Passkeys – Under the Hood

Non-resident vs. resident keys / passkeys

  • Non-resident WebAuthn/U2F keys derive per-site keypairs from a single secret using a server-stored handle; the token stays nearly stateless, can support “unlimited” sites, and leaks no info about where it’s used.
  • Resident keys (“discoverable credentials” / passkeys) must store per-site entries on the authenticator to enable username-less login, creating capacity limits (dozens to a few hundred slots) and potential privacy issues (authenticator can be queried for whether an account exists for a domain).
  • Several commenters argue passkeys are a downgrade vs. strong unique passwords + hardware 2FA, especially when sites drop non-resident WebAuthn support.

Security vs. usability trade-offs

  • For users with weak or reused passwords, passkeys are seen as a major upgrade (phishing resistance, no password leaks).
  • For security-conscious users already using hardware keys and password managers, passkeys can reduce flexibility or security (single factor, syncable, limited attestation).
  • Some note you can prevent account enumeration with non-resident keys by sending dummy handles, so “need passwords first” is not strictly true.

Hardware tokens vs. synced passkeys

  • Hardware keys: strong isolation, attestation, physical presence, PINs, good fit for regulated / high-value environments; but cost, key-loss risk, user key management, and limited resident storage are real problems.
  • Passkeys on phones/secure enclaves with cloud sync are seen as the only scalable option for the general population; most users won’t manage separate tokens or backups.
  • Concern that FIDO/WebAuthn work is increasingly optimized for platform passkeys, making roaming hardware authenticators second-class.

Ecosystem fragmentation & UX

  • Browser and OS support is inconsistent (e.g., Firefox mobile, Chrome flags, UA sniffing); some sites mishandle WebAuthn, restrict roaming keys, or misuse UX flows.
  • Password managers increasingly support passkeys (desktop and mobile), but integration and flows (e.g., prompts, autofill, fallback to browser) are still rough.
  • Explaining basic “use your face/fingerprint to log in” is easy; explaining recovery, cross-platform moves, and when passwords are still required is seen as hard and under-specified.

Attestation and control

  • Hardware tokens provide strong attestation; some regulated sectors depend on it.
  • Major platform passkey implementations have disabled or limited attestation for synced credentials, frustrating those use cases.
  • Others argue lack of attestation is beneficial for user freedom and against DRM-like control, highlighting a fundamental tension between enterprise control and user autonomy.