Wondering how many of you use passkeys? 

If so, have you ever experienced any issues with them? Maybe with synching or anything else? And what method of synching do you use?

I'm sure I'm late to the party with this, but I'm kind of wondering what the point is since companies still store your login details on their servers anyway. 

So yeah, passkeys are more secure when you use them, but to my knowledge, every time I've ever been compromised it's because hackers stole login details from the companies I do business with... that problem will still exist (for now) whether I use a passkey or not.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/

1 hour ago, Vectraat said:

companies still store your login details on their servers anyway.

You should read up on how (responsible) companies "store" your login details.

1 hour ago, Vectraat said:

hackers stole login details from the companies I do business with

Sounds like 25+ year old insecure credential storage.

 

 

Google, for example, does not hold a copy of your password at their end.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761517

1 hour ago, whispous said:

You should read up on how (responsible) companies "store" your login details.

Sounds like 25+ year old insecure credential storage.

 

 

Google, for example, does not hold a copy of your password at their end.

"Recent news in June 2025 has highlighted that 16 billion login credentials from various services, including Google, were leaked and compiled into datasets online, prompting cybersecurity experts to urge users to change their passwords on affected services, including Gmail. "
 

This isn't the first time that this has happened. I've had Google's password checkup tell me that I need to change 100+ passwords because they've been compromised. 

So, Google was hacked then? Because all of the passwords I use for my gmail accounts are specific to gmail; I don't reuse them for other sites/services. So how else would someone have gotten hold of them if not from Google?

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761540

7 hours ago, Vectraat said:

I'm sure I'm late to the party with this, but I'm kind of wondering what the point is since companies still store your login details on their servers anyway. 

To sign in to a service, by necessity that service needs to be able to verify your identity. And that means storing credentials in some form.

 

The question is how they are stored and how useful they are in the event of a leak. 

 

Ideally a service should at least store passwords in salted and hashed form. That makes attackers unable to get the actual password and also defeats techniques like rainbow tables.

 

Since you cannot typically present that hash to a service directly to sign in, having access to the hash shouldn't allow sign in. But it still means they now have access to a secret shared between you and that service.

 

Passkeys go a step further, by storing a private key on your machine and a public key on the server.

 

With passkeys no password is exchanged between you and the service. Instead the public key can be used to verify you own the private key without the private key ever having to leave your machine.

 

So there's effectively nothing for the service to leak. The public key is called public for a reason. There are virtually zero issues with it leaking.

 

If your private key is compromised (lost or stolen device) you can revoke that specific passkey rather than having to change a password.

 

So it's like a unique password per service per device and the password as such is never exchanged between you and the service you sign in to.

 

What isn't defeated is the service leaking private information like name, address, payment information and so on. The best you can do is provide each service with as little of that as is necessary to use it (and ideally a service should never ask for private data that isn't necessary for them to have in the first place).

Remember to either quote or @mention others, so they are notified of your reply

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761589
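
The difference between the two storage models described in the post above, as an added example that is not part of the thread: a Node.js sketch using only the built-in crypto module. It is a simplified model of the challenge-response idea, not the WebAuthn wire format; the function names, the sample password and the guess list are constructed for illustration.

```javascript
// Added example: what the server stores for a password vs. a passkey,
// and what each stored record is worth to someone holding a leaked copy.
const { scryptSync, randomBytes, timingSafeEqual,
        generateKeyPairSync, sign, verify } = require('node:crypto');

// Password: the server keeps a salt and a slow hash of a shared secret.
function enrollPassword(password) {
  const salt = randomBytes(16);
  return { salt, hash: scryptSync(password, salt, 32) };
}
function checkPassword(record, attempt) {
  return timingSafeEqual(scryptSync(attempt, record.salt, 32), record.hash);
}

// Passkey: the device keeps the private key, the server only the public key.
function enrollPasskey() {
  const { publicKey, privateKey } =
    generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
  return { device: { privateKey }, server: { publicKey } };
}
// The server sends a fresh random challenge per login; the device signs it.
function deviceSign(device, challenge) {
  return sign('sha256', challenge, device.privateKey);
}
function serverVerify(server, challenge, signature) {
  return verify('sha256', challenge, server.publicKey, signature);
}

// Constructed scenario: both server-side records have leaked.
function leakScenario() {
  const pw = enrollPassword('hunter2');   // constructed weak password
  const pk = enrollPasskey();
  // The salted hash can still be tested offline against guessed passwords.
  const guesses = ['123456', 'password', 'hunter2'];
  const cracked = guesses.find((g) => checkPassword(pw, g)) || null;

  const challenge = randomBytes(32);
  const signature = deviceSign(pk.device, challenge);
  const legit = serverVerify(pk.server, challenge, signature);
  // An old signature does not satisfy a new challenge.
  const replay = serverVerify(pk.server, randomBytes(32), signature);
  // The leaked public key cannot sign; a different private key fails to verify.
  const forged = serverVerify(pk.server, challenge,
    deviceSign(enrollPasskey().device, challenge));
  return { cracked, legit, replay, forged };
}

console.log(leakScenario());
```

The salted hash only resists guessing as well as the password behind it does, while the leaked public key gives nothing to guess at.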

6 hours ago, Vectraat said:

Recent news in June 2025 has highlighted that 16 billion login credentials from various services, including Google, were leaked and compiled into datasets online, prompting cybersecurity experts to urge users to change their passwords on affected services, including Gmail.

Check that story out some more - it's largely fake.

 

And phishing is a thing too.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761604

I'm wondering how you sign in to something if you lose your phone? My brokerage requires that I have their app installed on my phone in order to login via a web browser. I guess I have to call them and talk to someone to get in if my phone is ever lost or broken. Which, if that's the case, is always going to be the weakest link in security. I'm told social engineering a customer service rep isn't that hard.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761615

19 minutes ago, 20ReliableLights said:

I'm wondering how you sign in to something if you lose your phone? My brokerage requires that I have their app installed on my phone in order to login via a web browser. I guess I have to call them and talk to someone to get in if my phone is ever lost or broken. Which, if that's the case, is always going to be the weakest link in security. I'm told social engineering a customer service rep isn't that hard.

You can still sign in with a username/password from my understanding.

That's what I'm getting at with my post though... while a passkey is more secure, these companies still keep your username/password. So if they're hacked and they get your info, it's possible that it can be cracked... essentially making the whole passkey thing somewhat pointless.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761620

41 minutes ago, Vectraat said:

You can still sign in with a username/password from my understanding.

That's what I'm getting at with my post though... while a passkey is more secure, these companies still keep your username/password. So if they're hacked and they get your info, it's possible that it can be cracked... essentially making the whole passkey thing somewhat pointless.

Passkeys are designed to make the whole multi-factor authentication process less burdensome. It's become a nightmare of authenticator apps, confirmation e-mails and SMS with one-time-codes, so logging in takes longer and longer. Because in addition to there being a ton of people out there who don't use different passwords for different sites and password managers to suggest and store them all, many people also don't voluntarily use multi-factor authentication.

And now a word from our sponsor: 💩

ℑ𝔣 𝔶𝔬𝔲 𝔬𝔫𝔩𝔶 𝔫𝔬𝔱𝔦𝔠𝔢 𝔭𝔢𝔯𝔣𝔬𝔯𝔪𝔞𝔫𝔠𝔢 𝔭𝔯𝔬𝔟𝔩𝔢𝔪𝔰 𝔴𝔥𝔢𝔫 𝔶𝔬𝔲 𝔥𝔞𝔳𝔢 𝔞 𝔰𝔱𝔞𝔱 𝔠𝔬𝔲𝔫𝔱𝔢𝔯 𝔬𝔳𝔢𝔯𝔩𝔞𝔶 𝔞𝔠𝔱𝔦𝔳𝔢, 𝔶𝔬𝔲 𝔞𝔯𝔢 𝔪𝔢𝔯𝔢𝔩𝔶 𝔩𝔬𝔬𝔨𝔦𝔫𝔤 𝔣𝔬𝔯 𝔭𝔯𝔬𝔟𝔩𝔢𝔪𝔰 𝔱𝔬 𝔟𝔢 𝔲𝔭𝔰𝔢𝔱 𝔬𝔳𝔢𝔯. 𝔗𝔲𝔯𝔫 𝔬𝔣𝔣 𝔱𝔥𝔢 𝔠𝔬𝔲𝔫𝔱𝔢𝔯 𝔟𝔢𝔣𝔬𝔯𝔢 𝔞𝔰𝔨𝔦𝔫𝔤 𝔣𝔬𝔯 𝔥𝔢𝔩𝔭 𝔞𝔫𝔡 𝔰𝔢𝔢 𝔦𝔣 𝔶𝔬𝔲 𝔰𝔱𝔦𝔩𝔩 𝔫𝔬𝔱𝔦𝔠𝔢.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761629

2 hours ago, Vectraat said:

That's what I'm getting at with my post though... while a passkey is more secure, these companies still keep your username/password.

Losing that "backup" way of authentication would probably result in a lot more support calls. Besides, you need to authenticate yourself somehow to be able to generate a passkey in the first place. The way you word it sounds like a service shouldn't have access to the account you create with them.

 

As @Avocado Diaboli said, a passkey reduces friction, because you can cut down on the number of steps needed to sign in. It also reduces the number of times you need to enter and/or transmit your password, reducing the risk it's stolen in transit or during entry.

 

As I said above, the primary issue isn't even account credentials, as long as they are unique to that account, the issue is with a service leaking your private data. Having to change a password when it's leaked is inconvenient, sure, but much less trouble than changing your physical address.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761645

I use passkeys where I can and right now they seem to only be a convenience option for users and not a serious alternative to cred pairs. 

 

Every site that I have a passkey in also still lets me log in with my username + password. Many of them still make me do a TOTP anyways after supplying a passkey. Not all devices support passkeys and I still find myself needing to enter passwords on certain TV apps or oddball devices like an Android e-reader that I got recently.

 

I use Bitwarden exclusively for all passwords and passkeys. On devices where everything is supported, the experience is excellent and they all stay in sync. No matter what method I am using, the workflow is that I click on the login field and Bitwarden pops up offering to complete the login.

Intel 11700K - Gigabyte 3080 Ti- Gigabyte Z590 Aorus Pro - Sabrent Rocket NVME - Corsair 16GB DDR4

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761855

4 hours ago, jake9000 said:

I use Bitwarden exclusively for all passwords and passkeys. On devices where everything is supported, the experience is excellent and they all stay in sync. No matter what method I am using, the workflow is that I click on the login field and Bitwarden pops up offering to complete the login.

Do you prefer Bitwarden over Google Password Manager? Does Bitwarden work with a banking app? I don't think it would, but I'm curious. 

12 hours ago, Eigenvektor said:

As @Avocado Diaboli said, a passkey reduces friction, because you can cut down on the number of steps needed to sign in. It also reduces the number of times you need to enter and/or transmit your password, reducing the risk it's stolen in transit or during entry.

Yeah, I get the argument for passkeys and admittedly my logic is flawed, but for me I've just been too worn down over the years... being forced to learn about/adopt different login methods and what sites I need to use them for etc. It's made me not give a shit about adopting another login method (passkeys) even if it offers better security. Because as I said, the passkey method is still insufficient because the company stores your login information on their servers anyway and that information can be hacked. Sure, using a passkey is more convenient than 2FA/Texts/Emails etc., but it's about the same speed as using a traditional username/password that autocompletes. My argument is that I'll care when these tech companies come out with something better, but for now I wish Google/MS/Amazon/eBay etc. would stop pushing passkeys on me every time I try to use their services in some capacity. I'm pretty sure I'm not alone in feeling fed up like this.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16761976

5 hours ago, Vectraat said:

Do you prefer Bitwarden over Google Password Manager? Does Bitwarden work with a banking app? I don't think it would, but I'm curious. 

I also use Bitwarden, no experience with GPM though.

 

On mobile, my banking app allows me to sign in with a fingerprint. Can't use Bitwarden to auto-complete. Requires manual copy & paste between apps.

 

On desktop, I can use Bitwarden to auto-complete login credentials for online banking.

 

5 hours ago, Vectraat said:

I'm pretty sure I'm not alone in feeling fed up like this. 

No, you're not. Security and convenience have always been opposites to a degree. While I like to err on the side of security, having to sign in can feel very tedious in some cases. It gets extra annoying if you have proper credentials, but you still get blocked because you're coming from an unusual IP or something.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16762038

I like passkeys, kind of. But the tech just isn't there yet. Passkeys are hard to share between browsers, between users, and between devices. Vendors of passkey solutions like Apple and Google are just trying to use the tech to wall you into their ecosystem. Chrome passkeys only live in Chrome and Apple's passkeys only live on your Apple devices while also only really being usable in Safari or some native apps.

 

So if, like me, you use Firefox, share accounts with any family members, or move between operating systems then passkeys aren't really available.

 

Some websites like GitHub let you put your passkey on a YubiKey, which is cool, and I do it, but even sites that let you do that can sometimes fight you on it. Google, for example, let me put a passkey on my YubiKey but there's no obvious way to use it. So I just let 1Password fill my password and then use my TOTP token.

 

The tech is great, and maybe someday I'll be able to just plug in my YubiKey and basically use it for everything but that day is not today.

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16762674

On 7/5/2025 at 8:49 PM, Vectraat said:

"Recent news in June 2025 has highlighted that 16 billion login credentials from various services, including Google, were leaked and compiled into datasets online, prompting cybersecurity experts to urge users to change their passwords on affected services, including Gmail. "
 

This isn't the first time that this has happened. I've had Google's password checkup tell me that I need to change 100+ passwords because they've been compromised. 

So, Google was hacked then? Because all of the passwords I use for my gmail accounts are specific to gmail; I don't reuse them for other sites/services. So how else would someone have gotten hold of them if not from Google?

By login credentials, I suppose this means username and their HASHED passwords? If so, nothing to worry about. They still need to crack the hash which will probably take billions of years using modern computers and brute forcing.  

Sudo make me a sandwich 

Link to comment
https://linustechtips.com/topic/1617001-passkey-questions/#findComment-16763387