13 comments

[ 3.5 ms ] story [ 40.1 ms ] thread
How on earth are the big players introducing this when we can't even back up the keys?

Another things is I "lost access" to passkeys.io while trying out passkeys. My phones Bluetooth was switched off, and by the time my phone created and saved a passkey, it timed out on the computer. So now I can't login with that passkey and it only fails. Seems like I'm locked out now...

> How on earth are the big players introducing this when we can't even back up the keys?

> Another things is I "lost access" to passkeys.io while trying out passkeys. My phones Bluetooth was switched off, and by the time my phone created and saved a passkey, it timed out on the computer. So now I can't login with that passkey and it only fails. Seems like I'm locked out now...

What does "backing up" the key achieve over and above just registering another key?

Hey, quick note from the creator of passkeys.io: You can always enter your email address on the login screen and this will initiate a fallback auth flow via email passcode.
At first I thought this was a great idea, but then confusion began to dawn after I read the UI...

> Your device supports passkeys, a password replacement that validates your identity using touch, facial recognition, a password, or a PIN.

> Your device supports passkeys, a password replacement that validates your identity using [...] a password

What is being accomplished here if I choose to activate a "passkey" using a "password" for GitHub?

I think they mean via the system keychain? Chrome seems to auto handle passkey requests for Google themselves.
I thinks the idea is that it has two factors built in. The password/pin is something you know. You still have to use it on a specific device though, which is the something you have.
It is preventing password reuse and ensuring key complexity.

The implementation of the credentials manager on the device storing the passkey should also ensure 2factor auth for use of the key.

Further passkeys are highly phishing resistant since they are bound to one specific domain and the passkey manager enforces that it is only transmitted to said domain.

It is basically a phishing , credentials stuffing, brute force resistant password that should ensure 2factor authentication.

It is pretty much the spot between dedicated hardware keys and still usable for the normal guy.

The only thing I dislike is that every provider can lock you in their "passkey ecosystem" since they only sync between them etc.

What's the difference between using this and having my password autocompleted by my password manager and then getting prompted for Windows Hello? I've had this setup for months now, and I don't see how removing the password factor from here will be better for me than having 2FA with Windows Hello, or my android phone via the QR thingy or an actual key such as Yubikey.
I don't think passkeys are for password manager users, but rather people who are tech illiterate. The problem we're seeing now is that passkeys are confusing as hell for non tech people, the target audience. A period of transition is bound to happen.
This does not support firefox on linux. I believe firefox shipped a feature on linux in last few months which should make this work.
I just tried it again and it worked this time.

I had added that key as a plain fido security key and it didn't let me add it as a passkey. So, I removed that key from the list of security keys and added it as a passkey.