Are passkeys the end of password managers?

Today I just installed my first passkey with Google. Apparently Paypal will soon follow and I can get one for my Apple stuff. Bitwarden is only announcing it.
I am really a fan of Bitwarden - recommending it to many other people, but now I ask myself:
What is the real advantage of a password manager managing my passkeys?
So far I could guess the following answers:

  1. I do not need to follow the “passkey on new device procedure” for every passkey/device combination
  2. I still have all the old password/2FA services in my password manager (probably it will take many years to implement passkeys everywhere)
  3. I can share my passkeys with other Bitwarden users (Premium)
  4. In other words: I break the device/passkey connection

In this new passkey world, I do not see a long-term need for a password manager.
What do you think?

Hello,

I love device-bound passkeys. They are convenient, a form of automatic 2FA (something I have, and something I know/am), phishing resistant, and breach resistant. I can even live with creating a new key/account/device for my most important accounts, knowing that I can go via the account recovery route on new devices.

OTOH, creating a key/account/device is pretty inconvenient. Most likely, some people who are used to passwords are going to be confused as to why. For newer generations, maybe they would think it’s a hassle and would look for a more convenient method. This is where syncable passkeys can come in.

For syncable passkeys, you most likely would either rely on the OS platforms or the password managers as sync providers. The OS platforms typically don’t implement such functionality across all platforms/browsers. If you can live within the walled garden of an OS platform, then you don’t need the password managers (e.g. Apple Keychain seems to work pretty well, and safely). For everybody else, it’s the password managers.

I use BW primarily for cross-platform accessibility and some on-line functionalities. Without these, I would have stayed with the off-line password managers. I think convenience would still be a major factor going forward for me, and I think this will be true for some other people as well.

I think the FIDO Alliance (Passkeys - FIDO Alliance) has a point:

Convenience
The usability of a password replacement must compete with the convenience of passwords, and one of the primary usability benefits of passwords is that they can be used from any device.

Syncing means that passkeys are available from all of a user’s devices using the same sync provider. And just like passwords, visiting a website from another device does not require going through a credential registration/creation flow — cross-device sign-in is supported via an enhancement to the FIDO Alliance Client to Authenticator Protocol (CTAP) that uses Bluetooth Low Energy (BLE) to verify physical proximity.

If the cryptographic key is bound to the user’s computer or mobile device, then every time the user gets a new device, the RP would have to fall back to other methods of authentication (typically a knowledge-based credential such as a password). In practice, this often means that the first sign-in on a new device will be both inconvenient and phishable.

Passkeys solve this issue because they are available on the user’s device if and when the user needs them — starting from the very first sign-in to a website from that device. Last but not least, users often forget passwords and don’t set up backup emails and phone numbers. With passkeys, as long as the user has their device, they can sign in; there is nothing to forget. Because passkeys can be backed up, they can be better protected from loss.


Your walled garden comment opened my eyes. I hate it when I am forced to look for an Apple/Google or Microsoft device or app just to confirm my login on a “foreign” OS or machine. With the introduction of passkeys they are again trying to manage the complete authentication process of their userbase. They will probably make the export of passkeys as complicated as possible to keep their users under control. The open source nature of BW is a completely different approach and their newest acquisition shows that they want to promote passkeys everywhere. For me the biggest open issue is the lack of an identity provider in the BW system. A passkey securely identifies a human on a device - no matter who he/she is.

Maybe I misunderstood your comment, but wouldn’t the fact that only one person knows the master password and possesses the second factor for Bitwarden authentication guarantee the identity of the user? I suppose it would be a different situation if a passkey is used to log in to Bitwarden itself, too, but at least this would be a choice the user could make.


Time flies, let me share my experience.

I’ll say my best bet would be username+password+2FA (authn OR key OR recovery code).

The username and passwd are an easy target for a keylogger, so indeed it relies ONLY and mostly on the 2FA. So I don’t put the authn into BW, I put it on the phone. And the recovery code is put somewhere not close to the username+passwd.

For passkeys, they should only replace username+passwd. Finish.

I.e. for any login, a passkey + a 2FA should be needed.

However, those who push passkeys override this and make passkey=2FA, i.e. they make the passkey solely enough for login, which I disagree with.

You may say that passkeys already include a 2FA like fingerprint, FaceID etc.;
however, for me, Google allows saving a passkey into BW, making this a single point of failure.

Summary: (username+pwd/passkey) WITH a 2FA, esp. a hardware key, is my way to go.

I think generally, people reluctant to put TOTP secrets into their BW wouldn’t store passkeys in BW. People who use hardware 2FA for particular accounts also wouldn’t put passkeys into BW for those particular accounts. I think this is unsurprising at this point.

I wouldn’t put TOTP secrets into BW either. But I do use passkeys on my home PC, as I rate it unlikely to be stolen along with the PIN to unlock my PC. Very convenient to log in for most accounts (definitely not for BW). Would be a (tolerable) pain when I have to replace the passkeys to all those accounts.

And that may not be true for a passkey, even in Bitwarden, because with a keylogger “alone”, I think the stored/used passkey couldn’t be extracted.

I think this should be recommended.

Strictly speaking, that is nothing Bitwarden can decide for itself. This depends on how the account/service implements it. And maybe this changes again over time.

This makes me think of “UV” (user verification – via biometrics and/or PIN). Bitwarden has not implemented that yet. This would be a part of the 2FA process of a passkey and would offer additional protection. - However, whether this (when implemented) really stops an “intruder” from getting access to the passkey, I don’t know… hopefully Bitwarden has an eye on that…

… nothing against hardware keys (which contain passkeys then) from me.

And a sidenote to the title of the thread: yes, passkeys may be the end of password managers… and the beginning of passkey managers. :wink:

I mean,
I don’t mind a passkey replacing username+passwd, as originally there should be a fingerprint/FaceID check.

But BITWARDEN’s storage of passkeys ELIMINATED that biometric check, which is ridiculous.

Further ridiculous is that Google’s default is passkey = 2FA,
which, when you use it with BW’s passkey, means you MAY skip biometrics and log in with a click. This wastes the fingerprint reader, camera, keys. And it is totally opposite to the strongest factor, the physical key.

As I said, I won’t mind if a passkey simply replaces username+passwd,
just keep the 2FA (authn, key).

I’m not quite sure, but I think Bitwarden plans on implementing that already… I saw something in GitHub, but that was for Organizations, if I’m not mistaken. Seems to be in some kind of development, anyway. ([PM-7808][PM-7848] UV Preferred/Required, Item has MP reprompt, user without MP incorrectly bypasses UV and When UV = discouraged, cannot save passkey to item using [+] button by gbubemismith · Pull Request #9015 · bitwarden/clients · GitHub)

That I don’t fully understand.

By “authn” you mean “WebAuthn”? → That would be a passkey.

By “key” you mean “hardware key”? Like a YubiKey? → That would also store “passkeys”. (if we speak about FIDO2 / WebAuthn again; storing TOTP seeds on a YubiKey and using the Yubico Authenticator app wouldn’t be a passkey, of course)

So when you say, passkeys could replace username+password and “keep the 2fa”, and your 2FA would be passkeys as well… it is a bit confusing to me. :sweat_smile:

AI told me authentication’s shorthand is authn. I mean the QR code authenticator.

so for me,

level 1: (username + passwd) OR passkey

level 2: QR code authentication OR physical security

(rarely, have the recovery code for accidents)

Better 1 + 2 for everything important.

At first what I read is passkey = a pair of asymmetric keys, where the private key is guarded by the biometrics.

Again, that is not entirely clear to me. But I guess you mean the (mostly) every 30-seconds newly generated one-time-passwords, right? - Because with passkeys, there is a QR code authentication process as well…

As I understand it, the private key is not only guarded by that, but by other mechanisms as well. And as written above - “user verification” could also be a PIN… and is not completely mandatory.

PS:

Yeah, ‘authn’ seems to be an abbreviation of the word ‘authentication’ - but that can pretty much mean everything here in our context. Using username + password is also a form of authentication. - As I wrote above, if you mean the “every-30-seconds-one-time-password” this would better be called ‘TOTP’, which stands for Time-based One-Time-Password (and that can either be initiated via a QR code or via manually typing in the “secret key/seed”).

BTW:

Your level 1 “passkey” + level 2 “physical security” would really be:

passkey + passkey

:wink:

Here is a good explanation, I think, of the mechanisms of a passkey (and the video is just a few days old): https://www.youtube.com/watch?v=RWcXKQcwBRY Have to watch it myself at least a second time. :sweat_smile:

PS: … ah, I just found (again) the “user verification” development, maybe around the corner: [PM-4577] Enhance passkey user verification to use configured unlock methods by gbubemismith · Pull Request #8746 · bitwarden/clients · GitHub
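To make concrete what the last posts circle around (a passkey is a key pair whose private key the authenticator guards, and “user verification” is a flag the relying party can require or merely prefer), here is an added example in Go, not code from this thread or from Bitwarden. It plays a toy authenticator and the relying-party check; Ed25519 instead of the usual ES256, the rpID and the challenge are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Flags byte of WebAuthn authenticatorData: bit 0 = user present (UP), bit 2 = user verified (UV).
const flagUP, flagUV byte = 0x01, 0x04
// Passkey plays the authenticator. Ed25519 (COSE alg -8) keeps the example short; real passkeys are usually ES256.
type Passkey struct{ priv ed25519.PrivateKey } // the private key an authenticator, or a synced vault, guards
// NewPasskey is registration: the RP keeps only the public key, the authenticator keeps the private key.
func NewPasskey() (ed25519.PublicKey, *Passkey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, &Passkey{priv: priv}
}
// signedMessage is what gets signed: authData || SHA-256(clientDataJSON); clientDataJSON is reduced to the raw challenge here.
func signedMessage(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// Assert answers a challenge; uv says whether a PIN/biometric check ran first (only the authenticator knows that).
func (p *Passkey) Assert(rpID string, challenge []byte, uv bool) (authData, sig []byte) {
	rpIDHash, flags := sha256.Sum256([]byte(rpID)), flagUP
	if uv {
		flags |= flagUV
	}
	authData = append(rpIDHash[:], flags, 0, 0, 0, 1) // rpIdHash || flags || signCount
	return authData, ed25519.Sign(p.priv, signedMessage(authData, challenge))
}

// VerifyAssertion is the RP side. It never sees a fingerprint or PIN: it can only require the UV
// bit (userVerification=required) and check the signature with the public key kept at registration.
func VerifyAssertion(pub ed25519.PublicKey, rpID string, challenge, authData, sig []byte, requireUV bool) error {
	want := sha256.Sum256([]byte(rpID))
	switch {
	case len(authData) < 37 || !bytes.Equal(authData[:32], want[:]):
		return errors.New("rpIdHash mismatch: assertion was made for another site")
	case requireUV && authData[32]&flagUV == 0:
		return errors.New("user verification required but not performed")
	case !ed25519.Verify(pub, signedMessage(authData, challenge), sig):
		return errors.New("bad signature: wrong key, or challenge/authData tampered with")
	}
	return nil // a production RP also checks the UP bit, the origin in clientDataJSON and the sign counter
}
```

The UV bit is covered by the signature, so a vault that skips the biometric cannot claim UV afterwards; whether that bit is demanded at all is the service’s choice, which is the point made above about Google’s default.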