Troubleshooting sites that offer Passkey support but don't actually allow you to log in with them

I am continuing to fight with websites that allow you to configure Passkeys for logging in, but when you actually go to log in, there is no option to use the Passkey.

Google and several others (including this site) work perfectly. But others force you to use UN/PW logins. I have repeatedly deleted existing Passkeys, created new ones, but the problem persists. I have tried deleting all cookies from the browser, still no improvement.

Does anyone have any tips on ways to resolve this issue?

I know the Passkeys are there on both ends (password manager and website). In the websites I can see (in security settings) that it confirms I have Passkeys defined for my account.

2 Likes

Hello,

I suspect that you would need to report to each website and hope that they will resolve the poor implementation.

I have one tip regarding eBay’s passkey on the web browser: once you create it, do not clear the cookies for eBay; otherwise, it won’t offer passkey as a login option. I suppose only the press or someone with influence mocking the website would have an effect.

Hopefully, this will improve over time.

P.S. Adobe’s website passkey implementation requires an OTP from your email before proceeding to verify with the passkey. So much for a quick but safe login.

2 Likes

Yeah, I experienced that with eBay.

That’s the frustrating thing - Passkeys are a great strategy but the way various websites implement them are inconsistent and “just enough” to say they support them.

CVS is another one; once you delete a Passkey on your end the website has no idea so it doesn’t give you the ability to create another one. Technical support is clueless, they don’t understand the problem much less really care to do anything about it, at least that’s my perception after numerous emails back and forth.

I really think the alliance who developed the Passkey standard should have to certify every website that wants to be able to claim that they support passkeys to ensure they meet the interoperability requirements. Otherwise it’s just a crap shoot.

2 Likes

CVS has the absolute worst implementation of a passkey I’ve seen yet. Not only does it not work on Android, but CVS only lets you create one. That’s it. It’s one and done and locked in forever. You cannot delete or see that it even exists.

1 Like

If you delete a passkey on your end (= only one part of the passkey-“pair”), no service automatically get’s a notice of some kind of that…

Exactly my experience. Tech support, after many emails and phone calls comes back with an email instructing me to delete the Passkey from my device.

Swell.

1 Like

Correct. That’s why websites that implement Passkeys correctly (such as Bitwarden and Google) give you delete buttons to delete them on their end so things stay in sync.

2 Likes

Here is something I just got notice of a few days ago: Bitwarden doesn't recognize it has a passkey to offer to LinkedIn.com · Issue #7545 · bitwarden/clients · GitHub (“Greenderella” seems to be from Bitwarden)

Google does not even have it quite right. The best passkey implementation substitutes for username, password and mfa. With Google, I still have to type my username.

Amazon is another one that gets “close”. They get the username and password from the passkey, but still prompt for MFA.

Unfortunately, they have decided “passkey” is a noun and not a trademark, so they lost their leverage.

You can login to Google without a username. When you click on the email field, a link appears that allows you to login with a passkey without entering your email address:

However, in my case, I have never been able to login email-less using my passkey stored in bitwarden (which is discoverable, btw), the browser always prompts me to use my security key when I click on Use a passkey.

This is why, when I login to Google, I usually press Ctrl+Shift+L to autofill my email address and then I select my bitwarden passkey for Google (it’s the fastest way for me, if I have my browser extension unlocked).

1 Like

Yes. Edge will list the passkeys stored with Windows hello and options to use other devices. Firefox offers nothing.

That is my experience too. Hoping that MS’s forthcoming 3rd party support for passkey storage will make the pop-up menu work with Bitwarden.

2 Likes