4 comments

[ 1.9 ms ] story [ 19.1 ms ] thread
There's a [DEFCon 33 talk](https://youtu.be/xdl08cPDgtE?si=SwZ-87jzDbNeP1Mx) on this, too.

I... Am not sure how I feel about it. On tech merits, this absolutely makes sense - the tech is slinging private keys around, and their secure storage is a hard problem.

On the practical merits - maybe? Token-backed decryption of the password manager's database seems like a devent solution? But does this happen? Is there a password manager which uses the public key derived from FIDO2 token's on-chip private key to decrypt the database?

On-token storage is limited (though 100 passkeys on a YK 5 Nano is fairly generous) - but what if we just used the YK as the "Private key is here and ONLY here" setup?

I kinda like the OFFOAD+ design - it promises to show me to where I am authenticating. With origin binding should be a nobrainer, but still, it speaks to me.

What about offline stores passkeys? I've a keepasxc database. Just having the database isn't enough because you need the keyfile and my password to open it.

I get what they're saying but device bound keypasses are brittle. List device lost account. So you need multiple devices. Passkeys are just a bad solution to a valid problem.

I will never use passkey.
Of the varied reasons for not using them, can you share yours?