Passkeys: They're not perfect but they're getting better

Perceived security benefits

  • Passkeys are praised for being:
    • Phishing-resistant, via strict binding to a specific domain.
    • Unique per site, avoiding credential reuse across breaches.
    • Non-extractable in normal flows, unlike passwords that can be copied.
  • Compared to passwords + SMS/TOTP 2FA, they remove common weak points like SMS codes and reused/guessable passwords.
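The domain binding behind the first point is enforced on the relying-party side when it verifies an assertion. The following Python example is added here and is not code from the original discussion; it assumes a hypothetical relying party with RP ID `example.com`, constructs stand-in `clientDataJSON` and `authenticatorData` values inline, and omits signature verification to focus on the origin and RP ID checks.

```python
import hashlib
import json

# Values assumed for this example (hypothetical relying party).
EXPECTED_RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def make_client_data(origin: str, challenge: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces."""
    return json.dumps({"type": ceremony, "challenge": challenge, "origin": origin}).encode()

def make_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4).
    A browser only lets a page use an rpId within its own registrable domain,
    so a look-alike site cannot obtain an assertion hashed over example.com."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def verify_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: str,
                   rp_id: str = EXPECTED_RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks that give passkeys their phishing resistance.
    Signature verification over authData || SHA-256(clientDataJSON) is omitted."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match expected RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"

def demo():
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; random per login in practice
    legit = verify_binding(make_client_data("https://example.com", challenge),
                           make_authenticator_data("example.com", 7), challenge)
    # Look-alike domain: the browser scopes the rpId to that site's own domain,
    # so both the origin and the rpIdHash fail to match the real relying party.
    phish = verify_binding(make_client_data("https://example.com.evil.test", challenge),
                           make_authenticator_data("example.com.evil.test", 7), challenge)
    return legit, phish

if __name__ == "__main__":
    print(demo())
```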

Password managers vs passkeys

  • Some argue that modern password managers with URL-matching autofill already provide strong phishing protection and good UX.
  • For “power users” with unique, long passwords and 2FA, passkeys are seen as only a marginal improvement.
  • Others note that passkeys’ main win is forcing everyone into a password-manager-like model without requiring users to understand password hygiene.

Device loss, backup, and portability

  • Losing a device (or just not having it handy) is a major concern; users fear “losing their fingerprints.”
  • People want:
    • Multiple passkeys per account and easy registration of new devices.
    • Reliable backup and recovery that doesn’t secretly depend on a single cloud vendor.
  • Current import/export between ecosystems (Apple/Google/Chrome/Bitwarden/etc.) is immature or opaque; some fear being stuck if they ever want to switch.

Vendor lock-in, attestation, and user control

  • Strong criticism of FIDO Alliance and big tech for:
    • Pushing device attestation that could let websites refuse certain passkey providers (e.g., open-source managers, non-attested devices).
    • Discouraging plaintext export, which critics see as undermining user freedom and enabling lock-in.
  • Defenders say plaintext export is dangerous and encrypted backup/transfer should be the norm.

Usability and real-world deployments

  • Non-technical users struggle with confusing OS/browser flows, hidden options to use non-default managers, and surprise migrations (e.g., shared Amazon accounts on Apple devices).
  • Good implementations (e.g., a simple “choose passkey → you’re in” flow) are rare but cited as the desired model.

Threat model limitations

  • Passkeys don’t protect against a fully compromised device: malware can hijack sessions or wait for reauthentication prompts.
  • Critics call parts of the TPM/device-bound story “security theater” layered on top of a power grab; supporters respond that hardware binding is still valuable defense-in-depth.