The more I play with Passkeys, the more disenchanted I get with them. I would love a Passkey redux episode that answers some of my gripes with passkeys.
Today I set up 3 passkeys. To prevent “vendor lock-in,” I saved the passkeys in 1Password.
That’s when I hit a major snag with Passkeys. They’re in 1Password and they can’t come out of 1Password. When I try to do an export of my 1Password vault, it WILL NOT export my passkeys. It’s telling me that I will need to create new passkeys for all my sites if I don’t want to use the ones stored in 1Password. The same seems to be true for passkeys I store with Google and with Apple in iCloud Keychain.
There is absolutely no way to have local passkeys. They all get locked up by a service and that service could choose to ban me at any time for violating their terms of service. Then I would lose access to my Passkeys.
Because of this, you probably need to leave some other form of authentication enabled on your accounts, such as a password. That way you can get into your account, should you lose access to your passkeys. But if you leave passwords enabled, you’re now vulnerable. Passkeys just become a more convenient way to log in to a site.
I know it’s unlikely that you’re going to get banned from Google, Apple, 1Password, Bitwarden and every other site all in one day. But do you really want to store that many passkeys in the cloud in that many locations? Do you want to pay for 2 password managers, just so you can have redundant passkeys?
I may abandon passkeys completely and stick with passwords and 2FA TOTP.
I don’t disagree with your assessment, although I have not even tried passkeys because I was afraid they were going to be a mess such as you describe. On the other hand, so long as you don’t lose your active passkey(s), how hard, really, is it to enrol (a) new one(s) (and potentially kill the old one(s)?)
It doesn’t look hard. A simple click is all you need. But the problem is WHERE you enroll your passkeys. If you’re using a browser with the 1Password plugin, 1Password will intercept the request for the public key and generate the private key and send its public key to the website. So, now you have 2 passkeys for the same site, both in 1Password.
You can potentially make a passkey in Google Chrome or Microsoft Edge. If you don’t log in to the browser, the passkeys will never sync. But they’re also locked to that computer and that browser. If you uninstall the browser, you lose your passkeys.
You could probably disable iCloud Keychain on a Mac and save passkeys to your local copy of Keychain. But you run into the same issue. Your passkey is locked to that computer and can only be used by a browser that can access Apple’s Keychain.
I was hoping when password managers added support for passkeys, that I would have the ability to export them to some kind of format and back them up. 1Password does not allow this. iCloud Passwords does not. Haven’t tried exporting from Chrome. But I assume it does not.
Thanks for this summary. I must admit I’m lagging way behind in any research towards Passkeys. From what you’re saying, it seems like Passkeys are yet another way we’re losing control of our digital domain, right behind media and software distribution. For the vast majority, this is a positive because they aren’t even aware that they have a digital domain, let alone the fact that they are responsible for it. For me, and I suspect much of the TWiT audience, it’s a negative.
I personally won’t be using Passkeys until KeePass introduces support for it in a stable build. Call me old fashioned but I like the idea of having control over my identity.
So frustrating to see this amazing technology being waylaid in the mainstream. We’ve got a finely tuned Ferrari in the garage, while everyone is out there trying to frantically assemble an SUV in the pit box.
I haven’t read the Passkey spec to see if import and export has a standard format or if it’s even supported.
A lot of Passkey supporters claim that not being able to get at your Passkey once created helps make it phishing resistant. And I’m sure for your parents, your grandmother or your less than tech savvy wife, that may be true.
But for those of us that care about privacy, security, and data redundancy, Passkeys are a half-assed solution.
Unfortunately, this is how Passkeys have to work, at least at the moment. They are the cryptographically secure part of the transaction and the secret needs to remain secret. On Apple products and Android, they use the secure enclaves provided by the chipsets, on Windows you need TPM and Windows Hello.
Only 1Password, Bitwarden and Bulwark, AFAIK, provide it in their vaults, which are transferable across platforms.
Apple, Google and Microsoft will allow you to sync across devices in their sphere of influence, but not cross-platform. Bitwarden and Bulwark, being open source, mean you are less likely to lose access to them, although with Bitwarden, that would mean running your own server, not using their cloud.
But, as you say, if you leave one platform, voluntarily or not, you have to set up new Passkeys on the new platform.
The same as with MFA, you should also store the emergency one-time passwords that each service provides, in case you lose your Passkey or MFA token. I had to do that once with LastPass: I had somehow managed to get a typo in my master password and the confirmation, but no matter how hard I tried, I couldn’t find the typo when I tried to re-open the vault!
I have a couple of passkeys on my iPhone and now a few in 1Password.
Passkeys don’t HAVE TO work that way. That’s just how they’re currently implemented. According to communications I have had with 1Password support, exporting and importing Passkeys is not part of the spec.
They’re currently working with the FIDO Alliance on some kind of universal interoperable import and export. But it would not surprise me if the solution that gets rolled out involves vendors being able to import your Passkeys from another vendor, and you still won’t have access to them.
The Mac app Strongbox, which is a KeePass-compatible app, supports Passkeys. But KeePass and KeePassXC don’t support Passkeys. So, I am going to assume that they went their own way and extended the database.