Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.
You can? At least I do that. I host vaultwarden myself and store the passkeys there.
Passkeys to me are just a better way to autofill in login data.
OK, now think how nontechnical people will not be able to do it. They will be tied to Google/X-corp for all credentials, even government ones. Waiting to be banned if their social credit is too low.
Nontechnical people can use BitWarden/Keeper/Proton Authenticator/any other major system like that instead of self-hosting.
True. But I would say that this isn’t an issue intrinsic with passkey. Many people don’t have time/energy or the attitude to think critically about technology and are herded towards Google/X-corp/etc with offers of convenience and because they are often the only offered choice on the web sites. But from the POV of passkey they just act as a password manager.
Oh I’m stoopit. I just looked up the documentation for keepassxc and it supports it too:
https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys
So I guess the next time I create an account that supports it I’ll try it and see how it goes.
https://keepassxc.org/docs/KeePassXC_UserGuide#_browser_passkey_support
There you go. Local, serverless passkeys in the software of your choice.
I am not dependent on any ecosystem for passkeys. I have a self-hosted vaultwarden instance that works with Bitwarden clients. I create and store my passkeys over there primarily and in my keepass db (which I primarily use for TOTPs) for redundancy. So if either one gets compromised, I can just delete the passkey for the accounts involved in that database.