I am continuing to fight with websites that allow you to configure Passkeys for logging in, but when you actually go to log in, there is no option to use the Passkey.
Google and several others (including this site) work perfectly. But others force you to use UN/PW logins. I have repeatedly deleted existing Passkeys, created new ones, but the problem persists. I have tried deleting all cookies from the browser, still no improvement.
Does anyone have any tips on ways to resolve this issue?
I know the Passkeys are there on both ends (password manager and website). In the websites I can see (in security settings) that it confirms I have Passkeys defined for my account.
I suspect that you would need to report to each website and hope that they will resolve the poor implementation.
I have one tip regarding eBay’s passkey on the web browser: once you create it, do not clear the cookies for eBay; otherwise, it won’t offer passkey as a login option. I suppose only the press or someone with influence mocking the website would have an effect.
Hopefully, this will improve over time.
P.S. Adobe’s website passkey implementation requires an OTP from your email before proceeding to verify with the passkey. So much for a quick but safe login.
That’s the frustrating thing - Passkeys are a great strategy but the way various websites implement them is inconsistent and “just enough” to say they support them.
CVS is another one; once you delete a Passkey on your end the website has no idea so it doesn’t give you the ability to create another one. Technical support is clueless, they don’t understand the problem much less really care to do anything about it, at least that’s my perception after numerous emails back and forth.
I really think the alliance who developed the Passkey standard should have to certify every website that wants to be able to claim that they support passkeys to ensure they meet the interoperability requirements. Otherwise it’s just a crapshoot.
CVS has the absolute worst implementation of a passkey I’ve seen yet. Not only does it not work on Android, but CVS only lets you create one. That’s it. It’s one and done and locked in forever. You cannot delete or see that it even exists.
Correct. That’s why websites that implement Passkeys correctly (such as Bitwarden and Google) give you delete buttons to delete them on their end so things stay in sync.
Google does not even have it quite right. The best passkey implementation substitutes for username, password and MFA. With Google, I still have to type my username.
Amazon is another one that gets “close”. They get the username and password from the passkey, but still prompt for MFA.
Unfortunately, they have decided “passkey” is a noun and not a trademark, so they lost their leverage.
You can log in to Google without a username. When you click on the email field, a link appears that allows you to log in with a passkey without entering your email address.
However, in my case, I have never been able to log in email-less using my passkey stored in Bitwarden (which is discoverable, btw); the browser always prompts me to use my security key when I click on Use a passkey.
This is why, when I log in to Google, I usually press Ctrl+Shift+L to autofill my email address and then I select my Bitwarden passkey for Google (it’s the fastest way for me, if I have my browser extension unlocked).