r/Passkeys

▲ 4 r/Passkeys+1 crossposts

passkey vs password

How does a passkey differ from a password?

Why is every site (seemingly) asking me to establish a passkey when I already have a password?

reddit.com
u/IDontStealBikes — 3 days ago
▲ 8 r/Passkeys+2 crossposts

New Sign In and Passkey Notification… But Then Nothing…

I was watching YouTube this morning, when I saw a Google Prompt YouTube Notification pop up that said my Google account had been signed into on a new device (an iPad I was unfamiliar with). Then I got another notification that said a passkey had been created.

I instantly jumped into action, tapped both notifications, but YouTube might’ve glitched, because it did not take me to a new screen after tapping both notifications (since I was already in the app maybe?) then I went to my Google account settings and saw… nothing… That’s right, no new passkeys, no new sign in’s and no evidence of the notifications I just received.

Regardless, I changed my password, I signed out of all devices, downloaded the Authenticator app, setup backup codes, turned on 2 step verification, the whole nine yards.

After doing this, I went back in to see if I could find ANY evidence at all of this sign in and passkey (checked other devices used, history, I only have one passkey that I created) and couldn’t find ANYTHING. Of course, I clicked the notifications expecting to be redirected to a “was this you?” page, but that never happened. I checked my email to see if there was any sign in alerts sent to my recovery email. Nothing.

What the heck happened? Is my account compromised? Any advice for me? Anything is helpful.

reddit.com
u/DarkOrbit253 — 2 days ago

Can Our Zoom Account Have Different Passkeys for Different Users?

We host recovery meetings nightly but the facilitators who lead the meetings are all different individuals and we're all having to log into one Zoom account which then triggers an email for a code to be entered. If each device creates their own passkey to log into our one Zoom user account will this allow the facilitators to log in and start/lead the meeting without triggering the MFA email for approval?

For context, our non profit only has one Zoom account to lead recovery meetings typically once a day for 1.5hrs.

reddit.com
u/CastimoniaGroup — 3 days ago

Can someone please help me with my Google pass key?

My Google pass key I went from a thumbprint pass key to a case ID and then back to the thumbprint. Now my pass key does not work at all. We will keep sending me to the same site and I've done all the steps to try to deactivate the old pass key but it doesn't work. Does anyone have any thoughts on how I can reset my passkey beyond the basic? Looked in security tab and and delete it but the tab should lead is not there

reddit.com
u/Revolutionary_Lie346 — 3 days ago

How do I use a Passkey that is stored in my password manager?

I have a passkey for a particular site stored in my password manager but when trying to log into the site, there’s no way I can see to use that stored passkey. What am I doing wrong?

reddit.com
u/No-Sherbet2876 — 5 days ago

Is it just me, or is the WebAuthn / Passkey spec an over-engineered nightmare to implement from scratch?

I’ve spent the last week trying to roll native Passkey support into our database/auth schema without pulling in a massive external provider. I thought it would be a simple browser API call, but holy crap. Decoding the attestationObject from raw binary array buffers, parsing CBOR payload maps in Node, extracting the raw COSE public key format, and mapping the credential IDs safely to a SQL schema, it feels like you need a PhD in cryptography just to let a user touch their FaceID.

Has anyone successfully built a lightweight, pure TypeScript handler for this without exploding their client-side bundle or relying on a bloated third-party library? How are you handling fallback when a device drops cross-platform WebAuthn support?

reddit.com
u/IterateFast — 9 days ago

An oversimplified explanation of Passkeys

For a while now, I've been looking on YouTube for a video that explained passkeys to the average user, but they all go into technical mumbo jumbo.

I found a video titled "Passkeys Explained (so even a kid could understand")

But then he started talking about Cryptography and public and privates keys. The average user doesn't care.

So I came up with an analogy that I think gets the point across without any using technical mumbo jumbo.

https://preview.redd.it/0ur4l1x2y89h1.png?width=800&format=png&auto=webp&s=999a49586f294384e5dce6894a6684f2be4ee288

Imagine one of those heart necklaces that breaks into two matching pieces. One person keeps one half, and the other person keeps the other half.

With passkeys, the website has one half, and you have the other half.

If the website gets hacked and someone steals its half, that stolen piece is useless by itself. It cannot unlock your account without your matching half. This particular heart necklace is one of a kind; there is only one in existence.

Another important part is that each website gets its own special necklace.

The heart necklace for your bank is not the same heart necklace used for your email. The heart necklace for your email is not the same heart necklace used for your shopping account.

So if one website gets hacked and someone steals that website’s half of the heart, they cannot take that piece and use it on another website. It would not match anything there.

That is very different from passwords. If you reuse the same password on more than one website, and one of those websites gets hacked, a hacker may try that same password on your email, bank, shopping accounts, and other websites.

With passkeys, each website has its own one-of-a-kind match. Stealing one website’s half does not give the hacker a master key to your other accounts.

Your half of the necklace has to be stored somewhere.

It might be stored on your phone, tablet, computer, or a password manager that can sync it between all your devices. You can also use a security key as a backup.

A security key is a small physical device that you keep with you, kind of like a house key, car key, or flash drive. A recommended security key is listed at the end of the article.

I would not usually recommend a security key as the first option for the average person. For most people, it is easier to use their phone, computer, or a password manager that can sync passkeys between their devices.

A security key is more like a spare key you keep in a safe place, just in case you lose access to your other devices or your password manager.

Some security keys plug into your computer. Some plug into your phone or tablet. Some do not plug in at all and instead get tapped against your device.

The idea is simple: a security key can hold another passkey for the same website.

Think of it like creating a second one-of-a-kind heart necklace for the same account. One necklace could be paired with your password manager, while another necklace could be paired with your security key.

That means the website has more than one matching half on file. One half matches the passkey in your password manager. Another half matches the passkey stored on your security key.

So, if you lose access to your phone, computer, or password manager, you would still be able to log in using the passkey stored on your security key.

A passkey does not automatically exist on every device you own. It lives wherever you save it.

If your half is stored on one device, then that device is the one that has the matching piece.

For example, if you create the passkey on your Windows computer and it is only saved to that computer, your iPhone does not automatically have that same half. If you create it on your iPhone and it only stays on that iPhone, your Android phone does not automatically have it either.

That is where password managers come in.

A password manager can act like a protected jewelry box for your passkeys. Instead of your half of the necklace being locked to only one device, the password manager can securely sync that half to your other approved devices.

For example, Apple Passwords and iCloud Keychain can sync passkeys between your Apple devices. Google Password Manager can sync passkeys with your Google account.

But password managers such as 1Password and Bitwarden can sync passkeys between everything: your phones, tablets, and computers.

Now, you might ask: “What happens if I lose access to the device that has my passkey?”

That depends on where your passkey was saved and what recovery options the website gives you.

If your passkey was synced through a password manager, you may be able to sign in from another device that has access to that same password manager. For example, if your passkey is saved in iCloud Keychain, Google Password Manager, 1Password, or Bitwarden, another approved device may still have access to it.

If your passkey was saved only on one phone, computer, or security key, and you lose that device, then you may not have your half of the necklace anymore.

In that case, you would usually need to use the website’s backup login or account recovery options.

A lot of websites that support passkeys still let you fall back to your regular password. So if you lose access to your passkey, the site may still let you log in with your password, a code sent to your email, a text message, a recovery code, or some other account recovery process.

That is convenient, but it is also important to understand: if the website still allows password login, then your password still matters.

Passkeys are safer than passwords, but if your account still has a password as a backup, you should still use a strong, unique password and turn on two-factor authentication if the website offers it.

This is why it is a good idea to have more than one safe way back into important accounts. For example, you might keep your passkey in a syncing password manager, add a second trusted device, save recovery codes somewhere safe, or set up a backup security key.

A passkey is very secure, but just like a real key, you need a backup plan in case you lose access to it.

Now, you might ask: “What stops a hacker from copying my half of the necklace?”

That’s the important part: your half is protected. It is not something you type in, and it is not something the website gets to keep.

Think of your half as being locked inside a tiny safe on your phone, computer, security key, or password manager. That safe only opens when you approve it with your fingerprint, face, PIN, or device password.

When you log in, the website does not need to see your half. It only needs proof that your half matches its half.

Your actual half is not handed over to the website.

This is different from a password. With a password, you type the secret into the website. If you type it into a fake website, the hacker now has it.

With a passkey, you are not typing your secret into the website. Your device is proving you have the matching half without giving the half away.

This also helps protect you from fake websites, because your device checks that it is talking to the real website before it proves your half matches.

Now, could someone use your passkey if they stole your device, got into your password manager, or somehow unlocked the safe that holds your half? Yes, that is why your device password, PIN, fingerprint, face unlock, and password manager security still matter.

But a hacker cannot just steal your passkey from the website or trick you into typing it into a fake page like they can with a password.

That is why passkeys are safer than passwords. The two matching pieces have to come together, like two lovebirds who were once separated and are finally reunited.

------------------

A popular security key is called a YubiKey. You can purchase them online, including from Amazon. I recently purchased two of them myself.

YubiKeys come in different versions. Some plug into a standard USB-A port, which is the older rectangle-shaped USB port found on many computers. Others plug into USB-C ports, which are found on many newer computers, phones, and tablets.

Some YubiKeys can also work with phones or tablets using NFC, which is where you tap the key against the device instead of plugging it in.

If your computer or phone does not have the right type of port, you may need an adapter, such as a USB-C to USB-A adapter.

Yubikey Regular USB version https://a.co/d/0h7Omhd9
Yubikey USB C version https://a.co/d/03rMnQR3
USB  adaptershttps://a.co/d/02adGKWP

reddit.com
u/warwagon1979 — 12 days ago

Passkey-Based Encryption

Im working on a webapp and I'd like to be able to encrypt the data at rest. So this is what I'm doing...

I added the ability to use passkeys to derive a password for the encryption key.

Support for passkeys is still a bit flaky between devices. My phone is fairly modern but passkeys psuedo random function doesn't work. I considered in such a case to simply not offer passkey encryption, instead i decided to fallback to to using the credentialsID+HKDF as the password.

To have mechanism around recovery, I decided to use a crypto-random string as the password which would itself be encrypted by using the passkey-derived password.

I was aiming for a seamless passwordless authentication for the use. You can try the demo here: https://enkrypted.chat

reddit.com
u/Accurate-Screen8774 — 12 days ago

Password and Passkey set up

I think I come up with a password / password setup that I like and feel its reasonably secure.

  1. I use a password manager that is cross platform. I want the flexibility to change platform from Android to Apple, Windows to Mac to Linux to ChromeSO, etc. Websites are store in the password manager.
  2. All site will use 2FA if possible. I prefer TOTP overr SMS. If passkey is available,then I would add that to the password entry.
  3. I protect the password manager with hardware keys. I used 3 keys.
  4. Critical sites like login to financial sites and other important account are store in the hardware key if possible. The idea is that even if they break into the password vault, they still can't login.

One reason I like using the password manager is because I can backup the vault. Storing the passkey a hardware key or a phone is a bit of a pain if you lose the device. I would need to login using the backup key, add the new key and then remove the old key. This is ok if it's one or two site, but if you have 100+ passkey then it's a real pain.

reddit.com
u/paulsiu — 12 days ago
▲ 2 r/Passkeys+1 crossposts

Passkeys completely broken

I've already tried other tips and guides on how to fix this and I have contacted Roblox support with almost no help really as they keep believing I'm locked out of my account. This seems to only be an issue with my phone (moto g power 5G 2024) as when I try using passkeys on my laptop it works just fine.

I have way too many accounts that I would prefer not to lose access to I use them mainly with my siblings on other games. I really hope someone has a solution since I can't use my laptop all the time since it can barely run a game on Roblox already and having to go through possibly 50 accounts would be hell.

I will be happy to try anything and give more information if needed!

u/iLOOOOVEmining — 12 days ago