Passkeys are just passwords that require a password manager

You reset your passkey the same way you reset your password. But you’ll find that passkeys make it harder to switch between password managers, because you can’t copy and paste a passkey.

Dan Fabulich

Passkeys are randomly generated passwords that are required to be managed by a password manager. All the major password managers support them, including Apple, Google, Microsoft, Mozilla, and 1Password.

Passkeys can be public/private keypairs, or they can just be secret passwords. (WebAuthn passkeys were designed by committee, so there’s always more than one way to do it.)

Password managers provide no way for you to copy and paste your passkeys. To present a passkey, you have to use a password manager. This provides some anti-phishing protection. A passkey includes metadata, including the site/app that created it, and the password managers simply won’t provide the passkey to the wrong site/app. There’s no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy.
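The scoping rule in the previous paragraph can be shown concretely. The following is an added example, not code from the original post: a toy passkey manager that stores each credential together with the relying-party ID that created it, releases it only to an origin that belongs to that relying party, and a toy site that checks the returned rpIdHash and origin before accepting the assertion. The names (PasskeyManager, RelyingParty, rp_id_allowed_for_origin) and the sample sites are constructed for the example, and an HMAC over a per-credential secret stands in for the private-key signature a real passkey produces.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class StoredPasskey:
    credential_id: bytes
    rp_id: str      # site that created the passkey; the manager never releases it elsewhere
    secret: bytes   # constructed stand-in for the private key (real passkeys use an asymmetric key)


def rp_id_allowed_for_origin(origin: str, rp_id: str) -> bool:
    """A request scoped to rp_id is honoured only from an https origin whose host
    is rp_id or a subdomain of it (WebAuthn's registrable-domain-suffix rule)."""
    parsed = urlparse(origin)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return host == rp_id or host.endswith("." + rp_id)


class PasskeyManager:
    """Toy password manager: passkeys are looked up by relying-party ID, never by name."""

    def __init__(self):
        self._store = {}

    def create(self, rp_id: str) -> StoredPasskey:
        cred = StoredPasskey(secrets.token_bytes(16), rp_id, secrets.token_bytes(32))
        self._store[cred.credential_id] = cred
        return cred

    def get_assertion(self, origin: str, rp_id: str, challenge: str):
        # Refuse a lookalike site that asks for another site's passkey.
        if not rp_id_allowed_for_origin(origin, rp_id):
            raise PermissionError(f"{origin} may not request passkeys scoped to {rp_id}")
        matches = [c for c in self._store.values() if c.rp_id == rp_id]
        if not matches:
            raise LookupError(f"no passkey stored for {rp_id}")
        cred = matches[0]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        # authenticatorData layout: rpIdHash (32 bytes) | flags (UP|UV) | signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(cred.secret, signed, hashlib.sha256).digest()
        return cred.credential_id, auth_data, client_data, sig


class RelyingParty:
    """Toy site: accepts an assertion only for its own rpId, origins and live challenge."""

    def __init__(self, rp_id: str, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self.registered = {}        # credential_id -> secret (stand-in for the public key)
        self._challenges = set()

    def register(self, cred: StoredPasskey):
        self.registered[cred.credential_id] = cred.secret

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._challenges.add(challenge)
        return challenge

    def verify(self, credential_id, auth_data, client_data, sig) -> bool:
        secret = self.registered.get(credential_id)
        if secret is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._challenges:
            return False
        if cd.get("origin") not in self.allowed_origins:
            return False
        if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self._challenges.discard(cd["challenge"])   # one use per challenge
        return True


def demo() -> dict:
    """Genuine login succeeds; a lookalike origin and an unrelated site get nothing;
    a replayed assertion is rejected by the site."""
    manager = PasskeyManager()
    rp = RelyingParty("example.com", ["https://example.com", "https://login.example.com"])
    rp.register(manager.create("example.com"))
    results = {}
    challenge = rp.new_challenge()
    results["genuine"] = rp.verify(*manager.get_assertion("https://login.example.com", "example.com", challenge))
    try:
        manager.get_assertion("https://example.com.evil.test", "example.com", rp.new_challenge())
        results["lookalike"] = "released"
    except PermissionError:
        results["lookalike"] = "refused"
    try:
        manager.get_assertion("https://evil.test", "evil.test", rp.new_challenge())
        results["other_site"] = "released"
    except LookupError:
        results["other_site"] = "refused"
    results["replay"] = rp.verify(*manager.get_assertion("https://login.example.com", "example.com", challenge))
    return results
```

The point of the two checks is that the passkey is bound to a relying-party ID on both ends: the manager will not even release it to an origin outside that domain, and the site will not accept an assertion whose rpIdHash or origin points elsewhere, so there is nothing for a user to paste into the wrong place.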

A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you log in, but the site/app has no way of knowing/proving whether that happened; it just gets the password.

You reset your passkey the same way you reset your password

Some sites make it easy to reset your password, some make it hard. You know the drill; there’s nothing new or different there.

If your site/app is comfortable letting users reset their password with a simple “forgot my password” email, then you can also send users a “lost my passkey” email to reset their passkey.

Email providers and banks don’t use simple “forgot my password” emails. The “forgot my password” flow for Google/Gmail can involve a bunch of factors, including backup email addresses, backup recovery codes, recovery contacts, SMS, and push notifications to other apps you’ve logged into. (Google doesn’t document all of the factors they consider, and neither do any of the other major email providers.) Banks with branch offices can ask you to present photo ID, your bank card, your written signature, and your fingerprint on ink.
