Proton Pass now supports passkeys on all devices and plans: Beating Bitwarden to mobile devices

Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.

Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.

They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.

I’m still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I’m also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.

Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!

See proton.me/blog/proton-pass-passkeys


Norgur,
@Norgur@fedia.io

Vaultwarden is completely in my hands though

danie10,
@danie10@lemmy.ml

True, just hope they eventually get passkeys for mobile.

sugar_in_your_tea,

If you’re on Android, you could probably use the Firefox extension.

danie10,
@danie10@lemmy.ml

Just like the Bitwarden app on Android, the Proton Pass one sits in the background to help with auto-fill on any browser form, irrespective of which browser it is.

d3Xt3r, (edited)

all devices

Lies, there’s no Linux app yet. As usual, Proton Inc continues to treat Linux users as third-class citizens, all whilst claiming they care about privacy and security.

Edit: They don’t even have a macOS app yet lol.

danie10,
@danie10@lemmy.ml

I’m using the browser add-on in Linux across all my browsers. I do have the Bitwarden app for Linux, but to be honest I never open it as it is a pain to have to open a separate app, and then copy and paste. Isn’t it just more seamless to let it replace the browser password manager on Linux? If I want to tidy up my Bitwarden vault, I also do that in the browser.

d3Xt3r, (edited)

Passwords are used in more places than just browsers though. If there wasn’t any need for a dedicated app, why did they bother making one for Windows?

But personally, I dislike Bitwarden as well. I prefer KeePassXC instead, as it works fully offline and I don’t need to depend on a cloud-based provider (or spin up a server). The best part about KeePassXC is that it supports auto-typing credentials, so you don’t need to copy-paste - and it works across a multitude of apps, such as remote desktop / terminal sessions.

BassTurd,

I have the app and the browser extension. I usually open the extension and copy from there rather than use the app for things outside of the browser. It’s just quicker.

SmoothLiquidation,

This is what I do as well. I always have Firefox running and can easily search the extension for whatever password I need and it is just as easy to copy from there as opening another tool.

That being said the iOS app is great for when I am away from my laptop.

fishpen0,

Devops here. I use the 1Password cli constantly to feed auth tokens and passwords and identity overrides into other shell commands. I’d lose my shit if I had to keep opening my browser to login to all my various workflows. The CLI even integrates with biometrics so my hands never leave the keyboard

jelloeater85,
@jelloeater85@lemmy.world

Have you used KeePassXC or Bitwarden? Just curious.

fishpen0,

Yes. My personal vault is Bitwarden and my work vault is 1Password. It’s actually nice they are separate so I have a hard mental context switch. If I want to do something to my personal services, it’s a different set of commands to inject my tokens than my work ones and not something easier to leave on like an env var to target a different profile

jelloeater85,
@jelloeater85@lemmy.world

Ah, nice! Yeah, I have a separate KeePassXC on my work Mac, so the ones on my Linux desktop never touch. I do sync my general Obsidian notebook back and forth which is nice. Client specific notes stay separate due to NDAs. It’s easier having two separate devices with a KVM.

jelloeater85,
@jelloeater85@lemmy.world

I tried their mail app, it’s Electron garbage. I love all their other stuff tho.

TBH KeePassXC + Syncthing is superior in every way.

Manmoth,

They will have to rip Bitwarden (soon Vaultwarden) from my cold dead hands.

danie10,
@danie10@lemmy.ml

True, it is good, but they need to speed up on passkeys for mobile as many do use mobile devices and what’s the point of having passkeys on desktop.

TurkeyFX,

When are they changing their name? I didn’t even know

Manmoth,

They aren’t. Vaultwarden is the selfhosted version.

DingoBilly,

The real question is why the fuck is this guy paying for two password managers if not more, especially if he isn’t even using one?

nyakojiru,
@nyakojiru@lemmy.dbzer0.com

Everyone should downvote ads type post if you want to keep the community clean.

aesthelete,

Passkeys seem like mtls…so much so that I’m not sure what the difference is.

danie10,
@danie10@lemmy.ml

There is a difference but right now as long as one uses a good password with a 2FA it is probably good enough. Too many services with passkeys are still quickly offering password resets via e-mail or text, so they, as sites, are not secure. And unless you can move your passkeys with you, like you can with passwords, you don’t want to get locked into a single device or OS.

Ithral,
@Ithral@lemmy.blahaj.zone

MTLS is for transport layer security, not authentication security. This is closer to those RSA keys where there is an RSA server keeping track of all the fobs that can be queried to figure out what number they are currently showing. Acting as a something you have factor of authentication, proving you are who you say you are.

aesthelete,

MTLS is also used for authentication security in some cases.

FrostKing,

Can I get an explanation on what exactly passkeys are? I already use bitwarden for passwords, is there any good reason to switch to passkeys if that works for me?

danie10,
@danie10@lemmy.ml

Not really, right now as the password resets all undermine passkeys for many sites. One day if/when passwords get replaced then there will be a need, but that is a long way off probably. A good random password along with any 2FA is really good enough for most cases, and Bitwarden already does that very well along with even random e-mail addresses.

EarMaster,

Passkeys are a form of passwordless authentication. You store them in Bitwarden like regular passwords, but when you want to access a site that supports them (e.g. eBay), instead of asking for your password and autofilling or copy-pasting it from Bitwarden, your Bitwarden pops up and asks you if you want to log in, and it just happens (if you have multiple passkeys associated with a site you can select which you want to use). That’s it. No password fields which get autofilled and no password in your clipboard (history).

slumberlust,

Sounds a lot like SSO no?

EarMaster,

It is a similar experience, but you don’t need any infrastructure for it. Everything is handled by your device.

FrostKing,

Thanks for the explanation. From the sound of it I’ll probably stick with passwords—i like being able to copy them, cause I’m often signing in to an application, not a website, etc.

EarMaster,

That’s a reasonable decision. While passkeys are usually considered much safer than passwords they are not really common. It is mostly the big services (Google, Microsoft, eBay) which have implemented them. Also Bitwarden only supports them on desktop as they are currently working on mobile support. But this will change and as they follow a standard it will be no problem to log into apps with passkeys as the support widens.

victorz,

How do I create a passkey with Proton Pass then? I don’t see that option when pressing the big Plus button.

danie10,
@danie10@lemmy.ml

It is the same for Bitwarden. What I noticed is if I go to a site with passkeys, then Bitwarden prompts me with a pop-up asking whether I want to add a passkey. It’s not something you manually add, apparently.

victorz,

Thanks, buddy! 🙏

IdleSheep,
@IdleSheep@lemmy.blahaj.zone

If the site you’re using supports passkeys, it should have an option in your account settings somewhere to create one. When you do, proton pass (or whatever other password manager) will prompt you to save that passkey. You can’t manually create one in Proton pass, it has to be the website requesting to save one.

victorz,

Oh I see! So essentially it’s like creating a separate key pair for each login/site? Or will I be able to reuse the same public key/passkey for many different sites once it’s created?

IdleSheep,
@IdleSheep@lemmy.blahaj.zone

The first, each account gets its own passkey.

victorz,

Ah okay, thanks a bunch!

Greensauce,

Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!

1Password has had this for several months.

As others have mentioned, Bitwarden also has this. This really feels like an ad.

danie10,
@danie10@lemmy.ml

Thanks I did not know that. I see they say share via the vault, but don’t specifically mention exporting, as in to a file for importing elsewhere outside 1Password. But certainly LastPass, Bitwarden and others I’d looked at were not exporting the passkeys.

set_secret,

i looked at it and it literally says passkeys aren’t supported on Android right now. so this is bullshit.

Greensauce,

Looks like they are just rolling out support for Android 14 and up.

blog.1password.com/save-use-passkeys-android/

set_secret,

sry my comment was not clear i meant proton.

Swarfega,

Bitwarden only works on the desktop with a browser extension. So as much as I have Passkeys in Bitwarden they are not usable on my phone :(

slumberlust,

Agreed. Saying PP four times in two sentences triggers my ad sense. Capitalism never capitulates.

kattenluik,

I don’t see a way where this isn’t an ad, especially with the end and it’s frustrating.

Defaced,

I really really like proton pass, was using Google password manager prior but I primarily use Firefox and Firefox’s password syncing is just bad. Proton pass has been a surprisingly reliable password manager.

danie10,
@danie10@lemmy.ml

It does seem to have innovated quite quickly. I’m still using Bitwarden as I have the paid access to biometrics etc, and it has a nice tweak also to add unique e-mails for every login, etc. But I’m interested to see where Proton Pass will be in another few months, seeing I’m already paying for their service, and maybe I can consolidate my expenses a bit. I actually got drawn into paid Proton by leaving ExpressVPN, which I needed for Netflix, and then found Proton (with one or two others) were the only ones handling Netflix’s geofencing quite well. Looking at options is always good.

rjek,

This reads achingly like an advert pretending to be a social media post. Bitwarden works fine for third party passkeys on every site I’ve used it on, ta - and I can self-host it.

danie10,
@danie10@lemmy.ml

But you seem to have missed the heading of the post? Bitwarden still (after many months) has not rolled out passkeys to mobile devices. That was actually the point of the post, and Bitwarden needs to start innovating a bit faster as others are overtaking in regard to passkeys. So, you can’t be using Bitwarden for your passkey logins on mobile?

victorz,

I hear Bitwarden is redoing its mobile app, so maybe with that redesign will come some passkey support. 🤷‍♂️🤞

deweydecibel,

Why are you trying to frame this as a race? The vast majority of users don’t care about passkeys yet.

The point of the post is completely irrelevant because Bitwarden already announced they’re implementing this in the next release of the app already.

danie10,
@danie10@lemmy.ml

It’s not a race and I would not even start to use passkeys until I know they can move with me across devices and OSs. Also, most sites that do offer passkeys, still offer highly insecure password resets which really undermines the security that passkeys should offer. I waited a long time for Bitwarden to start with passkeys, and they were going to be the answer to fully portable passkeys (I’ve been waiting so that I know my passkeys will work across all my devices and OSs). Now I’m waiting for mobile implementation before I can get going. I do hope they will also be offering exporting of passkeys, like you can currently export your passwords to other services.

lorkano,

Bitwarden has only not done it because their Android and iOS apps are using Xamarin, which prevents this implementation at its current version, so they have to rewrite the app first. It’s not a matter of “they have to start innovating”. It’s a technical problem that takes time to solve.

danie10,
@danie10@lemmy.ml

Ah thanks for explaining that. It just makes it then difficult to fully move to passkeys with Bitwarden, which is why I’ve been waiting so long, and why I never stayed using Google or Apple’s passkeys.

almightyGreek,

I get “This device does not support passkeys” on Sony Xperia 1 V running android 14

hornedfiend, (edited)

Does it beat Bitwarden though? Bitwarden has supported at least 2 services for me using passkeys, one of which is Google.

I might be misunderstanding this,but it doesn’t seem like proton beat anyone to anything.

Edit for info: bitwarden.com/passwordless-passkeys/

DesolateMood,

They’re talking about the fact that Bitwarden doesn’t support passkeys on mobile

hornedfiend,

Right, yeah, that’s true for mobile indeed.

Sad that these sort of features are paywalled.

capital,

Why shouldn’t these features require money?

It’s $10 per YEAR. This is an extremely reasonable price given the importance of the service.

Bitwarden employees need to eat too.

lorkano,

It’s not paywalled. It’s not yet implemented in mobile bitwarden apps. It probably won’t be paywalled once implemented because it’s not paywalled in extension where it’s already implemented

capital, (edited)

2FA is a paid feature in Bitwarden. That’s the feature we were talking about.

Edit: fuck me for explaining myself

DesolateMood,

You’re getting downvoted because that, in fact, isn’t the feature we were talking about.

2FA and passkeys are different

TheEntity,

I’d be perfectly okay with them just charging for Bitwarden, period. Instead they pretend it’s free but charge premium for all the most effective security features, including 2FA to their own services. Effectively it creates a group of people that use Bitwarden without access to these security features but complacent enough to not seek alternatives that would offer these features at a price acceptable for them (possibly free, like KeePassXC).

Bottom line: security shouldn’t be a premium feature. It should be either available or not at all. Never as a premium within the service.

hedgehog,

For logging in, Bitwarden supports TOTP, email, and FIDO2 WebAuthn on the free plan. It only adds Yubikey OTP and Duo support at the paid tier, and WebAuthn is superior to both of those methods. This is an improvement that they made fairly recently - back in September 2023.

The other features that the free plan lacks are:

  • the 1 GB of integrated, encrypted file storage. This is a convenience that is nice to have, but not essential to a password manager.
  • the integrated TOTP generator. This is a convenience that many argue is actually a security downgrade (under the “putting all your eggs in one basket” argument).
  • Upgraded vault health reports - free users get username data breach reports but not weak / reused password reports. This is the main area where your criticism is valid, but as far as I know free competitors don’t offer this feature, either. I looked at KeePassXC and didn’t see this mentioned.
  • Emergency access (basically a trusted contact who can access your vault under some circumstances). This isn’t essential, either, and the mechanisms they add to ensure security of it cost money to provide.
  • Priority support - free users get 24/7 support by email, which should be good enough

TheEntity,

I wasn’t aware they added WebAuthn to the free plan recently. That’s great to hear, thanks for the correction!

capital,

I disagree.

Simply adopting the use of their free service (or any password manager, sans 2FA) is an upgrade in terms of personal security. That’s moving in the right direction from memorized (and let’s be honest, that means using the same or a small list of similar passwords) passwords everywhere.

The existence of alternatives that include 2FA at no cost works against your point IMO. But that also comes at a cost - KeePass requires that you manage your own sync and backup.

danie10, (edited)
@danie10@lemmy.ml

The point of the post was that Proton Pass is beating Bitwarden right now to having passkeys for mobile (Bitwarden has still not released that), and Proton Pass can actually export passkeys which Bitwarden does not do, so they are improving. I would not say though they are better all round than Bitwarden. I pay for both but am still evaluating the rest of Proton Pass vs Bitwarden especially around tweaks in options. But Proton is showing some innovation and momentum, while Bitwarden is slowing a bit. For those already using Proton they will likely find Proton Pass good enough to use right now.

phoneymouse,

Has anyone used pass keys? I have been hesitant to try them out. Using them, do they basically keep you logged in all the time to a given site?

danie10,
@danie10@lemmy.ml

I use passkeys for some sites, but have been reluctant to go all in until I’m sure all my devices can support them. I’m not always going to have my desktop with me, and likewise my phone’s battery can be flat, etc. I’ve always wanted passkeys to first sync across all my devices, and ideally to be exportable and brought into a different service. Right now you can export your 900+ passwords, and import them into a different service if you want to move. You can’t do that with Apple or Google passkeys.

diggit,

I’ve had them since 1Password beta. They do not change the duration of a session unless the service opts to. In the case of google they ask me to log in more often, presumably because there’s less friction, so why not?

OfficerBribe,

Only for a test, I do not see myself switching to passkeys any time soon, using KeePass is fine in my use case. If there would be some site for which I would need to authenticate every day I would probably create a passkey on device itself (Windows Hello or Google Password manager) since authentication speed increase is undeniable.

Only authentication method changes, there should be no difference after you sign-in, how long sign-in is kept still depends on site owner.

There are various sites to test authentication experience, here’s one where you can test it with dummy account and no registration webauthn.io. It is pretty cool, but you need to create a passkey for every site on all devices to fully utilize their potential.

irotsoma,
@irotsoma@lemmy.world

I don’t like passkeys yet because they’re implemented poorly on most platforms, IMHO, because they replace two factors with one. Some don’t let you also turn on two factor auth at all which is dumb, but the ones that do then often only have options that use your device as a factor either through text or email. So if the passkey is your phone and you add text messages as the 2 factor option, that’s still your phone. Or if your passkey is your laptop and you’re logged into your email on the laptop, it’s just one.

EncryptKeeper,

Passkeys are 2FA

Refract,

Could either you or @phoneymouse explain this for me? If all that’s required to log in using a passkey is access to a single device/provider (e.g. Proton Pass in this case) how does it replace 2FA?

hedgehog,

For an authentication flow to qualify as two factor authentication, a user must verify at least two factors - and each must be from the following list:

  • something they know, like a password
  • something they have, like a phone or security key
  • something they are - fingerprints, facial recognition (like FaceID), iris scans, etc…

Passkeys require you to verify a password or authenticate with biometrics. That’s one factor. The second factor is having the passkey itself, as well as the device it’s on.

If you login to your password manager on your phone and use your fingerprint to auth, that’s two factors right there.

irotsoma,
@irotsoma@lemmy.world

But authentication to access the passkey is on a remote device. So the server doesn’t have any information about if or how authentication was performed for the person to access the key. If they use a 4 digit pin or, worse, the 4 point pattern unlock, it’s easy enough to brute force on most devices.

This is also why using a password manager is not two factor authentication. It is one factor on your device and one factor on the server. But no one monitors the security logs on the device to detect brute force attacks and invalidate keys. Most don’t even wipe the device if the pin is being brute forced.

hedgehog,

None of what you’re saying has anything to do with whether an authentication flow is effectively implementing two-factor authentication.

The server doesn’t need to know details about which two factors you used. If you auth with a passkey and it knows that passkeys themselves require an additional factor to be used, then it knows that you’re using 2FA.

If they use a 4 digit pin or, worse, the 4 point pattern unlock, it’s easy enough to brute force on most devices.

This is true, but that doesn’t mean it doesn’t qualify as an authentication factor. Nobody should use a 4-6 digit PIN for their phone, but this is a matter of individual security preferences and risk tolerance. In a corporate setting, the corporation can set the minimum standard here in accordance with their own risk tolerance.

My password could be “password123” and it would still be one factor.

irotsoma,
@irotsoma@lemmy.world

I’m not saying it doesn’t count as authentication, it just doesn’t count as authentication to the security of the server directly. That’s the device’s security and configured by the user, not the server. And user devices are very prone to exploits to the point that many law enforcement agencies don’t even bother asking for a password anymore to access a device.

So, let’s move to a physical model as an example. Let’s say you have a door. It has a very simple door handle lock. You keep your key inside a hotel safe. Sure it might be difficult to get the key if they had to enter the hotel room, cut open the safe in place, and get the key while they’re standing in front of the secure door, exposed. But that’s dumb. They could just as easily grab the safe out of the room and open it later where there’s room for proper equipment, use a known exploit for the particular safe, or use other exploits all out of view of the door/server and at any time until the user realizes you know how to open their safe, because the door/server will never find out. Once that safe is open, you have not just the key to the door, but the key to all locks the user uses since now we only have “something you have” factors and the user uses only one device. Just like when we only had “something you know” factors and the user uses the same password everywhere.

So what does the passkey help with? It makes the lock and thus the key itself more complex. This makes it so that brute force attacks against the server are more difficult. But it doesn’t solve anything that existing TOTP over text messages didn’t solve, other than some complexity, and it eliminated the password (something you know) factor at the server. Something a lot of companies are already doing and we already know from experience is a bad practice. It has changed the hacking target to the device rather than the person. But still just one target, you don’t need both. Sure it’s better than a really bad password that’s reused everywhere. But it’s not better than a really good password unique to a site that’s only stored in a password manager on the user’s device that requires a separate master password to access (outside of MitM attacks that TOTP mitigates).

Now, what if we have a door with two locks, one that requires a code, and one that requires you to have access to a device. Now in order to attack the door, you need two factors right at the time you’re standing at the door. Also, there’s probably a camera at the door and someone paid to check it periodically when someone tries too many times, which isn’t the case in the user’s safe/device. So even if you get the key from the user, you still need to brute force the second lock efficiently or you need to implement a second exploit to get the second factor ahead of time. This is the idea of two factors at the server and the current state of things before passkeys.

hedgehog,

Getting physical access to users’ devices is more difficult than compromising their passwords, so in that sense, transitioning that one factor is a net improvement in terms of reducing the number of compromises for a given service.

Except for e2ee accounts, which I suspect Passkeys don’t support in the first place (at least, not without caching the password on your device), law enforcement can access your account’s data without ever needing your password. If you’re concerned about law enforcement breaking into your device and you’re not using a unique 16+ character passcode with it set to wipe the device after a certain number of attempts, that’s on you.

I’m not sure about the state of affairs on Android, but the most popular and powerful tool used by law enforcement to extract data from iOS devices only recently gained support for iOS 17 and it doesn’t have the ability to bypass passwords on a device that isn’t accepting FaceID; it just has the ability to brute force them. A password with sufficient entropy mitigates this attack. (It’s unclear if it’s able to bypass auth when FaceID is enabled, but I could see it going either way.)

You said a couple of things that I specifically want to address:

But it doesn’t solve anything that existing TOTP over text messages didn’t solve, other than some complexity, and it eliminated the password (something you know) factor at the server.

and

outside of MitM attacks that TOTP mitigates

Text-message based TOTP - or SMS 2FA - is incredibly vulnerable. In many cases, it can be compromised without the user even realizing. A user with a 4 digit PIN (even if that PIN is 1234) and a Passkey on their device is much less vulnerable than a user using SMS 2FA with a password used across multiple services.

If a user cares deeply about security, they likely already have a set of security keys (like the YubiKey 5C) that support U2F / WebAuthn, and they’ll add passkeys for their most sensitive services to those devices, protected by unique, high entropy PINs. This approach is more secure than using an equally high entropy password and U2F / WebAuthn if the latter isn’t secured with a PIN, since these devices are extremely secure and wipe their contents after 8 failed PIN attempts, but the password is transmitted to the server, which receives it in plaintext and stores it hashed, generally outside of a secure enclave, making the password vulnerable, e.g., if grabbed from server memory, or to a brute force attack on the hash if the server (which could be undetected and only involve read access to the db server), meaning a simple theft of the security key would be all that was needed to compromise the account (vs needing the PIN that is never transmitted anywhere).

And app-based TOTP doesn’t mitigate MITM at all. The only thing it does is add a timing component requirement, which current MITM phishing attacks have incorporated. To mitigate such an attack you need Passkeys, Webauthn, or U2F as an authentication factor. To bypass this the attackers need to compromise the service itself or a certificate authority, which is a much taller task.

The other thing is that we know most users reuse passwords and we know that sites will be compromised, so:

  • best case scenario, salted password hashes will be leaked
  • likely scenario, password hashes will be leaked,
  • and worst case scenario, plain text passwords will be leaked

and as a result, that user’s credentials for a different site will be exposed. For those users, Passkeys are a vast improvement over 1FA, because that vulnerability doesn’t exist.

Another factor is the increased visibility of Passkeys is resulting in more sites supporting them - U2F / Webauthn didn’t have great adoption. And getting these into the hands of more users, without requiring them to buy dedicated security keys, is a huge boost.

For the vast majority of users, passkeys are an improvement in security. For the few for whom they aren’t, those users likely know that, and they still benefit from increased adoption of a MITM immune authentication method, which they can choose on a site-by-site basis. And even they can benefit from increased security by storing passkeys on a security key.

dustyData,

That’s because it’s not 2FA, strictly speaking. The second factor is whatever the device uses to verify you. So, essentially:

You go to a webpage, then go to sign up. Instead of inputting a password, you just input some ID, like a username or email. The device generates a cryptographic handshake with the webpage and your ID. You don’t (can’t, unless you can memorize a string of thousands of letters and numbers and be really good at math with prime numbers) have to remember it.

Now, when you go to login to that page again, the device just remembers and exchanges the keys with the webpage for you. That is NOT 2FA. But, you can configure your device to require another verification (most do). So, when you go to login, then the device asks you to use your fingerprint, or a remembered PIN. Or whatever that confirms that the one handling the device is indeed you before sharing encryption keys with the webpage. This is sorta 2FA, but not really because the webpage is delegating the second factor to the same device actually doing the login. Which might be compromised altogether, but that already happens with most 2FA implementations.

If you go to a second device, and wish to login, then your second device will fallback to other 2FA versions, like sending a OTP to the verified email or phone, or asking you to verify on the one device that is already logged in.

EncryptKeeper,

A passkey that’s generated on any given device is tied to that device, and is never sent to the server you’re authenticating to. What’s sent instead is a time based challenge/response that functions similarly to TOTP except that it’s not based on a shared secret like TOTP is. Since the Passkey is both a file, and is tied to the device you generated it on, it satisfies the something you have factor. Then in order to use a Passkey to authenticate, you need to unlock access to it using either biometrics (something you are) or a PIN (something you know).

Now storing your passkeys in a password manager does muddy the process of it a bit. The “something you have” part is no longer a device, but the key file itself, which is still arguably “something you have” but it is to a degree less secure than keeping it tied to a device. But you can think of storing passkeys in a password manager similarly to storing your TOTP in your password manager. It’s a tradeoff.

I know that with 1Password, even if I authenticate to my vault using my master password, when I go to use any particular passkey, it still requires biometrics.

irotsoma,
@irotsoma@lemmy.world

Problem is that if the factor is not authenticated by the server, it doesn’t count. Not saying it’s not helpful, but it’s not part of the consideration when designing the security of the system.

The device can be attacked for an indefinite time and the server knows nothing about that. Or the device can disable that additional security either knowingly or maliciously and the server has no knowledge of that breach. So it’s still a single factor, “something you have” to the perspective of the server when considered security.

I’ve worked with healthcare data for decades and am currently a software architect, so while it’s not my specialty directly, it is something I’ve had to deal with a lot.
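The mechanics argued over in this sub-thread (EarMaster’s “it just happens” login, dustyData’s “cryptographic handshake”, EncryptKeeper’s challenge/response gated by a PIN or biometric, and irotsoma’s point about what the server does and does not get to see) can be made concrete. What follows is an added, self-contained simulation of the WebAuthn registration and login ceremony that passkeys use; it is not code from Proton, Bitwarden or any commenter, it uses only Go’s standard library, and the relying-party IDs, origins and the `requireUV` policy knob are illustrative choices. It models both sides: the authenticator (a device or a password manager) and the relying party (the site). Three things become visible in it. Each site gets its own P-256 key pair, and the site stores only the public half. The server hands out a random, single-use challenge and checks a signature over that challenge plus the origin the browser reports, which is what defeats a phishing proxy at another hostname. And the authenticator data carries a UV flag, so the server does learn whether the key was unlocked with a PIN or biometric and can refuse assertions that lack it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Authenticator-data flag bits (WebAuthn): UP = someone approved on the device,
// UV = the device also checked a PIN or biometric before signing.
const flagUP, flagUV = 1 << 0, 1 << 2

// Authenticator stands in for the passkey holder (device or password manager).
// One private key per relying-party ID, so nothing is shared between sites.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

// clientData is filled in by the browser from the page actually open, which is
// why a phishing proxy on another origin cannot forge the origin field.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion: AuthData = sha256(rpID) || flags || 4-byte counter; Signature is
// ES256, i.e. ECDSA over sha256(AuthData || sha256(ClientDataJSON)).
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

// Register makes a fresh key pair for rpID. The private key never leaves the
// authenticator; the public key is all the site ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// NewChallenge is the server-issued nonce: random and single use, not time based.
func NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert answers a login challenge for rpID from the page at origin; userVerified
// says whether the holder first unlocked the key with a PIN or biometric.
func (a *Authenticator) Assert(rpID, origin, challenge string, userVerified bool) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for this RP")
	}
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0) // counter left at 0, as synced passkeys do
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying-party side. Every check uses data the server holds or
// receives, including the UV flag reporting whether a local factor was used.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion, requireUV bool) error {
	var cd clientData
	if len(as.AuthData) < 37 || json.Unmarshal(as.ClientDataJSON, &cd) != nil {
		return errors.New("malformed assertion")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return errors.New("origin mismatch: signed for another site (phishing?)")
	}
	if rpHash := sha256.Sum256([]byte(rpID)); string(as.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another RP")
	}
	if flags := as.AuthData[32]; flags&flagUP == 0 || (requireUV && flags&flagUV == 0) {
		return errors.New("required user presence/verification not performed")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}
```

The signature counter bytes are left at zero here, which is what synced passkeys commonly report; a hardware key increments them on every use, and a server that stores the last value it saw can flag a cloned credential when the counter fails to increase. Which factors a site insists on is still the site’s decision: pass `requireUV=false` and a touch-only assertion is accepted, pass `true` and the server rejects anything the authenticator did not unlock with a PIN or biometric.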

phoneymouse,

I believe passkeys are supposed to replace 2FA and passwords. If you have a passkey, you’re not supposed to need 2FA.
