Passkey security over password + totp

Marc78 · November 25, 2023, 8:14pm

Hello,

Sorry if it’s a double, but I’m struggling to understand how the actual passkey implementation is safer than password + totp.

With passkeys, in the case where someone gains access to my vault, they can immediately login on a website that I have a stored passkey.

If in the place of a passkey, I have only the password stored, they could not login unless they also have my totp seed, witch stays in another app…

Am I missing something here or the actual implementation is not that safer, it just protects a little more from fishing and websites breachs?

Thanks in advance for your help,

Best regards,
Marc

DoctorB · November 26, 2023, 12:03am

I don’t think you are missing anything. Make sure your BW vault is super protected.

I see a difference between a passkey stored in BW and a passkey stored on a yubikey (with a PIN that wipes the key if you get the PIN wrong too many times).

I wouldn’t be suprised if websites (maybe called relying parties) start to differentiate between these 2 cases or if BW add a PIN to the passkey but that is only my thought.
I think any future changes should be led by the FIDO standard.

Neuron5569 · November 26, 2023, 7:38pm

I don’t store TOTP secrets in BW, so I personally am not comfortable storing passkeys in BW, except for websites that actually allow 2FA additionally to passkeys.

For people who do, passkeys are better for the 2 reasons you said.

I heard on reddit that BW is considering putting in another PIN for passkey, but I can’t find the post.

For people using strong random passwords + security keys for BW, I can see the argument of storing both (TOTP secret, passkey) in BW for simplicity sake (backups, emergency access, etc.).

Nail1684 · November 26, 2023, 9:07pm

→ Storing Passkeys | Bitwarden

Marc78 · November 29, 2023, 4:47pm

Thanks for all the insights. I’ll wait for the implementation to see how it works.

For now I’ll stay with regular password + totp…