictions. Saying that anything which violates a ToS should not exist as a free/public standard is corporate speak, and not in the interest of the consumer.


See what happens if I get caught downloading movies.

Then see what happens if meta downloads an entire library and trains their AI with it.


Not sure if anything different happens. If you get caught, you probably get fined - that is true for Meta and for you. Not sure what jurisdiction you are in that would get you into prison.

Meta just figured the fine is worth the leap ahead in AI training, and I kind of agree.


> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

Since when does "you are not supposed to do it" work? :) Most video games cannot be freely copied or modified/tampered with, according to their ToS; still, companies implement draconian DRM/anti-cheat to block people from doing it anyway. This is the same situation.


> breach of their terms of use

I mean, it was an example. Replace it with an Amazon account and the argument remains the same.


Right now, passkeys feel like they solve Google's and Apple's problems more than users'.


The “problem” they solve for Google and Apple is how to further lock people into their ecosystems. Microsoft too, they are part of it as well I believe.


The core tech (WebAuthn/FIDO2) is open and cross-platform.


You can do all of those using passkeys in KeePass, e.g. through KeePassXC, including import/export. However, KeePass applications have already been flagged as non-compliant for this reason. What you also currently can't do, AFAIK, is use them on mobile.


I think a password manager like Bitwarden still meets all of those criteria when it's managing passkeys for you.


But companies like Google, Microsoft, and Apple have a vested interest in making third-party tools like Bitwarden not work as well, or not at all, on their platforms.


iOS and Android both have APIs for plugging custom password managers into password entry fields in every app, and for using passkeys with those custom password managers. I use 1Password on my iPhone and my Android and it integrates perfectly with both. I agree that those corporations have an interest in making those tools work poorly to stop you from leaving the platform, but they seem to have done the right thing and put some effort into allowing them to work well.


Microsoft has been actively working on a new API to make third-party password managers natively integrate with Windows:

https://learn.microsoft.com/en-us/windows/apps/develop/secur...

https://blogs.windows.com/windows-insider/2025/06/27/announc...


Bitwarden works just as well on Android. In fact, it's even easier when it comes to managing multiple passkeys per domain. And yes, that includes CTAP2 logins ("scan a QR code with your phone to log in").


From what I saw, 1Password was fighting tooth and nail to get into the FIDO Alliance, as the big corps were trying to leave third-party password managers behind. I assume that without fights like this, all third-party password managers would have been left behind. I think that was the plan; thankfully it didn't work.


KeePass was straight up threatened with blackballing, using the attestation feature as an enforcement mechanism. This thing was barely out of the gate before the mask slipped.


For now. But will that always be the case? And what if sites use attestation to reject passkeys from providers like Bitwarden or KeePass(XC)?


iOS third-party password manager integration has gotten better over the years. It went from nonexistent, to half-working but constantly pushing me to use iCloud Passwords instead, to allowing a third-party manager to be the default once I set it up and never mentioning iCloud Passwords to me during normal use.


If blocking this integration will ever be in their interest (I can't say much about this though), then they'll just tighten the grip as soon as passkeys are the norm and other auth methods are deprecated. It's always easy to invoke generic or obscure "security" reasons, even if it means creating the problems themselves so they come with the solution just in time.


Passkeys with 1Password on iOS are excellent.


A lot of answers to problems people raise w.r.t. passkeys seem to be "use a good password manager".

But one of the selling points is that they are supposed to help bog-standard users be more secure. How many bog-standard users do you see using a good password manager, despite how long we've been suggesting that they do? If they aren't going to use one for passwords, they aren't going to use one to smooth the edges of passkey use.


I do use Bitwarden to store passkeys and it works across devices just fine.


1Password also supports passkeys. I'm not sure if you can share them in a family vault, but considering they're just "passwords" in 1Password, I don't see why you wouldn't be able to. The portion of a passkey stored on device is just a private key, which is essentially just a string of bytes.

The built-in password manager in iOS/macOS also supports synchronizing passkeys across devices (via iCloud), and again, I'm not sure if you can share those passkeys between users, but the same argument applies as for 1Password.


This still doesn’t solve requirement 2, at least as far as I can tell.

I'm a 1Password user. There are times I want to log in with one of my personal accounts on my work laptop, an auxiliary device I have, or a family member's device. On all these occasions, I'm not going to install 1Password and sync down my entire vault, just to delete it 5 minutes later. I simply reveal the password in my app and type it in. With passkeys there is no way to do this. It's an edge case, but an important one.

I'd feel much better about passkeys if they weren't some mysterious thing locked away in a vault. If it's effectively a public/private key pair, I should be able to see the private key in my password manager and copy/paste it wherever I want, and however I want. If I could do this I would instantly understand what's going on and be more accepting of it, though I'd expect I'd still run into some edge cases.


> I simply reveal the password in my app and type it in. With passkeys there is no way to do this.

After entering your username, you select an option to use your other device to sign in and scan a QR code with it.


That assumes the device/app I'm logging into supports that. It also assumes I have my password manager on a device that can scan QR codes.

Are passkeys ubiquitous? It doesn't feel that way. Tech demos are nice, but they're just tech demos. When I'm doing my taxes I don't want to find out I can't download my data in TurboTax because I can't log in to my bank with a passkey via their app. Or maybe I want to use some old hardware, where the apps haven't been updated with QR codes and passkeys; I guess I'm out of luck.

Too many edge cases. They are trying to sell passkeys as a magic way to log in. I'm not going to entrust my ability to log in to magic.

Also, scanning QR codes to authenticate feels very janky. Isn't that why CurrentC failed? No one wanted to do a QR code dance with their phone.


> I want to be able to share passwords for accounts with my family

No you don't, you want to share access, and the only way you can do it with passwords is by sharing the password itself. With passkeys you can have each person register their own passkey.


I want to be able to share access without permission from Microsoft.


Huh? Microsoft doesn't own passkeys. I think you have a completely incorrect understanding of passkeys.


If I use Microsoft Authenticator, they do control the passkeys. It doesn't matter who "owns" them if they control them.


They can "control" them in any meaningful way if they use them for access to things that you do not allow, or deny access to things that you do allow. If neither is happening, then you're effectively the one controlling them, not them.


The specific issue at hand is sharing. With passwords, I can easily share my passwords. Is it easy to share passkeys? And could doing so be prevented by Microsoft?


The point of passkeys is that you can have many of them unlike a single password. Each device should have its own passkey that I can revoke if my device is lost.


Give an actual working example of how you would share access to an arbitrary passkey-enabled account of yours with a friend.

Do all services in use allow this? Is it at least as easy and straightforward as telling your trustworthy auntie your password?


Does the passkey-enabled account support multiple passkeys?

I'm pretty sure I have my Android phone set up with a passkey for my Google account, and also my Windows laptop.

Presumably the same logic applies for a service that permits multiple passkeys. Each person would register a passkey on their device using the shared credential.


> Does the passkey-enabled account support multiple passkeys?

Therein lies the issue. With passwords, it doesn't matter if the account supports multiple passwords. I can share the one I have.

> Presumably the same logic applies for a service that permits multiple passkeys. Each person would register a passkey on their device using the shared credential.

But can I simply share the passkeys without someone's permission (other than my own)?


How does that differ from each person having their own password? Right now, if the service only allows for a single login (username/password), then is there a reason to believe it would allow multiple people to have different passkeys?

Plus, that doesn't really address allowing someone else in your family to log into your account "temporarily", i.e. if you want them to check something for you.


Yes I do; don't put words in people's mouths. I want to share passwords (not access) with my family so they can authenticate into services without the service provider being able to tell who is accessing it.


That's an implementation detail; you could just as easily have multiple username/password pairs tied to the same underlying account.
