alt.hn

2/28/2026 at 3:11:40 AM

Don't use passkeys for encrypting user data

 https://blog.timcappalli.me/p/passkeys-prf-warning/

by zdw

2/28/2026 at 4:25:57 AM

Passkeys have way too many footguns for me. If I use my phone to sign in I'm going to accidentally create a passkey there on iOS embedded webview. When I use Google Chrome, the website won't give me any information for me to find where I stored the passkey. Was it in iOS keyring? Chrome? My Bitwarden? If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.

by arjie

2/28/2026 at 9:49:36 PM

I like the concept of them, and I want them to work well purely so people stop using bad passwords. But nearly everywhere does it differently and weirdly and likely wrongly.

When I log into my Amazon account with a passkey, it then asks me for a 2FA code. The 2FA code is stored on the same device as a passkey, that step literally does nothing. After I do the 2FA code, it then prompts me to create a passkey. No! I have one. I signed in with one.

Some devices give me the option to use a QR code. I like that option usually, I can easily use my phone to authenticate. But sometimes i can’t get the QR code to appear. Support varies by OS, browser, and set of installed extensions. And there’s no easy way to control which of those three handles the passkey when something decides wrongly.

I had to troubleshoot something on someone else’s computer, and saw that they logged in to windows with a passkey and QR code. I’ve looked, and I can’t seem to set that up on my windows computer. There isn’t an option to and I have no idea why.

by snailmailman

2/28/2026 at 11:38:36 PM

Passkeys IMO will only work with dedicated U2F/FIFO keys like Yubikeys.

by trueismywork

3/1/2026 at 3:35:47 PM

Beware that Passkey storage is limited though and I don't think you can reuse one for multiple sites. My Yubikey 5 NFC stores up to 32 and you should have some redundancy if you ever lose it. You also can't export them. I only use passkeys (in Bitwarden) for things I don't care about.

by RGamma

3/1/2026 at 6:31:49 PM

> I'm sure it's of use to many people but it's been no end of pain for me and it has really signaled to me what it's like to grow into an old man unable to use computers when I was once a young man who would find this easy.

My only "good" solution for passkey UX is to make sure all my devices are Apple. Apple's password/keychain integrates reasonably well enough with Chrome, I can share passkeys with my cofounder easily in shared folder (he is also all-in on Apple ecosystem) and I can share passkeys with my work computer (different AppleID) for low-stakes things like news websites or Amazon.com (I work in IT security for the org, so I know exactly how much I can trust my employer)

I do also use Linux and Windows personally, and the passkey story is much worse there, particularly for Linux which doesn't seem to play well with my Yubikeys. Luckily, a lot of websites seem to have a "Scan this QR code with your iPhone" feature to complete the passkey authentication.

by nerdsniper

2/28/2026 at 10:04:45 AM

Passkeys on iOS and macOS actually work quite well in that regard. They get stored in your provider of choice across the web, web views, apps etc., at least in my experience.

Mine is Bitwarden, and that's available on pretty much all platforms, natively where available (except on macOS currently), as a browser extension otherwise.

For the rare instance in which I need to authenticate using a passkey on a computer where I'm not logged into Bitwarden, there's the cross-device CaBLE flow where I can scan a QR code with my phone and use Bitwarden to authenticate. This works across OSes and browsers.

by lxgr

3/1/2026 at 3:30:46 AM

The problem with passkeys is that they aren’t exportable (at least from Bitwarden).

by Cyph0n

3/1/2026 at 6:35:00 PM

They are easily exportable from Apple and 1Password AFAIK. Bitwarden seems to be doing some interesting lock-in, and while I have loved them, I no longer have a commercial password manager that I trust (leaving me with only Apple's as a high-functioning, high-trust option). I'm worried about effects of private equity pressure on groups like 1Password, Bitwarden, and LastPass (I strongly recommend against LastPass these days).

by nerdsniper

2/28/2026 at 7:04:18 PM

> This works across OSes and browsers.

It doesn't work for me in Firefox on Linux. I'm very curious to know how it works for you.

by freeopinion

2/28/2026 at 8:01:41 PM

Does their Firefox extension not inject its own WebAuthN implementation into every visited site on Linux? It does for me on macOS (i.e. it overrides the OS/browser-provided one).

by lxgr

2/28/2026 at 11:27:01 PM

Is this really how password managers extensions work? They inject arbitrary javascript in every page you visit?

I would have naively thought that there'd be a better and safer API for it, considering that all browsers already have the infrastructure in place to handle login autocomplete.

by tredre3

3/1/2026 at 1:00:22 AM

As someone that uses a YubiKey for WebAuthN - I really wish Bitwarden didn't do this. I know I can turn it off, but it's a bad default.

by bpye

2/28/2026 at 11:40:31 AM

except... i store my password for work in bitwarden, so I dont want to also keep my work passkeys in the same place. For my personal stuff, that is a risk I can live with so far, but for work it seems dumb.

by javier2

2/28/2026 at 9:09:24 PM

Your Bitwarden should enforce the necessary 2-Factor auth for this scenario, but if you’re worried just make sure to be careful when registering that single passkey.

by ezfe

2/28/2026 at 12:31:31 PM

Yeah, definitely don’t mix work and personal credentials. But many password managers allow using different accounts/vaults on one machine.

by lxgr

2/28/2026 at 6:43:07 PM

Yup. I hate them. I get the problem they're trying to solve, it just seems like I have more work to do... and I honestly don't even follow what is going on sometimes.

I recently moved to a new computer and it's just an AUTHHELLSCAPE.

by duxup

2/28/2026 at 8:57:29 AM

I truly don't see the advantage of passkeys over a password manager like bitwarden, with random passwords.

by shaky-carrousel

2/28/2026 at 9:04:34 AM

The main benefit is you will never put your passkey on a phishing site. Password managers provide some protections against it because if they do not work automatically on a website you know something is fishy, but sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.

The problem is whether or not the benefit outweighs the additional risks introduced — losing account access when you lose a device, furthering device lock down, difficulty transferring the passkey between devices, UX degradation due to bad implementation. In my opinion the answer is no and I am sticking with my passwords.

by pibaker

2/28/2026 at 1:33:43 PM

> sadly many websites have botched their password input so even with a password manager you may still need to manually copy and paste (or even type, if pasting is disabled) the password.

Unfortunately, it’s exactly those websites that I think would be unlikely to support passkeys at all.

by TurboSkyline

2/28/2026 at 9:02:26 AM

The advantage is that the password never leave the device. It has a public key and signs challenges with the private key but nothing sensitive goes over the wire on every login

by bryantwolf

2/28/2026 at 9:10:40 AM

It should be noted that that is not an inherential advantage of passkeys over passwords. It is possible to achieve the same with passwords, e.g. by using a hash-cascade.

by valenterry

2/28/2026 at 10:11:35 AM

Sure, but then you still need a protocol between user agent and website. If you just do this in Javascript, you're not protected against phishing sites just forwarding the password entered directly.

Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain

by lxgr

2/28/2026 at 2:52:07 PM

> Sure, but then you still need a protocol between user agent and website.

Yes of course. Just like you do for passkeys.

> Passkeys can in fact be backed by exactly this, i.e. a HMAC-only stateless implementation backed by a single password: https://github.com/lxgr/brainchain

No, not quite. It's written on there:

> "Login" with your passphrase, and you can create non-discoverable WebAuthN credentials (don't call them passkeys, but definitely be reminded of them) at ~all~ some websites supporting them (...)

That's the thing: with passwords, a website/app cannot prevent you from controlling the password yourself. With passkeys and attestation it can.

by valenterry

2/28/2026 at 8:00:46 PM

But attestation for passkeys is dead. Neither Apple's, nor Google's implementation (with negligible exceptions) support it anymore, so any site demanding attestation will immediately disqualify > 99% of all potential users.

Some still might, e.g. for corporate or high security contexts, but I don't think it'll become a mass-adopted thing if things don't somehow drastically change course.

by lxgr

2/28/2026 at 11:07:31 PM

It's still in the standard. They could remove it, but they don't, so from my perspective it's just like how Google wasn't evil. Until they decided otherwise.

by valenterry

3/1/2026 at 10:29:08 AM

> It's still in the standard.

Yes, because hardware authenticators (like Yubikeys) still commonly support it, and it makes sense there.

I guess they could add an explicit remark like "synchronized credentials must not support attestation", and given the amount of FUD this regularly seems to generate I'd appreciate that. But attestation semantics seem to be governed more by FIDO than the W3C, so putting that in the WebAuthN spec would be a bit awkward, I think.

by lxgr

3/1/2026 at 11:52:08 AM

Hm, I disagree. I prefer if the user has the freedom to choose how they want to do things. At the cost of some users choosing the wrong way and then getting problems. It's a question of balance, but when I look at recent tech/internet history, I tend to not want to give central authorities any more power than they already have.

by valenterry

3/1/2026 at 1:02:43 PM

Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.

In other words, you have a principal-agent problem: Users doing custom software passkey acrobatics and the banks liable for any funds lost.

Preferably, use of attestation should be limited to these (and enterprise) scenarios, and I do share the concern of others starting to use them as weak proofs of humanity etc.

by lxgr

3/1/2026 at 1:14:51 PM

> Ideally, sure, but the reality is just that some entities are not only reputationally, but also legally required to bear the liability for account takeovers.

Seems like an absolutely rare edge case to me. Or maybe even just a misunderstanding. I doubt there is a law that says that. If anything, I could imagine a law saying that a company has to take "sufficient precautions".

But even if what you say were to be true - that's not something to solve with tech. That means the law should be changed.

by valenterry

2/28/2026 at 9:22:55 AM

is it fair to say all passkey implementations have this advantage while only some password implementations can match?

by mi_lk

2/28/2026 at 10:11:14 AM

It is absolutely unfair to say it. Just like passwords stored in a password manager, passkeys can be copied out of the device for safekeeping. Because you can copy them out, a user can be induced to give them to someone.

I saw passkey boosters go very, very rapidly from "Passkeys are immune to phishing!" to "Passkeys are phishing resistant!" when lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

by simoncion

2/28/2026 at 10:13:05 AM

> passkeys can be copied out of the device for safekeeping

You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

> lots of real-world people started using passkeys and demonstrated that you absolutely must have a way to back them up and move them around.

Millions of people use them without being able to move them around in the way you describe.

by lxgr

2/28/2026 at 10:29:04 AM

> You can't copy them out on at least the iOS, Android, and (to my knowledge) Windows default implementations.

Pardon? The official support docs disagree with you [0][1][2]. They absolutely leave the device.

Other passkey managers let them leave the device in a way that you control, but even the default ones copy them off the system they were created on.

[0] <https://support.google.com/accounts/answer/6197437?hl=en&co=...>

[1] <https://support.apple.com/guide/iphone/passwords-devices-iph...>

[2] Examine the "Can I use passkeys across multiple devices?" Q and its A here: <https://support.microsoft.com/en-us/windows/passkeys-frequen...>

by simoncion

2/28/2026 at 10:40:54 AM

Yes, they're synchronized, but I wouldn't call that "copying them out", as that to me implies somehow getting access to the raw private key or root secret bytes.

Both Apple and Google have pretty elaborate ceremonies for adding a new device to an existing account in a way that synchronizes over passkeys.

by lxgr

2/28/2026 at 10:58:01 AM

> ...as that to me implies somehow getting access to the raw private key or root secret bytes.

When passkeys were first introduced, they were 100% stuck to the device that they were created. There was absolutely no real way to copy them off. This is when proponents were -correctly- making the claim that they were immune to phishing.

When lots of users (who -notably- were not supported by whole-ass IT departments who set up and run systems that handle provisioning and enrolling new devices) started using passkeys, the correctness of the thing that many non-boosters were screaming ("You have to have a way to back these up and move them between devices!") became abundantly clear. Passkeys became something that could be copied off of devices, and proponents -correctly- switched to the claim "Passkeys are phishing resistant".

Once things switched around so that passkeys were no longer stuck on a single device, third-party managers got the ability to manage and copy passkeys. [0]

Hopefully it's now clear that the shift from "they never leave the device" to "they do leave the device" (and the consequences of this change) is what I'm talking about.

[0] At least, they will for the next five, ten years until the big players decide that it's okay to use attestation to lock them out to "enhance security".

by simoncion

2/28/2026 at 6:26:40 PM

It sounds like part of the problem is that two rather separate standards of "phishing" are getting conflated:

1. "Hi, I'm your bank, log in just like you normally do." (Passkeys immune.)

2. "Hi, I'm your bank, do something strange I've never ever asked you to do before by uploading some special files or running this sketchy program." (Passkeys just resist.)

The problem with the expansive definition is it basically starts to encompass every kind of trick or social-engineering ever.

by Terr_

3/1/2026 at 8:15:21 AM

That qualifies as "immune to phishing" as far as I'm concerned. No reasonable person using a reasonable implementation will ever be successfully victimized in that manner.

We need to stop pretending that padded cells for the criminally incompetent are a desirable design target. If you are too stupid to realize that you are being taken for a ride when asked to go through a manual export process and fork over sensitive information (in this case your passkeys) to a third party then you have no business managing sensitive information to begin with. Such people should not have online accounts. We should not design technology to accommodate that level of incompetence.

If you can't stop driving your car into pedestrians in crosswalks you lose your license. If you can't stop handing over your bank account number to strangers who call you on the phone you lose all of your money. If you eat rotten food you get sick and possibly die. If you hop a fence and proceed to fall off of the cliff behind it you will most likely perish. To some extent the world inherently has sharp edges and we need to stop pretending that it doesn't because when we do that it makes the world a worse place.

by fc417fc802

3/1/2026 at 4:43:05 AM

The benefit is that they aren't phishable.

by brikym

2/28/2026 at 10:30:30 AM

They're more accessible to people who don't understand computer security?

by red_admiral

2/28/2026 at 8:12:56 PM

The main advantage is how strictly limited export of the passkey secret is. It is very unlikely for it to ever be phished or copied.

by UltraSane

2/28/2026 at 7:53:22 AM

There’s another foot gun I wrote about recently:

https://cedwards.xyz/passkeys-are-not-2fa/

by cedws

2/28/2026 at 8:31:44 AM

I was reading your other blog post about storing them in bitwarden I have to disagree with this point:

> Unless you were forced to by some organisational policy, there’s no point setting up 2FA only to reduce the effective security to 1FA because of convenience features.

2FA both stored in your password manager is less secure than storing than separately, but it still offers security compared to a single factor. The attack methods you mentioned (RAT, keylogger) require your device to be compromised, and if your device is not compromised 2fa will help you.

To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

Also I really like the style and font of your blog.

by dwedge

2/28/2026 at 12:17:14 PM

> To slip into opinion mode, I consider my password manager being compromised to be mostly total compromise anyway.

But how is that no the entire point? If your 2FA is a proper device, like a Yubikey, the attack surface is tinier than tiny and the device ensures that your secret never leaves the device.

We did see cases of passwords managers getting compromised. We haven't seen yet a secret being extracted from a Yubikey.

So where you say you consider that your software (password manager) getting compromised is total compromise, we're saying: "as long as the HSM on a Yubikey does its job, we have actual 2FA and there cannot be a total compromise".

by TacticalCoder

2/28/2026 at 1:10:39 PM

You're right, I should have been more clear in that I meant a local compromise of the machine running the password manager client, not the server running the password manager itself. If my sessions and all of my data can be intercepted, the yubikey 2fa seems like it's only saving me from a token "nobody can login remotely to this one service" which at that point seems pretty moot

by dwedge

2/28/2026 at 1:14:02 PM

Yubikey offers a false sense of security in that regard, unfortunately, because if your device is thoroughly 0wned and you don't know it, the attacker "just" has to wait for the victim to do something that would trigger the yubikey, and then swap in their forged request instead. Eg if the victim uses the yubikey to log into bank1 and to crypto wallet, but bank1 accounts have no money, instead of waiting for the customer to log into their crypto wallet with the yubikey, the attack software waits for the victim to log into bank1, but swaps in a request to the crypto wallet instead.

by fragmede

2/28/2026 at 5:48:15 PM

Not sure I understand your point. Under WebAuthn / FIDO2 you can't impersonate a RP

Could you explain better?

by jdmoreira

3/1/2026 at 10:29:51 AM

If the user's computer is pwned, you can wait for the user to log in to their bank account, then blank the screen while you send yourself all their money.

by gzread

2/28/2026 at 10:03:54 AM

This isn't a footgun, you just have absurd security requirements.

>It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

You simply do not need two factors with passkeys. Using passkeys is not pointless, they are vastly more secure than most combined password+2fa solutions.

There are extremely few contexts where an yubikey would be meaningfully safer than the secure element in your macbook.

by JasonADrury

2/28/2026 at 10:23:21 AM

2FA is more secure than 1FA even if that one has a high security level

by gregoriol

2/28/2026 at 11:12:26 AM

To be clear. Proper 2FA, via something like a smartcard or any truly external device is still much more secure. You could have one of those factors be a passkey, that's fine, and may be a good idea.

But there are UX issues with passkeys as well, that aren't all well addressed. My biggest gripe is that there is often no way to migrate from one passkey provider to another, though apparently there may be a standard for this in the works?

by nixpulvis

2/28/2026 at 10:43:08 AM

Are you saying that two weak factors are more secure than one strong factor?

by Genbox

2/28/2026 at 8:09:35 PM

If they are on totally isolated hardware then maybe

by UltraSane

2/28/2026 at 11:33:46 AM

Not who you are replying too. But a yubikey is not a weak factor.

In fact, it’s not even meaningfully more secure than passkey (as passkey is designed) - passkey is, however, more convenient.

So it’s more ‘one weak factor + (really times) one medium/strong factor’ vs ‘one medium/strong factor’.

Which yes, the first one is better in every way from a security perspective. At least in isolation.

The tricky part is that passkeys for most users are way more convenient, meaning they’ll actually get used more, which means if adopted they’ll likely result in more actual security on average.

Yubikeys work well if you’re paying attention, have a security mindset, don’t lose them, etc. which good luck for your average user.

by lazide

2/28/2026 at 10:31:37 AM

if 2fa is "use the second factor that's on same device as first factor" (like when using phone apps in many cases, password + 2fa from email/sms/authenticator app on same device), I disagree.

by PunchyHamster

2/28/2026 at 1:12:44 PM

If I get your password, and you use 2fa that's stored on your phone, does that improve your security position or not

by dwedge

2/28/2026 at 10:51:12 AM

Nonsense, depends entirely on the value of the authentication factor.

by JasonADrury

2/28/2026 at 11:44:03 AM

How is it not 2FA? It's MacBook + Fingerprint.

by YmiYugy

2/28/2026 at 12:06:46 PM

It's not 2fa if you assume some catastrophic exploit chain that allows an attacker to dump your macbooks secure element.

I don't think that's a reasonable assumption for most people, and you're screwed in that situation even if you use yubikeys.

by JasonADrury

3/1/2026 at 9:09:00 AM

You missed this:

>which lives in the same password manager

I'm not talking about Apple passkeys here, which are NOT stored in the Secure Element to my knowledge anyway.

I don't see passkeys as a 2FA replacement. If they're only secured in software and live in memory, as is often the case with password managers, they're too easy to compromise.

by cedws

2/28/2026 at 10:07:16 AM

> It should be pretty obvious that using a passkey, which lives in the same password manager as your main sign-in password/passkey is not two factors. Setting it up like this would be pointless.

If your password manager is itself protected by two factors, I'd still call this two-factor authentication.

by lxgr

2/28/2026 at 8:44:45 AM

Passkeys are meant to replace passwords. Not being second factors is the point.

by FreakLegion

2/28/2026 at 10:09:15 AM

Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor.

by lxgr

2/28/2026 at 11:35:15 AM

That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.

by FreakLegion

2/28/2026 at 12:29:56 PM

I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.

by lxgr

2/28/2026 at 8:10:54 PM

And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.

by UltraSane

2/28/2026 at 9:49:46 AM

Someone gotta tell all these SaaS about that if so, because currently everyone is treating Passkeys as an alternative to 2FA. Take a look at how GitHub handles it for example when you use TOTP, they'll ask you to replace TOTP with passkeys.

by embedding-shape

2/28/2026 at 11:07:07 PM

They are an alternative to 2FA. Which means they aren't 2FA. If they were 2FA, they wouldn't be an alternative to 2FA. They'd just be 2FA.

Anyway, passkeys and FIDO broadly aren't the same thing. You can read the definition of passkeys at https://fidoalliance.org/passkeys/ or look at any of the marketing, which invariably talks about how great it is that you don't have to futz with passwords anymore.

FIDO credentials in general can obviously also be used as second factors. This is baked into the name of the original standard: U2F, Universal 2nd Factor. The specific point of passkeys though is that they're the single factor.

by FreakLegion

2/28/2026 at 10:02:18 AM

Many do what you describe, probably because some manager somewhere needs to tick some checkbox.

But GitHub, specifically, allows you to sign in with a passkey. On the sign-in page, there's a "sign in with passkey" link. It activates my 1Password extension, asking if I want to use my passkey. I say yes, and I'm in, I don't type anything. This also works the same way with my YubiKey.

by vladvasiliu

2/28/2026 at 4:42:15 AM

Embedded webviews are the stupidest thing ever. Yesterday I got halfway through a checkout process, had to go back to another app to check something, and then the webview simply disappeared so I didn't bother finishing the checkout. This was on Android

Usually I open it in Chrome but for some reason I didn't realize it was a webview this time

by weird-eye-issue

2/28/2026 at 6:19:14 AM

I disable them on every app that lets me. It is in every way worse UX than simply opening the browser.

by mgrandl

2/28/2026 at 8:58:21 AM

God yes that. Our VPN client fell over the other day because the auth popup opens an embedded web browser which throws a javascript error as it's bouncing through our ID provider pages. How the fuck we got there I don't know. Everything is a gigantic Heath Robinson contraption.

by dgxyz

2/28/2026 at 6:27:44 PM

I just use iOS' wallet for all of it, the only exception being if its something I 100% need to open outside of my iphone / macs. Then I go for BitWarden, turns out I dont need any apps to open outside of that sandbox, I am okay only opening these up on Mac. I can always type my password on Linux. That's what bitwarden is for anyway.

by giancarlostoro

2/28/2026 at 9:08:10 PM

The system always asks where you want to store it, and all passkey managers vend to the system prompt with labels so you can see where it is.

This is not an issue on iOS, I can’t tell how what you’re describing could happen.

by ezfe

2/28/2026 at 8:31:56 PM

>If I had any discipline around this it would make sense but if I accidentally double tap on the screen I've got a passkey and it's stuck on my phone.

The problem is not with passkey rather system such as iOS keeps a tight lid on how files are uploaded and retrieved from the device. There is a real disconnect between desktop and mobile file system now days.

by zenmac

2/28/2026 at 4:45:06 AM

You can just use bitwarden everywhere if you are ok with it in the cloud.

by EnPissant

2/28/2026 at 5:04:59 AM

I do use Bitwarden everywhere but a couple of times the passkey prompt doesn't show it. I think that's how I got the webview for one of my google accounts stored in iOS keychain.

by arjie

2/28/2026 at 9:13:18 PM

Anytime you save to your iOS keychain you’re doing so through the system prompt and Bitwarden should be included as a target option in that prompt.

If it’s not, that’s a Bitwarden issue. 1Password shows up in the system UI regardless of context on iOS.

by ezfe

2/28/2026 at 6:15:38 AM

Tell that to my mom who has created a bunch of passkeys all over the place without knowing what they are. I'm trying to unwind it but it's a mess.

by mkehrt

2/28/2026 at 7:03:22 AM

Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design.

I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage.

Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rollout an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extend that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini).

by goku12

2/28/2026 at 7:31:18 AM

Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.

by cyberax

2/28/2026 at 8:46:07 AM

> Passkeys ARE self-signed certs.

So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?

by goku12

2/28/2026 at 10:22:52 AM

You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.

by lxgr

2/28/2026 at 11:42:57 AM

Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere as complicated as you make it out to be. No passkey interfaces I've seen is as clear as this one. It automatically provisions the certificate (optional. You can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not.

Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers.

by goku12

2/28/2026 at 12:28:32 PM

TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc.

Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval.

by lxgr

2/28/2026 at 10:22:45 AM

You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.

by lxgr

2/28/2026 at 9:10:32 AM

Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.

by cyberax

2/28/2026 at 9:25:50 AM

Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it?

by goku12

2/28/2026 at 11:18:52 AM

> "they can't be provisioned by the website itself."

It's funny, we used to have a html tag that would exactly that: <keygen />

by 0x0

2/28/2026 at 9:13:54 PM

“All of the place” meaning where? There’s only a few places you can put them and they’re all more secure than passwords so it sounds like not a huge issue.

by ezfe

2/28/2026 at 4:55:10 AM

Doesn't need to be in the cloud for it work everywhere.

by rstat1

2/28/2026 at 4:58:02 AM

True. You can self-host.

by EnPissant

2/28/2026 at 7:15:28 AM

For this reason I am avoiding it like a plague. It is an additional way to fingerprint your activity and the scenarios where you migrate your passkeys from a device to another seems not really well "oiled"

by madduci

2/28/2026 at 10:13:51 AM

How can passkeys be used to fingerprint you? The WebAuthN extension goes to pretty great lengths to avoid fingerprinting.

by lxgr

2/28/2026 at 1:52:29 PM

Don't they get associated to a particular device?

by madduci

2/28/2026 at 7:57:34 PM

Yes, but they're used, by design, to authenticate you.

Even revealing the fact that a given passkey exists on your device requires your active confirmation according to the spec, so unless you actually want to authenticate and click the corresponding button, the site learns nothing about you (other than that your browser theoretically supports WebAuthN, which most do these days, so that's significantly less than one bit of fingerprinting data on you).

In other words, you can't be fingerprinted by WebAuthN, unless there's a (pretty severe) bug in an implementation.

by lxgr

2/28/2026 at 9:14:18 PM

No, they can be synced.

by ezfe

3/1/2026 at 6:11:52 AM

TIL, thanks

by madduci

2/28/2026 at 9:36:23 AM

This story of a user deleting their passkey doesn't seem plausible to me. They don't remember why they have a specific passkey for a messaging app? Surely recognizing the app that stores so many memories is enough not to delete the passkey. And why are they "cleaning up" their passkeys in the first place? Yes I put "cleaning up" in quotes, this metaphor, suggesting that a long list of unused passkeys is dirty in some way is inappropriate.

If an app has a billion users, how many do you expect will delete their passkey for no reason? Is this more important then end-to-end encryption for everyone?

If deleting one's passkey for no reason was a thing, I'd expect a real story about a real user, rather then a made-up scenario.

The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.

by amadeuspagel

2/28/2026 at 1:02:33 PM

This past weekend I watched as my mom discovered the password manager in Chrome, and started deleting every entry she couldn't immediately recognize. "Why is this here? I don't need this"

Despite me pleading that they got there for a reason, and takes zero storage, she was confident she didn't need these passwords. So I can totally see her deleting passkeys; my mom is basically Erica, there need to be very explicit implications stated for every action presented and not assume innate understanding

by petee

2/28/2026 at 3:13:33 PM

This is the kind of real world example of computer use that I missed in the article.

by amadeuspagel

2/28/2026 at 9:58:54 AM

It's more likely for them to accidentally be deleted (or otherwise lost access): in my experience approximately zero users actually understand where their passkeys are stored, and they can be all over the place: the number one question I get is 'why can't I log in?' because they've accepted a passkey setup dialog on one machine without really reading it and now can't log in on another. Sometimes it's on the same machine but in different contexts. No passkeys should be considered something that the average user is going to reliably hold onto (in large part because the industry has been so keen to foist them on users but not very keen at all to educate them on how they work. This also makes them a lot less useful from a security point of view because it means you can't get rid of the recovery process, which tends to be the weaker link).

by rcxdude

2/28/2026 at 10:16:56 AM

> in my experience approximately zero users actually understand where their passkeys are stored

Passkeys are designed to be hidden from the user. The author of this article even went on GitHub telling an open source implementation to not let users copy the private key.

https://github.com/keepassxreboot/keepassxc/issues/10407

There is a good reason for it. If you can copy and paste your passkey, then a phishing site can just ask you for it, making the phishing protection passkeys provide moot.

But the consequence is people, including many technical users on this website, cannot get a grasp on passkeys both as a concept and in a literal sense. How can you perceive, let alone understand, something that is designed to be hidden from you? It also doesn't help that it was pushed on users with little explanation and comes with many seemingly incompatible implementations.

Unless passkeys are redesigned to solve the intangibility problem, grannies will keep losing their accounts for no good reason and we will keep arguing about it on HN.

by pibaker

3/1/2026 at 7:33:18 PM

I cannot believe this guy.

> You absolutely should be preventing users from being able to copy a private key!

> Asking you to put basic protections in place and collaborate with the ecosystem/industry is hardly "anti-user-choice mentality".

> the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).

Does this guy deflate his neighbors tires before going to work to save them from car accidents?

I cannot believe he has this ridiculous paternalistic behaviour while simultaneously having these bullet points on his personal website that he linked to.

> digital identity ● urban mobility user choice ● boston bruins

by kingstnap

2/28/2026 at 7:41:09 PM

This is 100% spot on.

Passkeys are a mystery, and no one bothers to explain what they are, what it means, how it works, what to do, what to avoid.

I'm not an average user - MA in Mathematics, Ph.D. in Computer Science, 27 years of experience as a developer. I have a vague idea that a passkey is like a password, but you don't see it and don't type it and it's stored "somehow, somewhere."

I can't make much sense of that. How is an "average user" suppose to make sense of that?

When I try to find out how passkeys work, I get some incomprehensible gibberish about self-signed certificates, public/private key pairs, challenges, and on and on. In short, a Monad is just a monoid in the category of endofunctors of X, with product (X) replaced by composition of endofunctors and unit set by the identity endofunctor. What's the big deal?

Since any device that stores a passkey can be lost or destroyed at any moment, I assume any passkey can be lost at any moment, and there had better be a way to recover from that. Is there? Who knows.

by chihuahua

2/28/2026 at 10:30:32 AM

I consider myself pretty sophisticated with passkeys (I wrote a toy implementation of WebAuthN once to understand them better), and yet I still get tripped up by this sometimes: Not via intentional deletion, but accidental overwriting.

As far as I understand, there are several ways to enforce per-account passkey uniqueness via WebAuthN, but every once in a while, some site will somehow not realize that I have a passkey for them available already, they will offer to create a new one for me, and my password manager (Bitwarden) will do this by overwriting the old/existing passkey.

Now consider a synchronization hiccup (updating my password manager storage and the relying party's backend is not atomic), and I could totally see my passkey get lost.

by lxgr

3/1/2026 at 8:47:04 AM

That sounds like broken behavior from you password manager: deleting credentials without making that destructive action clear enough to prevent minor levels of negligence from accidentally destroying them.

by namibj

3/1/2026 at 10:32:13 AM

I think it's actually the RP being broken, not my authenticator. Conceptually, it's the RP's burden to either avoid this situation or allow eventual consistency:

There's an explicit mechanism in WebAuthN to avoid duplicate credential generation (excludeCredentials). If a RP still insists on rotating, what they should be doing is to first add the new credential, perform a successful authentication with it, and then retire the old one.

So the problem only happens if a "single passkey only" site does not support excludeCredentials, as far as I can tell.

by lxgr

2/28/2026 at 9:16:00 PM

What you describe is annoying but not an issue if the website doesn’t use the passkey for encryption - so definitely a good recommendation

by ezfe

2/28/2026 at 10:15:51 AM

the problem so far is UI and incompatibility across devices, OSes etc. I am a big fan of Passkeys and the idea of using PRF for E2E encryption, but I wouldn't implement that as now, there is almost zero control over where those passkeys are, how I can recover them, how I manage them. Whenever I have to switch computer (mandatory policy at work), or phone (mandatory obsolence) or if I want to work across OSes (Mac for work, Windows for fun), everything falls apart, incomprehensible interfaces, inexistent transparency and control. And I'm a pro user that has actually studied how the standard works.

I'm afraid that it'll take some few more decades before we will get rid of passwords, if ever.

by dariosalvi78

2/28/2026 at 9:50:11 AM

> And why are they "cleaning up" their passkeys in the first place?

The same reason they're cleaning up their Windows or system32 folder.

by Telaneo

2/28/2026 at 4:54:29 AM

> Don't use passkeys

Better title.

Mom can't figure out what they are or how to use them. They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck (yeah yeah multiple devices and paths to auth and backup codes, none of that matters). It's one further step down the attested hardware software and eyeballs path. Passwords forever, shortcomings be damned.

by akersten

2/28/2026 at 5:18:38 AM

Unfortunately some vendors are now REQUIRING passkeys; specific example:

https://www.healthequity.com

> As of October 2025, passkey login has been fully rolled out and is now required for members with Health Savings Accounts (HSAs) and Reimbursement Accounts (RAs) who use the HealthEquity Mobile app and web experience.

https://help.healthequity.com/en/articles/11690915-passkey-f...

The FAQ is a little misleading by saying WHEN your account has a passkey this and that, but reality is that after October they made them completely mandatory, no bypass, no exceptions. 100% coverage.

Oh, and by the way, passkeys have been broken on PC/Linux when using Firefox for months:

> There Was A Problem: We encountered an error contacting the login service. Please try again in a few minutes.

Neat. You have to use Chrome or Edge.... For months, after making it mandatory...

by Someone1234

2/28/2026 at 6:43:41 AM

That's weird, I can login to my HealthEquity account (which contains HSA) without any issues and I don't have passkey setup. I confirmed it just now just in case.

That article does say "HealthEquity Mobile and web experience" so maybe it's just for customers who use both, I only use web.

by buzer

2/28/2026 at 8:26:33 AM

I’ve only used web and they forced me to enroll one.

by saagarjha

2/28/2026 at 10:24:33 AM

side note, HSAs are also a symptom of a failed Healthcare system

by cyanydeez

2/28/2026 at 12:58:10 PM

You aren't wrong, but many of us are stuck in that failed healthcare system and making the best of it.

by Someone1234

2/28/2026 at 7:16:54 AM

>They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck

This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just setup a new one.

And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.

by jesseendahl

2/28/2026 at 8:47:11 AM

First, in relation to TFA: even if you regain access through a recovery channel, any data that was encrypted using your lost passkey will now be gone.

There are also many exciting new ways you can lose your passkey that wasn't the case with a password you can remember in your mind. The person you responded to is worrying about big tech randomly banning you and making you lose access, in the meanwhile I'm mostly worried about losing the physical device containing the key. I don't think I will forget, say, my Google password unless I got Alzheimers or got hit in the head by a hammer, at which point I will have bigger problems than a lost Google account.

And let's not pretend account recovery process is always smooth and easy. They may require evidence from your other accounts you cannot access now due to the key loss. They may demand government IDs that might have been lost alongside your device. They may also just deem your recovery attempt fraudulent and ban you for no reason (which I similar to the scenario the post you are replying to desctibed.)

by pibaker

2/28/2026 at 8:01:55 AM

Genuine question: what if the recovery asks for a 2nd factor that's e.g. the device which you lost? Is that common?

Personally I don't really trust companies to not do a whoopsie and permanently lock you out when you lose credentials. Especially when the company is big or hard to access in person.

For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

by mcdeltat

2/28/2026 at 8:21:40 AM

> For someone like me who already uses a password manager for everything, passkeys seem to add no security while reducing usability and control.

One advantage of passkeys is that they’re phishing resistant. They’re bound to the website that you created them for, it’s impossible to use them for a different website.

by realityking

2/28/2026 at 11:22:40 AM

> Genuine question: what if the recovery asks for a 2nd factor that's e.g. the device which you lost? Is that common?

Instagram does something similar. If you have no logged in device and you reset your password, good luck getting in, cuz it wants you to log in a device "it recognizes" else it won't let you log in.

by NekkoDroid

3/1/2026 at 10:32:44 AM

Google does it too. You log in with your password and it says "please press the number 35 on your phone"

by gzread

2/28/2026 at 9:31:33 AM

I'm also completely against passkeys. A safe password and a good password manager are way better, they don't lock you into any platform.

It's super sad to see all kinds of websites offering you to add a passkey when you log in.

by reddalo

2/28/2026 at 10:27:59 AM

> A safe password and a good password manager are way better, they don't lock you into any platform.

An open, cross-platform passkey implementation does all that too, and on top of that prevents you from accidental password leaks via logs, MITM etc. by default.

> It's super sad to see all kinds of websites offering you to add a passkey when you log in.

As long as they're not forcing you to add one, what exactly is your problem with having more choice?

Personally, I am grateful for every site that doesn't require my phone number to sign up and uses passkeys for authentication instead, yet I also don't want SMS authentication banned for everybody since I understand it currently works better than Passkeys for many people.

by lxgr

2/28/2026 at 10:18:31 AM

passkeys are a great idea, but poorly implemented

by dariosalvi78

2/28/2026 at 9:39:35 AM

I was planning to make use of passkeys when logging on to various services, so I ordered three physical devices, supporting passkeys (yubikey). I ordered USB C and USB A variants, with NFC support.

Is this a mistake? I am already using password manager and totp for my accounts, but I am tired of dealing with passwords.

Even when using a password manager (bitwarden in my case), it just get tedious bringing out my phone, starting auth app, locating the correct account, reading 6 digit token and logging on.

by tuwtuwtuwtuw

3/1/2026 at 7:26:45 AM

You're good. The relevant advice in article is to not reuse keys for encryption and auth.

Encrypting password manager database with a passkey or other authentication key on one of those yubikeys would be the mistake. Encrypting it with a separate dedicated key (or passphrase) on the same yubikey in parallel to its passkeys is fine.

by pamcake

2/28/2026 at 4:37:10 PM

No it's not a mistake. But say you lose the Yubikey, or you're away from home. How do you deal with that? You still need a password somehow.

by reddalo

2/28/2026 at 4:43:00 PM

Sure. But I think that is same scenario as me loosing my phone today, since I use that for two factor auth.

My plan was to continue using bitwarden for passwords as well, but more as a break-glass mechanism that I really use. I want to use passkeys mostly for convinience.

by tuwtuwtuwtuw

2/28/2026 at 6:23:28 AM

I love passkeys in my selfhosted vaultwarden, but I agree the UX for older people is not quite there.

by mgrandl

2/28/2026 at 7:19:30 AM

Passwords are terrible UX for old people in my experience. They try use the same password everywhere, but then password complexity requirements mean they can't use the exact same password everywhere, and then they forget which variant they used on which service, so they just end up going through the reset password flow every time they sign in. I am not convinced that's a better UX than them just using their fingerprint or face to login.

by jesseendahl

2/28/2026 at 6:40:44 AM

> They bind you to your device

Isn't it why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?

Sure someone can steal your phone/laptop/yubikeybio but then you can use the NitroKey you have at home in your drawer to recover your account.

by utopiah

2/28/2026 at 7:10:08 AM

Biometric keys are still a niche techie thing that the average person probably doesn't even know exist. Most people will be using passkeys exclusively through their phones, often unintentionally. And outside the first world it is not uncommon for people do own no computing devices apart from their phones.

Backup keys and recovery codes also do not solve all cases of key loss. One thing I worry about is what happens if I am traveling in a foreign country and loses my belongings. In the past if I can convince someone to let me use his computer I can at least log into my email account as long as I remember my password. If everything is passkey then I will be locked out of all my online accounts until I make it back home, assuming that I have actually properly set up the backup device and keys. Humans are not very good at making sure that backups actually work.

by pibaker

2/28/2026 at 3:28:23 PM

> Biometric keys are still a niche techie thing that the average person probably doesn't even know exist.

Is it? Maybe I'm in a bubble but feels like most people I know unlock their phone with biometrics. Sure few do that on their laptop, even less on their desktop, but I imagine that explaining it's "like unlocking your phone" would help those very numerous people (if you have metrics on biometrics on phone, please do share, genuinely curious) see that it's basically doing what they already do on more devices.

by utopiah

3/1/2026 at 11:05:29 AM

GP is talking about use of a separate device for it - Yubikey, Nitrokey, et al.

I don't know why biometric models specifically here, I'm 'niche techie' enough to have several Yubikeys, but even I don't have a biometric one.

by OJFord

2/28/2026 at 10:04:39 AM

Your email account would hopefully have 2FA enabled, so if you lose your belongings, then how would you log on in your scenario?

Assuming your 2FA tokens are generated by phone, of course. But I think that's by far the most common way.

by tuwtuwtuwtuw

2/28/2026 at 6:49:43 AM

You can’t expect your grandma to go to those lengths. Heck, even most internet-native people probably wouldn’t.

by aeronaut80

2/28/2026 at 7:06:10 AM

For a random website, no, for bank and primary email (used for account recovery), they probably should.

It honestly takes a minute to add a key and it's just that, a physical key.

IMHO what's risky in terms of UX and habits is precisely that most workflows do not highlight this. So people rightfully are scared of losing that 1 precious key, so they don't activate 2FA because of that. Meanwhile if the UX when they activate 2FA would clarify that they only have 1 key stored, adding a 2nd one or saving codes (most do propose that option for 2FA authenticators but not hardware passkey AFAIK) is what will make them both safe against attacked but also against their own accident (shit happens) then maybe behaviors would change.

Anyway, yes, you're right, most people don't do that or aren't even aware of it but arguably as more and more important and intimate part of our lives are online, it becomes crucial for one owns sanity to better understand how this all works.

by utopiah

2/28/2026 at 12:21:41 PM

> For a random website, no, for bank and primary email (used for account recovery), they probably should.

Even for this, for grandma, this is probably still asking for a lot.

Grandma's bank will have a recovery option even if she's tossed her phone, computer and hardware token in the ocean, and then had a stroke which made her forget any passphrases or whatever: You can call the bank and physically authenticate yourself with a passport, driver's licence or some other ID. It's a bitch to do, you may have to go to an actual bank branch, but grandma will get access to her money again. Meanwhile, her access to physical mail doesn't stop just because she's forgotten some passphrase or lost her phone.

Even techy people get caught out by Google forcing 2FA, while casuals don't even consider the possibility of losing access to their email. While both the rhetorical you and grandma both should probably have a bulletproof recovery option for their email, since it will be the foundation of their digital identity, getting them to acknowledge the problem is going to be hard, and the solution, paying for a Yubikey or some other house of cards solution, is a tough sell.

by Telaneo

2/28/2026 at 5:19:38 AM

KeepassXC has exportable passkeys, so you can avoid the stolen case at least.

by pabs3

2/28/2026 at 9:06:53 AM

Too bad the spec is stupid and requires password managers to be identifiable so servers can deny the "insecure ones". It's already a pain to use Keepassxc for otp since they all want you to use their apps but it's still doable (the worst offender being steam where you have to hack your own app to extract the otp secret). With passkeys you won't have a choice to use The Google AuthenticatorTM etc because eventually some exec will find they can block every provider except their own to boost app download KPI. I really like concept of passkeys, the simple fact of using asymmetric keys is so much better than giving the secret to prove you have it, but the spec is hostile and thought for vendor closing.

by hollow-moe

2/28/2026 at 11:47:29 AM

IIRC KeepassXC can just identify as Apple Passkeys and it will work fine.

by pabs3

3/1/2026 at 1:17:41 AM

No, the spec is for companies that need to enforce higher levels of security so that you can e.g. only enable Yubikeys in your env. I hate big tech just like anybody else but this is just spreading FUD right now.

Also execs can already enforce their apps only - banking apps for approving transactions are already a thing at least in europe, no fido passkey needed.

by lousken

2/28/2026 at 9:37:05 AM

> exportable passkeys

But didn't the author hint that this could get blocked?

My general read on passkeys and their implementers is that exportability is seen as a risky feature, and there's a push to make it as opaque as possible, likely through attestation or similar mechanisms.

[1]: https://github.com/keepassxreboot/keepassxc/issues/10407

by 8cvor6j844qw_d6

2/28/2026 at 6:30:36 AM

Also a password could be the passkey, the passkey protocol is basically a way to send to a server an authenticated public key. The client could deterministically convert passwords to key-pairs and authenticate with those

by afiori

2/28/2026 at 10:25:32 AM

> They bind you to your device/iCloud/Gaia account

Then don't use Apple's/Google's/whatever Gaia is as your passkey provider?

> Mom can't figure out what they are or how to use them.

Then do something nice for your mom and set her up with Bitwarden, 1Password or KeepassXC, which prevents the platform lock-in.

> It's one further step down the attested hardware software and eyeballs path.

None of the synchronized passkey implementations, which big tech has been pushing lately, support attestation, so this is just FUD.

Yubikeys do, but fortunately they don't seem to have the (non-enterprise) weight to make it mandatory for all passkeys.

by lxgr

2/28/2026 at 3:58:46 AM

Nothing in this post is specific to passkeys; it reads like advice to not encrypt data. There’s no way to prevent some users from losing their encryption key anyway. Whatever warnings you include, even when software doesn't connect to the internet and just encrypts local files, someone will write to support that they forgot their password and ask you to "reset" it.

Good advice at the end, though.

by dchest

2/28/2026 at 5:10:57 AM

The issue I think is that passkey managers don’t make it clear that deleting a passkey can cause permanent data loss

by shepherdjerred

2/28/2026 at 6:50:30 AM

Because passkey managers have no idea what a service is using its passkey for. They could warn that deleting a passkey could make all sort of bad things happen, but for most services it will be only the loss of access. What the alternative could be? "Before deleting this passkey you must contact this site and ask them what data you will loose. I give you a week. Come back here a week from now and confirm your desire to delete this passkey. I will not make you delete it before that day. See you!"

by pmontra

2/28/2026 at 7:26:31 AM

yeah I feel like metadata could be attached to the passkey so the manager could surface the info

by shepherdjerred

2/28/2026 at 12:28:26 PM

While I in theory would love this idea, attaching arbitrary metadata to something and expecting a manager to somewhat "nicely" figure out some text to display for it is just not really scalable unless you limit what those fields can be set to. Mainly cuz just displaying keywords isn't exactly user friendly and having anything longer will also need to get translated for all/most/some languages they manager supports.

by NekkoDroid

2/28/2026 at 6:17:39 AM

There's a big difference between being kept in the dark and being informed but careless.

by orbital-decay

2/28/2026 at 4:11:43 AM

How many people are doing a spring cleaning of unused passkeys in their password managers? We're talking like a kilobyte of data, nobody needs to delete these things in any kind of normal circumstance.

Sure, it would be great if users would store 5 copies of their encryption keys, with one in a lockbox on the bottom of the ocean. But that's just not going to happen at any kind of scale, so an automatic way of putting encryption keys in a replicated password manager makes sense. And compared to how people normally handle end-to-end encryption keys, it's going to result in a lot less loss data in practice.

by johncolanduoni

2/28/2026 at 6:17:17 AM

I don't know about spring cleaning, but it's pretty easy to delete by accident if you connect to the browser or OS when setting up instead of the password manager.

That said, I've been assuming I could have multiple passkeys per site and that's turning out to not always be something websites behave sanely about.

by Glyptodon

2/28/2026 at 10:34:09 AM

Most password managers implementing passkeys only allow one passkey per account entry, and I've ended up with multiple passkeys per site, while the site only supports one (and deletes the others upon creating a new one), so I've been in the exact situation of not knowing which entries are safe to delete before.

This is usually due to relying party and possibly password manager bugs, but it does happen.

by lxgr

2/28/2026 at 5:49:44 AM

I thought the point of passkey security is that you don't have to send the private key around, it can stay on your device. Different passkey per device. Lose or destroy a device, delete that passkey and move on.

by bo1024

2/28/2026 at 12:16:38 PM

The issue there being there's a big usability headache with enrolling multiple devices. You really want one device to be able to enroll all your devices (including not-present and offline), but there's no mechanism to do this with the way the webauthn spec works at the moment.

by rcxdude

2/28/2026 at 5:39:44 PM

That's such a bummer and seems like poor design. It ought to be easy for a user to have multiple keys associated with their account.

by bo1024

2/28/2026 at 8:42:08 AM

None of the password managers (including but not limited to ones built-in iOS/Android) work that way. The Apple one (and I think Google is the same) keeps the private key inside the secure enclave (security processor), but it is still copied to each new device - though it is end-to-end encrypted during that transmission.

by johncolanduoni

2/28/2026 at 6:13:43 AM

That’s how I use them. Passkeys on two Yubikeys. And I tag in my password manager which credentials have what form of auth. UP, TOTP (also stored on the two Yubikeys), Webauthn or passkeys (the former indicating 2FA).

by slau

2/28/2026 at 9:06:02 AM

> "Even if there were explanatory text, Erika, like most users, doesn’t typically read through every dialog box, and they certainly can’t be expected to remember this technical detail a year from now."

Passkeys are a step in the right direction, ironically for the exact reason the author advises caution. We've been telling people to "store your backup key somewhere safe" for the best part of a decade now, and your average Erika hasn't got on well with that at all. Locking themselves out and losing data left, right and centre.

If you've worked at any kind of scale you'll know well that a certain percentage of users will lose their data with E2EE, full stop. It's just different from everything else they've ever used. These are the same people who'd be lost without the "forgot password" link, and there's no shame in that. That's just the reality of it. And passkeys can help people like this to not lose their keys.

If the product is truly E2EE, the best options right now are the passkey implementations baked into Chrome or Apple. Windows, as ever, needs a bit of work, but the password managers seem to be picking up the slack well enough. We also need to educate people that with true E2EE there is no "forgot password" email. Passkeys and the tooling around them still have a ways to go, but we're getting there.

by seanieb

2/28/2026 at 3:51:26 AM

If the user deletes passwords they're shown the same exact message. The only saving grace for passwords is that you can remember them, but are you also suggesting to not use generated passwords?

by halapro

2/28/2026 at 4:01:40 AM

I think the distinction is that a passkey is meant to be used for authentication (logging in), and is usually not the only way you can authenticate. If you delete your password, passkey, or 2FA method, you can still go through a "forgot password" flow.

Encryption is different. If you encrypt data with a generated password and then delete it, you're toast, and passkeys are no different. I think the author is arguing that users may not even realize that the passkey itself is needed to decrypt, possibly because they're so associated with login.

by bensyverson

2/28/2026 at 4:09:46 AM

for account-associated encryption, what it should do instead is to generate a dedicated file encryption key for each backup, and encrypt said key with the account's passkeys. Each time the user adds a new passkey, it should save an additional copy of the backup's key encrypted with the new passkey. This way you can have multiple redundant passkeys that can decrypt the backup. This is basically how age's multi-recipient encryption works.

by dansjots

2/28/2026 at 4:14:41 AM

Most of these systems already do this, especially since very few applications have a flat encryption key hierarchy regardless of passkeys. The counterpoint would be that not everyone will set up multiple passkeys unless you require it on sign-up, but you're going to have that problem with any other method of storing end-to-end encryption keys. Might as well piggy-back on the password manager's replication methods.

by johncolanduoni

2/28/2026 at 4:56:33 AM

You're just saying that the user needs to be aware that you cannot forget or delete a password, which applies just the same way to passkeys.

Passkeys are effectively just long passwords you cannot see. The mechanism is just gravy.

by halapro

2/28/2026 at 5:15:49 AM

I think there is a difference.

Sites usually have the user SEND their password to the site to authenticate. There is no need for sites to be written that way, but that is how they are written.

Passkeys cannot, by design, be sent to the site. Instead they use a challenge-response protocol.

by Borealid

2/28/2026 at 6:36:56 AM

> you can remember them, but are you also suggesting to not use generated passwords?

You can remember a strong generated password if it's a pass phrase. Better "rememberability" with the same amount of entropy.

by bad_username

2/28/2026 at 6:51:04 AM

Generated passwords can be useful, but they come with challenges like management and security. It's better to adopt approaches like password managers or biometrics to enhance usability while maintaining security.

by hrmtst93837

2/28/2026 at 3:52:31 AM

This is why I haven't started using passkeys. Managing them is looks complicated and I don't understand the ramifcations of what I'm doing.

Also a style nit, it's OK to use "he" or "she" pronouns in a contrived narrative. The "they/their" usage really detracted from the clarity of the example.

by SoftTalker

3/1/2026 at 3:35:35 PM

It's obviously okay to use he or she - not sure why it wouldn't be. I'm confused why you have a problem with the author's choice not to - I don't see any clarify issues caused by it.

by ezfe

2/28/2026 at 6:39:21 AM

The author's concern of "misgendering" an imaginary person (with ab unambiguously female name) is quite odd.

by bad_username

2/28/2026 at 4:05:49 AM

I don't think I would have even realized why I felt tension reading if you hadn't mentioned this. They/their wasn't confusing at all but, giving the hypothetical user a name was the weird part. I realize now I was expecting some other user to enter the scenario the whole time. Alice and Bob style. When I got to the end, I felt like I missed something. If there's just one, "the user"/"they"/"their" is fine.

by kgwxd

2/28/2026 at 8:01:06 PM

Security is important, security is important, security is important — I keep emphasizing this point. But for me, that statement only really applies to people who genuinely understand security. I personally bought two YubiKeys, understand the associated risks, and store my credentials on those YubiKeys. However, many people today do not realize the risks involved. They casually store these things in places like a keyring and then never manage them properly. That does not necessarily mean they are secure. On the contrary, it can become another kind of danger, because once you start using passkeys, the level of access and authority tied to them is significant. If they are lost or leaked, the consequences can be disastrous. I am glad to see that the industry is paying more attention to security, but at the same time, I believe these more specialized aspects should be aimed at people who actually have the relevant expertise. Passkeys do have a learning curve. For ordinary users, they often just click through a few prompts and end up binding themselves to a system without really understanding what happened. On top of that, with modern systems relying on encryption and TPM, once a computer runs into serious problems, many people simply have no way to recover their data. For the average user, 2FA is already sufficient.

by dennysora

2/28/2026 at 7:25:48 AM

It is conundrum that passkeys were designed to help the majority as they are frictionless (like passwordmanagers etc) but fail in reality.

Even those that have 2 devices they don't have them all the time.

Another overlooked issue is that some banks etc don't allow for 2 devices as login or 2FA. Even if it allowed one needs to keep the spare device always updated. Either Govt needs to build a common API that one can use directly through google pay or apple pay - so that only one app is needed to be kept up to date.

to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them - but at least then if I lose the phone - and I show my ID they should allow me to setup my new phone. But that is also not possible. (I am discounting the awful AI bans)

by whyagaintango

2/28/2026 at 10:17:05 AM

You're thinking about hardware authenticators, not Passkeys. Passkeys are definitionally synchronized and backed up in the cloud (otherwise you just have a sparkling WebAuthN authenticator).

Proprietary clouds and sync backends create their own set of problems, but they do solve the availability issue of always having to register at least two different security keys with each service.

> to be honest, I wouldn't mind if google/Apple can take all my private data and passkeys hold them

That's exactly what you can do today!

> I show my ID they should allow me to setup my new phone.

You have to show them your phone number, which for better or worse is our age's "showing ID", but then you can indeed get back in.

by lxgr

3/1/2026 at 7:40:12 PM

> have to show them your phone number,

Not always working. You can see often in google community support people lost their phone. Get a new sim card and phone. Google sends the 2FA request to old phone - without that they cannot restore data.

Double whammy for people that use eSIM that gets sent to their old email address.

by faust201

2/28/2026 at 11:12:52 AM

Somewhat related, i recently ran into the issue, after i created an account on Confer.to [1] on my Desktop, i couldn't login on my iPad / iOS with Proton Pass and/or Bitwarden.

The error message was: "Error: "Authenticator did not return a PRF result — this passkey probably isn’t PRF-capable."

So i now have an account, but can only use it on my Desktop. (can't change to a password login either, it's Passkeys only...)

[1] end-to-end encrypted AI, developed by Moxie Marlinspike, the founder of Signal: https://confer.to/

by DavideNL

3/1/2026 at 5:18:53 AM

Some password managers do not support the PRF extension yet. ProtonPass is one of them that does not: https://www.passkeyprf.com

by peterspath

2/28/2026 at 9:18:45 PM

Sounds like the website did a shitty job at implementing passkeys. I’ve read through the guides and done it myself and yes there are a lot of gotchas and they’re all avoidable.

by ezfe

2/28/2026 at 8:33:52 AM

Passkeys to me come across as a part solution to a valid problem. Education is part of the solution. Treating the user as too dumb to understand why they need strong passwords or passkeys is important.

I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.

I use passkeys from keepasxc because the native workflow for passkeys is opaque and easy to misunderstand what you are actually doing. And it's predicated on having an account with big us tech companies.

by ifh-hn

3/1/2026 at 3:36:32 PM

> I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.

People forget and reset passwords all the time. Passkeys are no different, except now they'll lose them less.

by ezfe

2/28/2026 at 10:35:49 AM

> I actually despair about when my family members are forced into passkeys and then lose access to their accounts because they get a new device.

Both iOS and Android sync passkeys to their respective cloud accounts by default. (Of course, losing access to that account, sharing one across family members and causing confusion etc. are still concerns.)

The real problem is lock-in, as this effectively often prevents entire families from switching from iOS to Android or vice versa. I'd encourage anyone managing their family's tech setup to pick a platform-agnostic passkey implementation such as 1Password or Bitwarden for that reason.

by lxgr

3/1/2026 at 3:37:02 PM

Apple Passwords support export/import of Passkeys - 1Password amusingly does not.

by ezfe

2/28/2026 at 11:57:30 AM

Don't use Passkeys.

(Or at absolute minimum don't force them on unsuspecting users, make them opt-in, not opt-out frequently at random times (Amazon!!!).)

by OJFord

3/1/2026 at 3:17:44 PM

Maybe we could add an extension to webauthn that adds a reason to a passkey. Then, the credential manager can warn the user better why deleting the passkey would be a bad idea.

by Pesthuf

2/28/2026 at 4:01:50 AM

I recently whipped up a bare-bones PWA wrapping Typage[0] into a quick-and-dirty tool to encrypt files individually using passkeys:

https://news.ycombinator.com/item?id=46895533

This give much more conscious control to the user knowing that they are explicitly encrypting which file with which passkey. Additionally, you can just download the page and serve it via localhost so that you always have control of the relying party for your passkey.

[0] https://words.filippo.io/passkey-encryption/

by dansjots

2/28/2026 at 6:13:49 AM

Probably everything else is debatable, I do agree with one thing though, the cat is indeed out of the bag. It would have been probably a really good use case if the scope was limited to only hardware based security keys for enterprise users only. Rolling it out for OS platforms, software based authenticators just muddies the water. You cannot even provide any guarantees around it being phishing resistant anymore.

by sandeepkd

2/28/2026 at 11:18:00 AM

The crazy thing is that for a non synced device bound passkey you are tying that user to the device forever.

by daft_pink

3/1/2026 at 3:37:58 PM

Yes, if you use passkey to encrypt user data - which is clearly a bad idea because passkeys are not designed for that.

Obviously passkeys do not bind a user to a specific device in any other context.

by ezfe

2/28/2026 at 7:27:38 PM

Honestly we peaked at Hardware U2F keys. Passkeys were a step backwards.

They were secure, scalable, and they were simple to explain to my parents ("This is a physical key for your email account; like your front door key").

by exabrial

2/28/2026 at 10:01:45 PM

I love the idea of hardware keys, and would absolutely use them for the essential stuff (email, domain registrar, bank) but they're just too expensive, while plain old TOTP 2FA is free and provides 99% of the benefits for my use case. TOTP also has a much better workflow in my experience, but this isn't that big of a problem for the things I'd consider essential, but it would be annoying if I were to use a hardware key for everything.

I can buy 6-8 physical keys for the front door of my house for the cost of one Yubikey. Even though there are options at half price, that then gets eaten into by the need to have two or three of them, since a backup is not optional for this sort of use case. I can't imagine convincing one's parents to buy 'a key for your email account' will be easy when the old way mostly 'worked fine' and was free, meanwhile the new one will cost them a non-trivial amount of money. It's an easy flow if you're their sysadmin, but I wouldn't want to throw my parents into the deep end of hardware keys and have to explain to them that they don't need the expensive one, but still have them be discouraged by the mere existence of 100+ dollar options for what should be damn-near throwaway hardware.

Passkeys somehow manages to have a worse workflow than both though.

by Telaneo

2/28/2026 at 4:11:27 AM

I was looking into this to start using this. Because it’s quite user friendly to not let the user worry about all the details that involve encryption of data.

I guess informing them is a good way to start. Are there any other tips on how this can be improved?

by peterspath

2/28/2026 at 9:13:29 AM

The title could've been shorter: don't use passkeys. Period.

by jgb1984

3/1/2026 at 3:38:07 PM

Why not?

by ezfe

2/28/2026 at 8:01:06 AM

Passkeys aren’t going to make it unfortunately but that’s ok.

They’ll teach us what we need to know to create something that will do what they’re trying to do.

by cadamsdotcom

2/28/2026 at 10:03:35 AM

So... Don't use the PRF extension for its declared purpose? I really wonder how people keep getting Passkeys wrong!

by lxgr

2/28/2026 at 10:06:17 AM

If no one can implement a specification without causing problems here and there, perhaps we should consider the specification itself problematic.

See also: Bluetooth.

by pibaker

2/28/2026 at 4:56:21 AM

Trezor support FIDO2 tied on the seed phrase, so if you lost it another hardware wallet will works issueless once restored.

by kkfx

2/28/2026 at 6:41:24 AM

On a similar note mooltipass can export an encrypted backup of passkeys. That said platform should support multiple passkeys so if you lose access to one you arent screwed over.

by miladyincontrol

2/28/2026 at 3:14:52 PM

In the end we are talking about "smart-card-alike" auth, something there since decades, cheap, functional, safe and apparently ignored by most.

Curiously biometric crap is not ignored as well instead, and is pushed by any means...

by kkfx

2/28/2026 at 4:02:39 AM

Another way to say this is that you have to have an account recovery process and you need to think about how your encryption interacts with account recovery.

by wmf

2/28/2026 at 8:17:34 AM

Still android doesn't support NFC in combination with resident passkeys.

by hbogert

2/28/2026 at 8:44:39 AM

It does if you use microg or authnkey or keepassdx.

It's Play Services that does not support this combination, likely to shepherd you towards Google acoount usage. Alternate Android apps work fine.

by Borealid

3/1/2026 at 2:20:03 PM

Is it possible to disable passkey support in Chromium and have it tell websites that feature is unsupported? So you no longer get prompted to create them? (On a global or per-site basis)

by rkagerer

3/1/2026 at 6:26:06 PM

Since this is getting downvoted, let me explain:

I don't want any cloud service to be my passkey provider. I'm not comfortable establishing that kind of dependence on a company I don't trust.

I'd be content to keep passkeys in a datastore that I control, and which I can inspect and manage on my own (including backup, restore, and ideally even daily migration to a "hotspare" device).

As more websites adopt passkeys, I find myself continually being nagged to adopt them. Although their intent is benign, the companies use dark UI patterns like not respecting my choice after I've said NO (there isn't a "Never" option, just a "Skip for now"), and they continually shove the unwanted reminders in my face every time I login.

My concern is eventually I'll accidentally hit the wrong button and create an unwanted passkey that's now tied to my machine/cloud account/vendor service in a way I don't control. I'm fact, I'd bet product managers are counting on that manipulation (nag the user until they concede) to brag about adoption rates and get raises.

My browser is supposed to me my agent, so I think it's a valid question - and related to this topic - to ask if there's a way to turn off the unwanted functionality.

by rkagerer

2/28/2026 at 9:39:34 AM

I don't use passkeys because I am scared that I will not be able to recover my account with my email address.

by darkhorn

2/28/2026 at 9:20:44 PM

Why wouldn’t you?

by ezfe

2/28/2026 at 9:15:40 AM

[dead]

by Paddyz

2/28/2026 at 6:19:07 PM

> What we actually need is for the WebAuthn spec to include a signal that tells credential managers "this passkey is load-bearing for encryption, not just auth" so they can surface appropriate warnings before deletion. Right now credential managers treat all passkeys identically.

This feels more like CYA/shifting the blame for me. If a service is designed so that I will lose all my data if I lose the passkey, then a "yo, don't lose that passkey, like, ever!" warning is the minimum, but doesn't solve the problem.

I found the initial suggestion "don't ever use passkeys for encryption of persistent data" more reasonable.

(Or what the sibling comment describes: Design the encryption in such a way there is an alternate key that could be used for decrypting)

by xg15

2/28/2026 at 10:20:49 AM

I think the idea behind PRF was something like "use this as one of several keys", never as "use this the only key". I don't think this was explicitly called out in the specs, though.

> this passkey is load-bearing for encryption, not just auth" so they can surface appropriate warnings before deletion

That sounds like a reasonable idea, but still doesn't help with the case of a completely deleted/destroyed authenticator, e.g. a lost Apple/Google account or Yubikey.

The only viable solution to me for mass adoption is restricting (by recommendation, since there's no way to programmatically enforce it) PRF to scenarios where it's only one out of several ways to get access back. Some password managers do this, e.g. they encrypt their master secret under a PRF-derived key, but this is not the only way/place to get to the master secret, and they also encourage printed key backups etc.

by lxgr

2/28/2026 at 4:02:42 AM

100% of the arguments against using passkeys for e2ee data apply to using passkeys as credentials.

(Unless they are not credentials, and you can loose them then do a password reset via a phishing prone channel like email and SMS. Supporting this eliminates any possible user benefit of passkeys.)

In addition to the arguments in the article, when used as credentials, they are an obvious trojan horse allowing large websites to completely hijack your operating system.

Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android. This is where passkeys are taking PCs, and it is their only purpose.

So, “Don’t use passkeys” would be a better title.

by hedora

2/28/2026 at 10:37:08 AM

> Don’t believe me? Try logging into a bank or using rideshare/parking/ev charging with degoogled android.

What does root detection and other device attestation have to do with passkeys? Passkeys (at least Google's and Apple's) don't support device attestation.

by lxgr

2/28/2026 at 4:07:52 AM

Passkeys are an open standard? You might as well argue against SSH keys.

by inkysigma

2/28/2026 at 4:11:20 AM

The standard includes a hardware attestation path.

That’s the backdoor allowing the eventual takeover of your OS.

First people use passkeys, and they become standard.

Then they become required for important accounts for security.

Then the important accounts require the attestation bit.

At that point, you cannot run web browsers on open source operating systems.

This is all boring and predictable. It is exactly what they did with Android, and exactly the same organizations are pushing passkeys.

Note: If they had good intentions, the operating system would manage any attestation, and not allow websites to query for or require attestation support.

by hedora

2/28/2026 at 4:25:52 AM

The attestation actually has nothing to do with the browser, only the holder of the passkey's key material. You can satisfy the attestation by having a passkey on your Android device and doing the normal Bluetooth flow with your Firefox browser on your Framework laptop. So this mechanism is totally useless for enacting this plan.

The operating system doesn't manage attestation because that's totally useless for the stated goal of the attestation system. Enterprises don't want their SaaS vendors to accept passkeys from some random employee's BitWarden, instead of the hardware keys they issued the employee. If the OS manages attestation and doesn't send anything to the relying party, then it doesn't solve anybody's problem at all.

by johncolanduoni

2/28/2026 at 4:58:48 AM

It seems like it will only be a matter of time before consumer sites start requiring a patched OS with an attestation bit set in the key.

Also, as I understand it, sites can whitelist credential hardware.

If not, then the attestation is security theater. I (or an attacker on your machine), can just make a sw emulator of a hw attestation device, and use that to protect my choice of OS, (and skim your credentials).

If a whitelist exists, then my “hijack your OS” plan works: Require the builtin macos/windows/signed chrome on signed os password managers. That’s 90% of the market (and dropping) right now.

by hedora

2/28/2026 at 5:49:05 AM

As I said, the attestation structurally does NOT attest to your OS or your browser that are displaying the website performing the authentication. It attests to the device that holds the passkey's key material, which is usually not your desktop computer.

by johncolanduoni

2/28/2026 at 8:48:20 AM

The attestation is in fact readable by the FIDO Platform (the browser/OS). It is not encrypted to be readable only by the RP (web site).

It talks about whatever you used to authenticate and the platform can manipulate (or omit) it.

by Borealid

2/28/2026 at 8:51:05 AM

Yes, but the attestation does not tell the RP anything about the browser. The whole point of the nightmare scenario above was for Google to sneak browser attestation in via passkey attestation. The browser being able to see the attestation doesn’t matter for that.

by johncolanduoni

2/28/2026 at 4:32:29 AM

Does Firefox support the Bluetooth flow on Linux at this time?

by doubled112

2/28/2026 at 5:47:16 AM

That's a matter of implementing an open standard. Google hasn't done anything to prevent open source browsers and OSes from implementing it, and nothing in the spec makes it difficult for Firefox/Linux specifically AFAICT.

by johncolanduoni

2/28/2026 at 5:50:49 AM

I do not want any business with Apple/Google/Microsoft at all, including owning an Android or iPhone for hardware attestation.

by debazel

2/28/2026 at 7:21:57 AM

You don't need to use anything from Apple/Google/Microsoft. Passkeys are just WebAuthn which is an open standard.

by jesseendahl

2/28/2026 at 8:50:59 AM

An open standard that has attestation in it which allows sites to block all open implementations. FIDO Alliance spec writers have even threatened that apps like KeepPassXC could be blocked in the future because they allow you to export your keys.

by debazel

3/1/2026 at 5:27:53 AM

That standard also allows for importing and exporting passkeys. Apple added that in iOS/macOS/etc 26 to their platforms. https://9to5mac.com/2025/06/13/ios-26-passkeys-password-tran...

by peterspath

3/1/2026 at 6:52:13 AM

The export is end to end encrypted, so you do not have ownership of the data, and the provider (Apple in this case) has full control over who you are allowed to export your keys to. (Notice how there are no options to move your keys to a self-hosted service.)

by debazel

2/28/2026 at 10:38:19 AM

> The standard includes a hardware attestation path.

Yes, and iOS and Android's Passkey implementation does not support it, since doing so would be lying about a given credential being hardware-backend when it's actually not (due to being cloud-synced and often recoverable via some process).

Attestation is only for hardware authenticators, either dedicated ones like Yubikeys or non-synchronized Android WebAuthN credentials. (iOS only supports them in MDM contexts anymore, I believe.)

by lxgr