Passkey security over password + totp

Hello,

Sorry if it’s a double, but I’m struggling to understand how the actual passkey implementation is safer than password + totp.

With passkeys, in the case where someone gains access to my vault, they can immediately log in to any website for which I have a stored passkey.

If, in place of a passkey, I have only the password stored, they could not log in unless they also had my TOTP seed, which stays in another app…

Am I missing something here, or is the actual implementation not that much safer? It just protects a little more against phishing and website breaches?

Thanks in advance for your help,

Best regards,
Marc
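The phishing point in the question is the one worth seeing concretely: a TOTP code carries no information about where it was typed, whereas a passkey assertion is built by the browser for one RP ID and one origin, and the site checks both. The script below is an added illustration, not code from this thread or from Bitwarden; the TOTP part follows RFC 4226/6238, while the passkey part is a deliberately simplified WebAuthn model (the vault is a dict keyed by RP ID, and an HMAC stands in for the credential's ECDSA signature). All seeds, keys and origins are constructed sample values.

```python
"""Added illustration: TOTP codes are site-agnostic, passkey assertions are origin-bound.
Simplified model: HMAC stands in for ECDSA, a dict stands in for the vault."""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse


# ---------- TOTP: RFC 6238 on top of the RFC 4226 HOTP core ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # Nothing in the code records where the user typed it: any page that captures
    # it inside the validity window can forward it to the real service.
    return hmac.compare_digest(totp(secret, unix_time), code)


# ---------- Passkey: simplified WebAuthn "get" ceremony ----------
def rp_id_for(origin: str) -> str:
    # Real browsers also allow a registrable suffix of the host; host-only here.
    return urlparse(origin).hostname


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def browser_get_assertion(vault: dict, origin: str, challenge: bytes):
    """The browser derives the RP ID from the page origin and only offers
    credentials registered for that RP ID, so a look-alike host gets nothing."""
    rp_id = rp_id_for(origin)
    cred = vault.get(rp_id)
    if cred is None:
        return None
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData: sha256(rpId) || flags (UP set) || 32-bit signature counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x01"
                 + struct.pack(">I", cred["counter"]))
    cred["counter"] += 1
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def rp_verify(registered_key: bytes, rp_id: str, expected_origin: str,
              challenge: bytes, assertion) -> bool:
    """The checks a relying party performs before accepting an assertion."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != b64url(challenge):
        return False                              # stale or replayed challenge
    if assertion["auth_data"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                              # signed for a different RP ID
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(registered_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Constructed scenario: the real site and a look-alike origin."""
    real, lookalike = "https://example.com", "https://examp1e.com"
    now, seed = 1_700_000_000, b"constructed-totp-seed"
    key = b"constructed-credential-key"
    vault = {"example.com": {"key": key, "counter": 0}}
    challenge = b"\x11" * 32

    code_typed_on_lookalike = totp(seed, now)
    phished_assertion = browser_get_assertion(vault, lookalike, challenge)
    genuine = browser_get_assertion(vault, real, challenge)
    return {
        "totp_code_accepted_by_real_site": verify_totp(seed, code_typed_on_lookalike, now),
        "lookalike_got_assertion": phished_assertion is not None,
        "genuine_assertion_verifies": rp_verify(key, "example.com", real, challenge, genuine),
        "replay_against_new_challenge": rp_verify(key, "example.com", real, b"\x22" * 32, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the question is about: the TOTP code the user typed on the look-alike is accepted by the real site, the look-alike never receives an assertion at all, and even a captured genuine assertion fails once the challenge changes. What the model does not change is the vault-compromise case Marc raises: whoever holds the vault can call `browser_get_assertion` for the real origin and succeed, which is exactly why the replies focus on protecting the vault itself.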

I don’t think you are missing anything. Make sure your BW vault is super protected.

I see a difference between a passkey stored in BW and a passkey stored on a yubikey (with a PIN that wipes the key if you get the PIN wrong too many times).

I wouldn’t be surprised if websites (maybe called relying parties) start to differentiate between these 2 cases or if BW adds a PIN to the passkey, but that is only my thought.
I think any future changes should be led by the FIDO standard.

I don’t store TOTP secrets in BW, so I personally am not comfortable storing passkeys in BW, except for websites that actually allow 2FA in addition to passkeys.

For people who do, passkeys are better for the 2 reasons you said.

I heard on reddit that BW is considering putting in another PIN for passkey, but I can’t find the post.

For people using strong random passwords + security keys for BW, I can see the argument for storing both (TOTP secret, passkey) in BW for simplicity’s sake (backups, emergency access, etc.).

Storing Passkeys | Bitwarden Help Center

Thanks for all the insights. I’ll wait for the implementation to see how it works.

For now I’ll stay with regular password + totp…