Comment by reddalo
1 day ago
I'm also completely against passkeys. A safe password and a good password manager are way better, they don't lock you into any platform.
It's super sad to see all kinds of websites offering you to add a passkey when you log in.
> A safe password and a good password manager are way better, they don't lock you into any platform.
An open, cross-platform passkey implementation does all that too, and on top of that prevents you from accidental password leaks via logs, MITM etc. by default.
> It's super sad to see all kinds of websites offering you to add a passkey when you log in.
As long as they're not forcing you to add one, what exactly is your problem with having more choice?
Personally, I am grateful for every site that doesn't require my phone number to sign up and uses passkeys for authentication instead, yet I also don't want SMS authentication banned for everybody, since I understand it currently works better than passkeys for many people.
Passkeys are a great idea, but poorly implemented.
I was planning to make use of passkeys when logging on to various services, so I ordered three physical devices supporting passkeys (YubiKey). I ordered USB-C and USB-A variants, with NFC support.
Is this a mistake? I am already using password manager and totp for my accounts, but I am tired of dealing with passwords.
Even when using a password manager (Bitwarden in my case), it just gets tedious bringing out my phone, starting the auth app, locating the correct account, reading the 6-digit token and logging on.
You're good. The relevant advice in the article is to not reuse keys for encryption and auth.
Encrypting the password manager database with a passkey or other authentication key on one of those YubiKeys would be the mistake. Encrypting it with a separate dedicated key (or passphrase) on the same YubiKey, in parallel to its passkeys, is fine.
No, it's not a mistake. But say you lose the YubiKey, or you're away from home. How do you deal with that? You still need a password somehow.
Sure. But I think that is the same scenario as me losing my phone today, since I use that for two-factor auth.
My plan was to continue using Bitwarden for passwords as well, but more as a break-glass mechanism than something I really use. I want to use passkeys mostly for convenience.