Passkey Is Still Too Confusing to Use

Posted3 months agoActive3 months ago

ilamont

37 points

27 comments

bogleheads.orgTechstory

calmnegative

Debate

40/100

PasskeysPassword ManagementSecurity

Key topics

Passkeys

Password Management

Security

The article discusses the difficulties of using passkeys, a passwordless authentication method, and the community shares their experiences and concerns about its usability and security.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

Peak period

0-3h

Avg / period

3.4

Comment distribution27 data points

Loading chart...

Based on 27 loaded comments

Key moments

01Story posted
Oct 7, 2025 at 8:08 PM EDT
3 months ago
Step 01
02First comment
Oct 7, 2025 at 8:16 PM EDT
8m after posting
Step 02
03Peak activity
8 comments in 0-3h
Hottest window of the conversation
Step 03
04Latest activity
Oct 9, 2025 at 10:33 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (27 comments)

Showing 27 comments

ggm

3 months ago

2 replies

I think I have to agree. I spend my life across 2 macbook and 2 android devices and I now cannot predict which web interaction (or WPA) will ask me to use which device(s) to validate which association.

I have bitwarden on all of them. I can coordinate 2FA TOTP easily. I don't see passkey adding value right now, it's simply added an extra model, alongside the others, which doesn't even reliably work.

Given their non-migrating quality, I can't federate can I?

mmiyer

3 months ago

2 replies

FWIW Bitwarden supports passkeys which allows you have them synced across all your devices.

grim_io

3 months ago

1 reply

This is the way.

Easy and painless.

sph

3 months ago

2 replies

I use Bitwarden. I need none of the convenience of passkeys, and I am able to login on a third system just by hand-copying a password, which I cannot do with passkeys. So why should I prefer passkeys anyway?

Passkeys have some benefits, but the major reason they exist is vendor lock-in.

port11

3 months ago

The main reason they exist is that the vast majority of people don't create secure passwords and 2FA isn't always reliable. Passkeys may not be for someone like you (and me).

akerl_

3 months ago

Passkeys can’t be accidentally hand-copied into a phishing page.

ggm

3 months ago

Thank you. TIL.

slau

3 months ago

I use passkeys exclusively on my YubiKeys, and I ensure I always have a backup (two Yubikeys with one passkey each).

TOTPs are handled the same way (stored on two Yubikeys).

We used password managers when 2FA allowed us to guarantee that even a leak of the passwords wouldn’t be that catastrophic. If you sync your passkeys to your password manager, anyone compromising it has full access to your accounts.

al_borland

3 months ago

1 reply

It also feels like many sites are trying to either trick or gaslight me into moving over to a passkey. Amazon was successful in tricking me, and I’ve had to be much more vigilant since that happened.

akerl_

3 months ago

That's because for the average user of most popular websites, user account takeover via weak passwords and phishing are massive risks. These sites are funneling their users hard towards passkeys because they're a huge step forward towards covering those risks.

Detrytus

3 months ago

3 replies

Call me old fashioned but I distrust any form of authentication that is tied to a specific device.

I might be getting older but my memory is still good enough to remember a couple of secure passwords (secure, as in: 20+ chars long random strings), one of them being a password to my KeePass database, and the other to the email account where I keep a backup copy of it.

I would hate to be locked out of my accounts only because I lost my phone or Yubikey.

noman-land

3 months ago

1 reply

This is great until you get a memory altering brain injury. Then what?

Detrytus

3 months ago

That's why I have those passwords written down on a piece of paper that I keep in my desk drawer :) /s

wmf

3 months ago

Most passkeys are synced to multiple devices.

pabs3

3 months ago

KeePassXC can now generate, store and export Passkeys.

pabs3

3 months ago

1 reply

Passkeys are also incompatible with Free Software:

https://www.smokingonabike.com/2025/01/04/passkey-marketing-...

akerl_

3 months ago

1 reply

This whole post just reads like somebody trying to axiomatically derive what passkeys are and how they work by hopping between fragments of blog posts, github issues, and other random docs. Sentences like this really drive that home:

> I don’t know what a “relying party” is, so I’m not sure exactly what this threat entails, but this statement really puts the Passkey spec authors in a bad light.

How can you hear something, not understand the terminology, and then use that as a basis for declaring the speaker "in a bad light"?

digitalPhonix

3 months ago

1 reply

Why do you need to know what “relying party” could mean for

> To be very honest here, you risk having KeePassXC blocked by relying parties

to not cast the author in a bad light?

They are straight up threatening a well regarded open source password manager for implementing portability for passkeys.

akerl_

3 months ago

1 reply

This is why knowing what technical terms mean matters.

What they’re saying is: the FIDO spec allows website operators to specify which passkey implementations they trust for authentication to their site. If your passkey implementation does not follow the spec around how it secures secrets and validates user auth flows, you risk that some sites will not trust your software as a viable passkey option.

As a comparison: imagine I made an HTTP client called “wurl”, and it was like curl but when users used it with authenticated requests, it emitted their credentials in plaintext logs on their laptop. Site operators could say “I’m gonna block requests where the user agent is wurl, because we don’t want our users to think they’re making secure requests and not catch this credential mishandling”.

No free software principles have been broken here: site operators (relying parties) are free to determine which auth implementations they are willing to interact with. Users are free to stop using sites that block auth implementations they think shouldn’t be blocked. No primitive of free software demands that site operators interoperate with something just because it’s a FOSS client.

pabs3

3 months ago

1 reply

Users should have the freedom to choose their implementations, or the entire point of Free Software is nullified and becomes useless. Take a look at what is happening with the Android attestation APIs, users of GrapheneOS (a libre and more secure variant of Android) are blocked from running mandatory government apps or almost mandatory banking apps, or even just fast food apps. Or the FSFE Router Freedom campaign. Or the mobile networks blocking devices that can share their access with other devices, or other devices they don't like.

https://grapheneos.org/articles/attestation-compatibility-gu... https://fsfe.org/activities/routers/

akerl_

3 months ago

1 reply

Service operators being required to allow users to use whatever software the user wants to interact with the operator’s system is not in fact a principle of Free Software.

You’re welcome to want service operators to do that, but not doing it doesn’t affect any of your software freedoms.

pona-a

3 months ago

1 reply

Freedom 1: The freedom to study how the program works, and change it to make it do what you wish.

The later half -- the freedom to change the program -- is meaningless in a world of attestation. Tivoization was explicitly forbidden on these grounds: if you can modify the software, but cannot use it in its modified state, the distributor is in violation of the spirit of free software and in particular, GPLv3.

It is a basic argument from positive liberty: the freedom for services to discriminate based on user's software and the freedom of the user to be discriminated against is no freedom at all.

akerl_

3 months ago

1 reply

I think we’re just speaking different languages here.

Free software does not mandate service operators to interoperate between their own infrastructure and custom or modified software you possess. You are not somehow guaranteed access to someone else’s system just because your local code has a FOSS license.

pona-a

3 months ago

1 reply

If I said the Web Integrity API is incompatible with Free Software, would you read that as: a) Chromium would cease to be Free Software if it implemented it; or b) Web Integrity itself makes effective Free Software structurally impossible and exists to punish its users?

The latter is what I mean. Web Integrity or SafetyNet are a closer counterpart to this situation than your curl example. A user agent is just a hint; attestation is an effective enforcement mechanism.

No Free Software license on my client can obligate your server to cooperate. But if attestation becomes the norm across many different services, the entire framework of user choice Free Software stands on collapses.

How would Ungoogled Chromium survive if every second website rejected non-Google Chrome? We've already seen this play out with Android: more people daily-drive GrapheneOS than Lineage because it passes Google's lower-level integrity checks.

And when a "strongly advised" government app requires the strictest attestation level, will you have to move countries just to exercise that freedom of choice you supposedly have?

akerl_

3 months ago

Ungoogled Chromium is still free software even if every second website rejects it. Free software does not have a de facto right to interoperate, and does not become less free or structurally impossible because other entities don't interact with it. The freedoms define what you can do to and with software you possess; it does not put requirements on 3rd parties to interact with you.

In the same way that commercial entities aren't guaranteed a business model just because they want one, free software isn't guaranteed connectivity to other people's systems just because otherwise it's less useful.

misterspaceman

3 months ago

1 reply

I'm not a security expert, but I have an opinion on passkeys: I think we should stick to using them only for 2FA. At least for any site where the security really matters.

In my mind, a passkey authenticates the device, while the password authenticates you, the user. Passkeys let us limit which devices are allowed to connect with our credentials. A hacker in Eastern Europe could steal my login, but if their laptop isn't authorized, it makes an account takeover much harder.

(Side note: This is also why I'm uncomfortable putting TOTP codes and passkeys in the same password manager as the regular login credentials. It effectively defeats the whole purpose, turning multi-factor authentication back into single-factor again.)

commandersaki

3 months ago

Criminals love getting persistent access to accounts using Passkeys because there's a large populous that do not understand what a Passkey is or does or review if they have any, and even if they have an unauthorised one created, do not do anything about it.

View full discussion on Hacker News

ID: 45510507Type: storyLast synced: 11/20/2025, 12:50:41 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN