Comment by shaky-carrousel
18 hours ago
I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords.
18 hours ago
I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords.
The main benefit is you will never put your passkey on a phishing site. Password managers provide some protections against it because if they do not work automatically on a website you know something is fishy, but sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.
The problem is whether or not the benefit outweighs the additional risks introduced — losing account access when you lose a device, furthering device lock down, difficulty transferring the passkey between devices, UX degradation due to bad implementation. In my opinion the answer is no and I am sticking with my passwords.
> sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.
Unfortunately, it’s exactly those websites that I think would be unlikely to support passkeys at all.
The advantage is that the password never leave the device. It has a public key and signs challenges with the private key but nothing sensitive goes over the wire on every login
It should be noted that that is not an inherential advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.
Sure, but then you still need a protocol between user agent and website. If you just do this in Javascript, you're not protected against phishing sites just forwarding the password entered directly.
Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain
3 replies →
is it fair to say all passkey implementations have this advantage while only some password implementations can match?
6 replies →
They're more accessible to people who don't understand computer security?
The main advantage is how strictly limited export of the passkey secret is. It is very unlikely for it to ever be phished or copied.