Yep, Passkeys Still Have Problems
2 days ago
- #Passkeys
- #Cybersecurity
- #VendorLockin
- Passkeys still have flaws in 2025, but they can be used effectively with proper understanding and management.
- Credential Managers (like Bitwarden or Vaultwarden) are recommended for storing Passkeys, allowing backups and control.
- Avoid relying solely on platform Credential Managers (Apple, Google) due to backup and lockout risks.
- For high-value accounts like email, use YubiKeys as Passkey stores and maintain strong passwords + TOTP as backups.
- The FIDO Credential Exchange Specification allows moving Passkeys between providers but doesn't solve day-to-day cross-platform usage issues.
- Vendor lock-in persists due to UI friction and lack of user education about credential management.
- Platform Passkey providers (Apple, Google) often mislead users about biometric data, causing distrust.
- Some services force platform-bound Passkeys, limiting user choice and flexibility.
- Backup strategies are crucial: use Credential Managers with export functions or hardware keys like YubiKeys.
- Developers should avoid pre-filtering WebAuthn options and prioritize user consent and choice in Passkey enrollment.
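As an added illustration of the last point (example code, not from the original post), the builder below produces WebAuthn registration options that leave the authenticator choice to the user, alongside a small linter that flags the platform-only settings the post warns against; the relying party id, user values and challenge bytes are constructed placeholders.

```javascript
// Added example (not from the original post). Shows a registration-options
// builder that leaves authenticator choice to the user, plus a linter that
// flags settings which steer users toward a platform-bound Passkey.
// rpId, user values and challenge bytes are constructed placeholders.

function buildRegistrationOptions({ rpId, userId, userName, challenge, forcePlatform = false }) {
  const options = {
    challenge,                                   // server-generated random bytes
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },           // ES256
      { type: "public-key", alg: -257 },         // RS256
    ],
    // No authenticatorAttachment: platform authenticators, roaming keys
    // (e.g. a YubiKey) and third-party credential managers all stay selectable.
    authenticatorSelection: { residentKey: "preferred", userVerification: "preferred" },
    timeout: 60000,
  };
  if (forcePlatform) {
    // The pre-filtered variant the post warns against.
    options.authenticatorSelection.authenticatorAttachment = "platform";
    options.hints = ["client-device"];           // WebAuthn Level 3 hint
  }
  return options;
}

// Returns the settings that restrict which credential manager the user may enrol.
function findLockinSettings(options) {
  const issues = [];
  const sel = options.authenticatorSelection || {};
  if (sel.authenticatorAttachment) {
    issues.push(`authenticatorAttachment=${sel.authenticatorAttachment} excludes other authenticators`);
  }
  if (Array.isArray(options.hints) && options.hints.includes("client-device")
      && !options.hints.includes("security-key")) {
    issues.push("hints steer the client toward the platform authenticator only");
  }
  return issues;
}

// Constructed sample input for a stand-alone run.
const sample = {
  rpId: "example.test",
  userId: new Uint8Array([1, 2, 3, 4]),
  userName: "alice",
  challenge: new Uint8Array(32),
};
console.log(findLockinSettings(buildRegistrationOptions(sample)));                          // []
console.log(findLockinSettings(buildRegistrationOptions({ ...sample, forcePlatform: true }))); // two findings
```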