Sorry if it’s a double, but I’m struggling to understand how the actual passkey implementation is safer than password + totp.
With passkeys, in the case where someone gains access to my vault, they can immediately login on a website that I have a stored passkey.
If in the place of a passkey, I have only the password stored, they could not login unless they also have my totp seed, witch stays in another app…
Am I missing something here or the actual implementation is not that safer, it just protects a little more from fishing and websites breachs?
Thanks in advance for your help,
I don’t think you are missing anything. Make sure your BW vault is super protected.
I see a difference between a passkey stored in BW and a passkey stored on a yubikey (with a PIN that wipes the key if you get the PIN wrong too many times).
I wouldn’t be suprised if websites (maybe called relying parties) start to differentiate between these 2 cases or if BW add a PIN to the passkey but that is only my thought.
I think any future changes should be led by the FIDO standard.
I don’t store TOTP secrets in BW, so I personally am not comfortable storing passkeys in BW, except for websites that actually allow 2FA additionally to passkeys.
For people who do, passkeys are better for the 2 reasons you said.
I heard on reddit that BW is considering putting in another PIN for passkey, but I can’t find the post.
For people using strong random passwords + security keys for BW, I can see the argument of storing both (TOTP secret, passkey) in BW for simplicity sake (backups, emergency access, etc.).
Thanks for all the insights. I’ll wait for the implementation to see how it works.
For now I’ll stay with regular password + totp…