I think I have to agree. I spend my life across 2 macbook and 2 android devices and I now cannot predict which web interaction (or WPA) will ask me to use which device(s) to validate which association.
I have bitwarden on all of them. I can coordinate 2FA TOTP easily. I don't see passkey adding value right now, it's simply added an extra model, alongside the others, which doesn't even reliably work.
Given their non-migrating quality, I can't federate can I?
I use passkeys exclusively on my YubiKeys, and I ensure I always have a backup (two Yubikeys with one passkey each).
TOTPs are handled the same way (stored on two Yubikeys).
We used password managers when 2FA allowed us to guarantee that even a leak of the passwords wouldn’t be that catastrophic. If you sync your passkeys to your password manager, anyone compromising it has full access to your accounts.
It also feels like many sites are trying to either trick or gaslight me into moving over to a passkey. Amazon was successful in tricking me, and I’ve had to be much more vigilant since that happened.
That's because for the average user of most popular websites, user account takeover via weak passwords and phishing are massive risks. These sites are funneling their users hard towards passkeys because they're a huge step forward towards covering those risks.
Call me old fashioned but I distrust any form of authentication that is tied to a specific device.
I might be getting older but my memory is still good enough to remember a couple of secure passwords (secure, as in: 20+ chars long random strings), one of them being a password to my KeePass database, and the other to the email account where I keep a backup copy of it.
I would hate to be locked out of my accounts only because I lost my phone or Yubikey.
I'm not a security expert, but I have an opinion on passkeys: I think we should stick to using them only for 2FA. At least for any site where the security really matters.
In my mind, a passkey authenticates the device, while the password authenticates you, the user. Passkeys let us limit which devices are allowed to connect with our credentials. A hacker in Eastern Europe could steal my login, but if their laptop isn't authorized, it makes an account takeover much harder.
(Side note: This is also why I'm uncomfortable putting TOTP codes and passkeys in the same password manager as the regular login credentials. It effectively defeats the whole purpose, turning multi-factor authentication back into single-factor again.)
8 comments
[ 3.0 ms ] story [ 31.0 ms ] threadI have bitwarden on all of them. I can coordinate 2FA TOTP easily. I don't see passkey adding value right now, it's simply added an extra model, alongside the others, which doesn't even reliably work.
Given their non-migrating quality, I can't federate can I?
TOTPs are handled the same way (stored on two Yubikeys).
We used password managers when 2FA allowed us to guarantee that even a leak of the passwords wouldn’t be that catastrophic. If you sync your passkeys to your password manager, anyone compromising it has full access to your accounts.
I might be getting older but my memory is still good enough to remember a couple of secure passwords (secure, as in: 20+ chars long random strings), one of them being a password to my KeePass database, and the other to the email account where I keep a backup copy of it.
I would hate to be locked out of my accounts only because I lost my phone or Yubikey.
https://www.smokingonabike.com/2025/01/04/passkey-marketing-...
In my mind, a passkey authenticates the device, while the password authenticates you, the user. Passkeys let us limit which devices are allowed to connect with our credentials. A hacker in Eastern Europe could steal my login, but if their laptop isn't authorized, it makes an account takeover much harder.
(Side note: This is also why I'm uncomfortable putting TOTP codes and passkeys in the same password manager as the regular login credentials. It effectively defeats the whole purpose, turning multi-factor authentication back into single-factor again.)