Are passkeys the end of password managers

Today I just installed my first passkey with Google. Apparently PayPal will soon follow, and I can get one for my Apple stuff. Bitwarden is only announcing it.
I am really a fan of Bitwarden - recommending it to many other people, but now I ask myself:
What is the real advantage of a password manager managing my passkeys?
So far I could guess the following answers:

  1. I do not need to follow the “passkey on new device procedure” for every passkey/device combination
  2. I still have all the old password/2FA services in my password manager (probably it will take many years to implement passkeys everywhere)
  3. I can share my passkeys with other Bitwarden users (Premium)
  4. In other words: I break the device/passkey connection

In this new passkey world, I do not see a long-term need for a password manager.
What do you think?
1 Like

Hello,

I love device-bound passkeys. They’re convenient, a form of automatic 2FA (something I have, and something I know/am), phishing resistant, and breach resistant. I can even live with creating a new key/account/device for my most important accounts, knowing that I can go via the account recovery route on new devices.

OTOH, creating a key/account/device is pretty inconvenient. Most likely, some people who are used to passwords are going to be confused as to why. For newer generations, maybe they would think it’s a hassle and would look for a more convenient method. This is where the syncable passkeys can come in.

For syncable passkeys, you most likely would either rely on the OS platforms or the password managers as sync providers. The OS platforms typically don’t implement such functionalities across all the platforms/browsers. If you can live within the walled garden of an OS platform, then you don’t need the password managers (e.g. Apple Keychain seems to work pretty well, and safely). For everybody else, then it’s the password managers.

I use BW primarily for cross-platform accessibility and some on-line functionalities. Without these, I would have stayed with the off-line password managers. I think convenience would still be a major factor going forward for me, and I think this will be true for some other people as well.

I think the FIDO Alliance (Passkeys (Passkey Authentication)) has a point:

Convenience
The usability of a password replacement must compete with the convenience of passwords, and one of the primary usability benefits of passwords is that they can be used from any device.

Syncing means that passkeys are available from all of a user’s devices using the same sync provider. And just like passwords, visiting a website from another device does not require going through a credential registration/creation flow — cross-device sign-in is supported via an enhancement to the FIDO Alliance Client to Authenticator Protocol (CTAP) that uses Bluetooth Low Energy (BLE) to verify physical proximity.

If the cryptographic key is bound to the user’s computer or mobile device, then every time the user gets a new device, the RP would have to fall back to other methods of authentication (typically a knowledge-based credential such as a password). In practice, this often means that the first sign-in on a new device will be both inconvenient and phishable.

Passkeys solve this issue because they are available on the user’s device if and when the user needs them — starting from the very first sign-in to a website from that device. Last but not least, users often forget passwords and don’t set up backup emails and phone numbers. With passkeys, as long as the user has their device, they can sign in; there is nothing to forget. Because passkeys can be backed up, they can be better protected from loss.

2 Likes
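The phishing and breach resistance mentioned in the post above, and the per-device versus synced key discussion in the FIDO quote, both come down to how a passkey signs: the authenticator holds one key pair per relying party ID, only signs for the RP ID the browser derives from the origin the user is really on, and signs over a challenge the site chose, while the site itself stores only the public key. The following Go program is an added example written for this thread, not Bitwarden's or the FIDO Alliance's code. It simplifies WebAuthn (authenticator data is reduced to the RP ID hash, and the RP ID, origins, user name and challenge strings are constructed) and shows a genuine login verifying, a look-alike origin getting no assertion at all, and a replayed assertion failing on challenge freshness.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Authenticator is a passkey holder (platform authenticator or password manager): one private key per RP ID.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a P-256 key pair for rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv // the private key never leaves the authenticator
	return &priv.PublicKey, nil
}

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// signedPayload reproduces what WebAuthn signs, authenticatorData || SHA-256(clientDataJSON), with authenticatorData reduced to the rpIdHash.
func signedPayload(rpID string, cdJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	sum := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return sum[:]
}

// GetAssertion is the browser-plus-authenticator half of a login: origin is the page really visited, rpID is what the browser derives from it.
func (a Authenticator) GetAssertion(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok { // no passkey for this RP ID: a look-alike domain gets nothing to relay
		return nil, errors.New("no credential for rpID " + rpID)
	}
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedPayload(rpID, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{cd, sig}, nil
}

// RelyingParty stores public keys only; a leaked user table gives an attacker nothing to sign with.
type RelyingParty struct {
	ID, Origin string
	Users      map[string]*ecdsa.PublicKey
}

// Verify runs the RP-side checks: known user, fresh challenge, expected origin, valid signature over this RP's ID.
func (rp *RelyingParty) Verify(user, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	pub := rp.Users[user]
	switch {
	case pub == nil:
		return errors.New("unknown user")
	case cd.Challenge != challenge:
		return errors.New("stale or wrong challenge")
	case cd.Origin != rp.Origin:
		return errors.New("origin mismatch: " + cd.Origin)
	case !ecdsa.VerifyASN1(pub, signedPayload(rp.ID, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// Demo registers a passkey for a constructed RP and reports whether the RP accepts a genuine login, a login from a look-alike origin, and a replay.
func Demo() (genuineOK, phishOK, replayOK bool) {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", Users: map[string]*ecdsa.PublicKey{}}
	pub, _ := auth.Register(rp.ID)
	rp.Users["alice"] = pub
	chal := "constructed-challenge-1" // a real RP draws this at random for every login
	as, err := auth.GetAssertion("https://example.com", "example.com", chal)
	genuineOK = err == nil && rp.Verify("alice", chal, as) == nil
	// Phishing page: the browser derives the RP ID from the real origin, so the authenticator holds no matching passkey.
	_, err = auth.GetAssertion("https://example.com.evil.test", "example.com.evil.test", chal)
	phishOK = err == nil
	// Replay: the captured assertion is bound to the old challenge and is rejected.
	replayOK = rp.Verify("alice", "constructed-challenge-2", as) == nil
	return
}
```

Calling Demo() returns true, false, false: the genuine login verifies, the look-alike origin never obtains anything to relay, and the replay fails on the challenge. Whether the private key in the Authenticator map lives on one device or is synced by a password manager changes nothing in this flow; what changes is only who can hold a copy of that map, which is exactly the trust question the thread is debating.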

Your walled garden comment opened my eyes. I hate when I am forced to look for an Apple/Google or Microsoft device or app just to confirm my login on a “foreign” OS or machine. With the introduction of passkeys they are again trying to manage the complete authentication process of their userbase. They will probably make the export of passkeys as complicated as possible to keep their users under control. The open source nature of BW is a completely different approach and their newest acquisition shows that they want to promote passkeys everywhere. For me the biggest open issue is the lack of an identity provider in the BW system. The passkey securely identifies a human on a device - no matter who he/she is.

Maybe I misunderstood your comment, but wouldn’t the fact that only one person knows the master password and possesses the second factor for Bitwarden authentication guarantee the identity of the user? I suppose it would be a different situation if a passkey is used to log in to Bitwarden itself, too, but at least this would be a choice the user could make.

1 Like