alt.hn

2/27/2026 at 5:55:27 PM

Please, please, please stop using passkeys for encrypting user data

https://blog.timcappalli.me/p/passkeys-prf-warning/

by timmyc123

2/28/2026 at 3:23:29 AM

What's the difference between keeping a passkey in Bitwarden, and just using a password, also in Bitwarden?

by code-e

2/28/2026 at 3:49:35 AM

Mainly that a service can't refuse passwords from Bitwarden, whereas in a few years you'll find yourself reading an article about how a bank in Luseristan has decided to require that their users sign in using Passkeys stored in an attested authenticator (not Bitwarden) running on an attested device (not any current Linux desktop).

by zetanor

2/28/2026 at 3:45:59 AM

Your mom uses Bitwarden?

by DANmode

2/27/2026 at 6:00:58 PM

Not to mention the challenges when (gasp!) a single user uses more than one device. Like, yes, some of us have both desktop computers and phones, thanks for asking.

This is why I refuse to let most sites set me up with passkeys. I’m considering making exceptions for the ones that usually get this stuff right (like GitHub).

by apothegm

2/27/2026 at 6:44:25 PM

Not sure what you mean. In most cases, passkeys sync across your devices.

by timmyc123

2/27/2026 at 7:43:02 PM

People with all Apple devices do not constitute "most" users.

by throwaway798214

2/28/2026 at 2:53:10 AM

This is the case in other areas though. I keep some of my passkeys in Bitwarden and that is cross device/platform as well.

by TheCleric

2/28/2026 at 5:50:48 AM

Just add more than one passkey to your account?

by pabs3