Passkeys – Under the Hood
Non-resident vs. resident keys / passkeys
- Non-resident WebAuthn/U2F keys derive per-site keypairs from a single secret using a server-stored handle; the token stays nearly stateless, can support “unlimited” sites, and leaks no info about where it’s used.
- Resident keys (“discoverable credentials” / passkeys) must store per-site entries on the authenticator to enable username-less login, creating capacity limits (dozens to a few hundred slots) and potential privacy issues (authenticator can be queried for whether an account exists for a domain).
- Several commenters argue passkeys are a downgrade vs. strong unique passwords + hardware 2FA, especially when sites drop non-resident WebAuthn support.
Security vs. usability trade-offs
- For users with weak or reused passwords, passkeys are seen as a major upgrade (phishing resistance, no password leaks).
- For security-conscious users already using hardware keys and password managers, passkeys can reduce flexibility or security (single factor, syncable, limited attestation).
- Some note you can prevent account enumeration with non-resident keys by sending dummy handles, so “need passwords first” is not strictly true.
Hardware tokens vs. synced passkeys
- Hardware keys: strong isolation, attestation, physical presence, PINs, good fit for regulated / high-value environments; but cost, key-loss risk, user key management, and limited resident storage are real problems.
- Passkeys on phones/secure enclaves with cloud sync are seen as the only scalable option for the general population; most users won’t manage separate tokens or backups.
- Concern that FIDO/WebAuthn work is increasingly optimized for platform passkeys, making roaming hardware authenticators second-class.
Ecosystem fragmentation & UX
- Browser and OS support is inconsistent (e.g., Firefox mobile, Chrome flags, UA sniffing); some sites mishandle WebAuthn, restrict roaming keys, or misuse UX flows.
- Password managers increasingly support passkeys (desktop and mobile), but integration and flows (e.g., prompts, autofill, fallback to browser) are still rough.
- Explaining basic “use your face/fingerprint to log in” is easy; explaining recovery, cross-platform moves, and when passwords are still required is seen as hard and under-specified.
Attestation and control
- Hardware tokens provide strong attestation; some regulated sectors depend on it.
- Major platform passkey implementations have disabled or limited attestation for synced credentials, frustrating those use cases.
- Others argue lack of attestation is beneficial for user freedom and against DRM-like control, highlighting a fundamental tension between enterprise control and user autonomy.