Passkeys are just passwords that require a password manager

9 months ago
  • #security
  • #password-managers
  • #passkeys

  • Passkeys are randomly generated passwords managed by password managers, supported by major providers like Apple, Google, and 1Password.
  • Passkeys can be public/private keypairs or secret passwords, designed with anti-phishing protections by including metadata tied to specific sites/apps.
  • Password managers prevent copying passkeys, requiring authentication (e.g., fingerprint, Face ID) for access, though sites cannot verify this step.
  • Resetting a passkey works the same as resetting a password, with complexity varying by site (e.g., email recovery, multi-factor authentication).
  • Passkeys create lock-in with password managers, as they cannot be copied/pasted between services, though future protocols may enable transfers.
  • Sites are encouraged to allow multiple passkeys per user to support different password managers, but adoption varies.
  • Passkeys offer phishing resistance, as users cannot accidentally paste them into malicious sites, unlike traditional passwords.
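
The site-specific metadata mentioned above can be seen in the checks a site runs on a passkey login. The following is an added example, not code from the summarized article: it assumes the WebAuthn assertion format that passkeys use, the hypothetical names `check_site_binding` and `sample_assertion`, and constructed sample data. It covers only the site-binding fields and omits signature verification.

```python
import base64
import hashlib
import json

FLAG_UP = 0x01  # "user present" bit in the authenticator data flags byte


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_site_binding(client_data_json, authenticator_data, *, origin, rp_id, challenge):
    """Return the list of binding failures; an empty list means the metadata matches."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch")
    if client.get("origin") != origin:  # written by the browser, not the page
        problems.append("origin mismatch")
    if len(authenticator_data) < 37:  # 32-byte rpIdHash + flags + 4-byte counter
        return problems + ["authenticator data too short"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & FLAG_UP:
        problems.append("user presence flag not set")
    return problems


def sample_assertion(origin, rp_id, challenge):
    """Constructed sample: the metadata a browser and authenticator emit for `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP]) + (7).to_bytes(4, "big")
    return client_data, auth_data


CHALLENGE = bytes(range(32))  # constructed; a real server issues fresh random bytes per login
SITE = {"origin": "https://example.com", "rp_id": "example.com", "challenge": CHALLENGE}

if __name__ == "__main__":
    genuine = sample_assertion("https://example.com", "example.com", CHALLENGE)
    lookalike = sample_assertion("https://examp1e.test", "examp1e.test", CHALLENGE)
    print("genuine:  ", check_site_binding(*genuine, **SITE))
    print("lookalike:", check_site_binding(*lookalike, **SITE))
```

A response produced on the look-alike origin fails both the origin and the rpIdHash comparison when it reaches the real site, which is why there is nothing for a user to paste into the wrong page.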