We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
Passkeys are also weirdly complex for the end user too, you can’t just share passkey between your devices like you can with a password, there’s very little to no documentation about what you do if you lose access to the passkeys too.
Any of the multi-platform password managers that support pass keys will solve this.
You walk into the vault on every platform and your pass keys are magically shared between every platform you’re logged into.
In any system that I’ve used pass keys for (which is every system that supports them), you can go into the password section and delete devices/passkeys.
To regenerate new passkeys they either support it directly in the spot where you deleted it or you log out log back in with username password and 2FA and it asks you again if you want to set up a passkey. I’ve not run into anything else.
The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.
From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.
To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.
Interesting, maybe I’ll give it a try. I didn’t know they could just be synced between devices on bitwarden.
I think that passkeys are simple, but no-one explains what they do and don’t do in specific terms.
Someone compared it to generating private/public key pairs on each device you set up, which helps me a bit, but I recently set up a passkey on a new laptop when offered and it seemed to replace the option to use my phone as a passkey for the same site (which had worked), and was asking me to scan a QR code with my phone to set it up again.
So I don’t know what went on behind the scenes there at all.
Either you enroll a system that shares them between devices without the need for special interaction (password manager, iCloud etc) or you enroll each device separately into your account.
You can have more than one passkey for a service. This is a good thing.
Gotcha, that makes more sense when explained that way!