Posted by ColinWright 6/30/2025
It's still 2 factors. Just with less hassle (and resulting in more security due to better UX).
0. Which Password manager(s)?
> just fine
1. Sync where and with whom?
2. And are you including or excluding export and/or import too?
You provide no evidence for your claims.
PKs are being used as 1 factor mechanisms. That's centralizing a whole lot of trust.
> You provide no evidence for your claims.
I don't think I'm interested in this conversation.
I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.
https://mobileidworld.com/apple-introduces-cross-platform-pa...
Absolutely. The problem with narrowly targeted security measures is they are a poor fit for nearly everything.
I'm typing this on my Firefox remote app. Everything is cached in it. It runs in a VM at home.
I suppose I am simulating having just one device.
> It actually sounds like the best way to use passkeys and still have control over them.
I belatedly recall that I tried to setup a Google passkey in a VM and was rebuffed. Google depends on Windows Hello for passkey presentation prompts - and Hello is disabled in an RDP session (ostensibly because facial rec won't be needed).
I poked at the problem for a while and couldn't find a workaround.
It is secure.
> it is not safe,
This is incorrect.
> it's fragile
This is incorrect. Many thousands of sessions over most of a decade all testify to to it's robustness and reliability.
> I understand avoiding unnecessary single points of failure is not for everyone.
That's an interesting segue.
Hm, so then i need one for my account and one for every device where i use this account
> and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them
i heard that the new "device's secure enclave" is the cloud.
The WebAuthn _also_ allows device-bound keys, but they are not "passkeys".
True. WebAuth is good fit for a login that's tied to a user - and that user only logs into it from their workstation and maybe a laptop. There are better options when more flexibility is needed.
Happily, there are enough secure options that my phones will always be authenticator-free.
That seems to be counter to everything else I've heard about it so far. If that was the case, exporting would be easy, yet many password managers have had open feature requests for some time (1y+?).
I don't know what the truth is, but if you're right, there's definitely a lot of misinformation about it. Far more than correct info IME.
What is missing is the standardized interchange format for exported passkeys.
For example,
And password managers like BitWarden only allow encrypted export, but the encryption key is specified by the user. So you can trivially decrypt the exported data if you want.
No batery, no authentication.
Why do i need an additional device ? A device controlled by another vendor.
This is literally the opposite of what Passkeys are.
All the Microsoft accounts in my Microsoft Authenticator broke when I restored onto the new iPhone. None of the non-Microsoft accounts stored in the same Authenticator app broke.
No, Microsoft, I don't trust you to manage passkeys for me.
Yes
You can just install Edge. From what I can tell, you don't even need to browse using Edge to use passwords.
If you don't use Microsoft Authenticator, nothing changes. If you do, probably because IT makes you, you've already seen the warnings about this.
And they don't expect me to have a different passkey per device, right? Otherwise I still need a password every time I login to a new device.
And so I'll still need a password/passkey manager that stores that.
Similar to a password there isn't a way to recover it if you forget it.
>And they don't expect me to have a different passkey per device, right?
You can have it show a QR code that you can scan with phone, using your phone as a passkey.
But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.
> You can have it show a QR code that you can scan with phone, using your phone as a passkey.
I can't keep my phone in my safe and still use my phone.
Okay, so don't put it in a safe. The key is stored securely in your phone.
No it's not, what if I drop my phone in the ocean. Sure in terms of encryption, secure storage and so on, it's securely stored. It's just no physically secured.
That's what concerns people. What happens if I lose my devices? What happens if I need to access an account which has been secured by a passkey, but I don't have any of my other devices, what do I do then?
If you lose access to your phone, click "forgot password" and recover your account through your email address, the same way you would if you'd forget the combination to your safe.
In Microsofts case they want to use passkeys for Outlook.com as well, so their advise on using an email as recovery makes no sense. Then you can use security questions, which honestly is possibly worse than username and password. The last option is via a linked phone number, which security experts also advise against.
My complaint about passkeys stand, without non-digital way of backing them up, as easy as writing a password on a post-it and stuffing it in your sock draw, it can see it being anything that a major hassle.
For some things, e.g. Github, Facebook and things of that nature, fine, go with passkeys. For your email account, may not.
I need an analogue way to get access to my accounts.
If my phone gets crunched, I should be able to go to a secondary device or secure sheet of paper and restore full access to my password safe/accounts. Nothing should be tied to one piece of hardware.
It's why I despise having to use proprietary TOTP like Symantec for banking. If my phone breaks, I have to go through a recovery process. If I could backup my TOTP with a normal app, it wouldn't be a problem.
I do not think that word means what I think you think that word means.
I do not want any kind of password that relies on my phone, because phones break and can get lost.
So basically this forces me to change from a password to a PIN and this is supposed to be more secure?
If you weren't synchronising your passwords through the Microsoft authenticator app, you won't be affected at all. If you were, Microsoft has decided to be annoying and make you install their browser to get password autofill support back.
Microsoft prefers synchronising passkeys between devices because passkeys are immune to credential stuffing attacks, but you don't have to do what Microsoft wants.
Not sure what it has to do with Microsoft, however, but then again, I would never use Microsoft's Authenticator.
Yes. I used an alphanumeric pin: my password. The main malware entry point is the web browser.
I'm glad I don't use Microsoft crap but use everything self hosted so I can decide for myself what I want.
I'm trialing Winauth for some remote-only users. So far I'm happy with having the authenticator on Windows desktop.
> What is sad about that?
Why does it make me sad? That's a good question. Insufficient respect for employees' personal domain. Non-optimal IT defaults.
- It sets up a scenario where the employee's personal device is
co-opted without their full, meaningful consent.
- It places work assets in a personal device.
- It introduces a scenario where a critical function takes place
outside of direct view and control of IT.
Lastly and speculatively, it places Microsoft software in their device
and Microsoft can't be trusted to keep it's hands to itself when it has
an opportunity to be creepy, grabby or slimy.
Examples:
Slimy: Injects Bing links into phone's context menu when Outlook
for Android app is installed.
Grabby: History of sharing personal data with 700+ partners.
Creepy: Relentlessly pushes CoPilot like horny drunk uncle pushes
sex innuendos.
MS Authenticator Sandbox analysis: https://www.virustotal.com/gui/file/c165ea4f2c399f474f068087...
https://kagi.com/search?q=How+is+Microsoft+like+a+creepy+unc...
The other reply had the productive answer with Yubikey.
Past that, I offer that it's the business's problem to solve.
As a career IT professional, I find it unprofessional to expect employees to cough up their personal devices because their employer is buying services from a trillion dollar mega corp who can't figure this out.
> I've never heard of a single small business that can afford to give work phones to their employees
Sure they can. Used cell ebay $30. They can keep it wherever they log in.
But correct poster is correct about Yubikey. For my part, I do Winauth most of the time and junk-drawer cell phones otherwise.
A YubiKey. Ideally replacing TOTP with U2F, but even doing TOTP on the YubiKey will address some of the GP's concerns.
It's about where I draw the line though.
It's a massive hydra and it's most dependable output is onerous requirements. And the more of those we heap upon light duty users, the more reasonable it becomes to circumvent them.
In this scenario Winauth is how we placate the unreasonable overlord.
There is an app in the iPhone App Store called "Microsoft Authenticator" - is that what this story is about or is there a Windows feature with a confusingly identical name?
And my absolutely favorite thing was when it itself came in the way of seeing the 2FA code for a modal entry and you had the option on the screen to hide the modal for 10 seconds in order to remember the number underneath…
See screenshot here: https://ibb.co/5Wh05rsd
The outlook app on my phone (and I can't use any other method because it has been disabled), frequently looses authentication and I stop getting notifications about calendar events, emails ..., missed several meetings and important emails because of this.
When trying to login on my desktop/laptop I get told to confirm using either outlook, MS authentication app. Guess what often I have been locked out on those as well, so now I have to go through the dance of logging in using a sms code instead. It's sometimes even worse, even on mobile I get told to confirm from my authentication app/outlook, where I'm just trying to log in.
Authentication request often only come through to my phone on the 3rd of 4th try. So now logging in to check my email suddenly takes 2 min, because I'm trying to get the popup in the app, it doesn't appear, I need to cancel the request, restart ...
Just like the 5S / SE before it, corporations just sort of stopped testing that screen size, which leads to dumb UI gaffes like that.
Another classic is button or menu text getting truncated. Spotify had that problem on the SE too.