Passkeys

[Black_Mage]

Is there any chance this site will add Passkeys as a way to sign in? 

[OddOod]

My guess would be that it's deeply unlikely unless the platform (Invision Community) does. And they don't look like they're planning on doing so any time soon. 
Also, IIRC, passkeys are kind of a nightmare right now. Something about the RFC/whitepaper not being clear about specifics of implementation so every company is rolling their own flavor of it. 

[Gerowen]

I'm fine with username+password+otp because it all gets auto-filled by my password manager anyway.

[StDragon]

3 hours ago, Gerowen said:

I'm fine with username+password+otp because it all gets auto-filled by my password manager anyway.

You would need those credentials stored anyways.

Passkeys are either Synced in a secure fabric like Apple, Google, etc, or are Device Bound.

Device Bound are specific to the piece of hardware you're accessing from. They're vaulted to the TPM. While it makes access secure and convenient, if the device fails or BIOS cleared (thus clearing fTPM), you're shit out of luck unless you have your primary means of regaining access to the account; which would be the standard user/pass.

Synced Passkeys also are stored in the TPM, but they're not device specific only.

IMHO, just treat Passkeys as an added convenience and never a replacement for standard user/pass credentials.

[Gerowen]

1 minute ago, StDragon said:

You would need those credentials stored anyways.

Passkeys are either Synced in a secure fabric like Apple, Google, etc, or are Device Bound.

Device Bound are specific to the piece of hardware you're accessing from. They're vaulted to the TPM. While it makes access secure and convenient, if the device fails or BIOS cleared (thus clearing fTPM), you shit out of luck unless you have your primary means of regaining access to the account; which would be the standard user/pass.

Synced Passkeys also are stored in the TPM, but they're not device specific only.

IMHO, just treat Passkeys as an added convenience and never a replacement for standard user/pass credentials.

I've got several passkeys saved to my KeePass database as well.  I'm able to use them via the KeePassXC-Browser extension on desktop, or on mobile the "KeePassDX" mobile app is set as my passkey credential provider and works just fine, at least with all the ones I've created so far.  The one thing is that if you're using it on desktop, the option for passkeys is disabled by default in the browser extension and you have to go enable it.

[OhYou_]

the problem with passkeys is that you are shifting the risk factor over to account recovery and passkey resets. 
passkey it gets lost way too often. 
so now how do you securely verify the user to issue them a bypass and re-register? 

[StDragon]

6 hours ago, OhYou_ said:

the problem with passkeys is that you are shifting the risk factor over to account recovery and passkey resets. 
passkey it gets lost way too often. 
so now how do you securely verify the user to issue them a bypass and re-register? 

That's ostensibly the issue. Which is why the standard User/Pass will be the fallback method if not the primary (instead of Passkeys).

Passkeys are secure. But when they're lost or inaccessible, that's not a good place to be if needing to regain access to your account.

[benny001]

go watch the wan show and hear Luke and Linus's opinion on passkeys

[Black_Mage]

On 4/26/2026 at 9:30 AM, benny001 said:

go watch the wan show and hear Luke and Linus's opinion on passkeys

I listened to the show earlier today. What I got from what they said is that they are frustrated that Passkeys don't offer a consistent experience from site to site because the standard doesn't enforce something like biometrics. It's up to the company running the site. I don't remember hearing them flat out say they don't want to implement passkeys on their sites. 

[anothertealtiger]

Passkeys are the new gTLD. Oh these are cool and useful. Maybe rough right now but definitely a step in a better direction. What? Use it? Hell no! 

[Cactys12]

On 4/23/2026 at 9:01 PM, OddOod said:

My guess would be that it's deeply unlikely unless the platform (Invision Community) does. And they don't look like they're planning on doing so any time soon. 
Also, IIRC, passkeys are kind of a nightmare right now. Something about the RFC/whitepaper not being clear about specifics of implementation so every company is rolling their own flavor of it. 

Invision company only uses this for LTS, so I don't belive that any major new features will be added