Passkeys are just passwords that require a password manager
You reset your passkey the same way you reset your password. But you’ll find that passkeys make it harder to switch between password managers, because you can’t copy and paste a passkey.
Dan Fabulich
Passkeys are randomly generated passwords that are required to be managed by a password manager. All the major password managers support them, including Apple, Google, Microsoft, Mozilla, and 1Password.
Passkeys can be public/private keypairs, or they can just be secret passwords. (WebAuthn passkeys were designed by committee, so there’s always more than one way to do it.)
Password managers provide no way for you to copy and paste your passkeys. To present a passkey, you have to use a password manager. This provides some anti-phishing protection. A passkey includes metadata, including the site/app that created it, and the password managers simply won’t provide the passkey to the wrong site/app. There’s no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy.
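The site check described above, sketched as an added example (not code from this post or from any real password manager). The vault entries, function names and `.test` domains are constructed for illustration, and the plain suffix match simplifies what browsers actually do.

```javascript
// Toy password-manager vault. Each stored passkey records the rpId
// (the site identifier) it was created for. All entries are constructed.
const vault = [
  { rpId: "example-bank.test", user: "alice", credentialId: "cred-1" },
  { rpId: "mail.test", user: "alice", credentialId: "cred-2" },
];

// True when the requesting page's host is the rpId itself or a subdomain of it.
// Simplification: real browsers also consult the Public Suffix List.
function originMatchesRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // unparseable origin: release nothing
  }
  // WebAuthn requires a secure context (localhost aside).
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  // The leading dot matters: "notexample-bank.test" must not match.
  return host === id || host.endsWith("." + id);
}

// What the manager is willing to offer to the page asking for a login.
function passkeysFor(origin) {
  return vault.filter((pk) => originMatchesRpId(origin, pk.rpId));
}

// Constructed origins: the real site, a subdomain of it, and two lookalikes.
for (const origin of [
  "https://example-bank.test",
  "https://login.example-bank.test",
  "https://example-bank.test.evil.test",
  "https://notexample-bank.test",
]) {
  const ids = passkeysFor(origin).map((pk) => pk.credentialId);
  console.log(origin, "->", ids.length ? ids.join(", ") : "nothing offered");
}
```

The user is never asked to judge whether a domain looks right; a lookalike origin simply gets an empty list.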
A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you log in, but the site/app has no way of knowing/proving whether that happened; they just get the password.
You reset your passkey the same way you reset your password
Some sites make it easy to reset your password, some make it hard. You know the drill; there’s nothing new or different there.
If your site/app is comfortable with a simple “forgot my password” email to let users reset their password, then you can also send users a “lost my passkey” email to reset their passkey.
Email providers and banks don’t use simple “forgot my password” emails. The “forgot my password” flow for Google/Gmail can involve a bunch of factors, including backup email addresses, backup recovery codes, recovery contacts, SMS, and push notifications to other apps you’ve logged into. (Google doesn’t document all of the factors they consider, and neither do any of the other major email providers.) Banks with branch offices can ask you to present photo ID, your bank card, your written signature, and your fingerprint in ink.
Whether you make it easy or hard to reset your password/passkey, resetting your passkey works exactly the same as resetting your password.
And if your site/app doesn’t have a “forgot my password” process, you don’t need one for passkeys, either. (But, surely you have something in place…? Even Yubikeys/SSH/PGP private keys can be lost.)
Passkeys make it harder to switch password managers, because you can’t copy and paste them
The password managers are designed not to let you copy and paste a passkey, including from Google’s password manager to Apple’s password manager.
I think all the password managers kinda like that lock-in. There’s something good and bad about it.
(Apple and Google have agreed to use a “Credential Exchange Protocol” in the future to support transferring passkeys from one password manager to another, but that’s just vaporware for now in 2025.)
Instead, password managers recommend that sites/apps allow each user to have multiple passkeys. Sites/apps may or may not actually allow that, but, for now, that’s the only way to be sure a given user can log in with both Google’s password manager and Apple’s password manager: give each password manager its own passkey for each site.
If you’re happy with your password manager, there’s no real need to switch to passkeys, but even very “sophisticated” password users have been known to fall prey to social-engineered phishing attacks.
Are you sure you’re never going to copy-and-paste your password into the wrong hands? I don’t trust myself that much.