We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won’t that solve these issues?
My thoughts exactly. I use Bitwarden and passkeys sync flawlessly between my devices. Password managers tied to a a device or ecosystem are stupid and people shouldn’t use them. This is true whether you use passwords or passkeys.
That said, we cannot blame users for bad UX that some platforms and some devs provide.
Isn’t your password manager tied to an ecosystem with Bitwarden ?
I’m surprised people trust third parties to hold their passwords.
Wasn’t there multiple password managers that got powned over the years ?
If you can sync Passwords you are also more exposed than some unhandy secure local password storage.
I can use bitwarden on Windows, Linux, Mac, iOS, Android, on desktop app or using CLI. That’s a stark difference in comparison with built in Microsoft or Apple keychains. And yes, I trust Bitwarden.
Pretty much only LastPass
Bitwarden is not usable on Linux desktop, keeps asking for password. The password can’t be too short, so it takes some time to type it in. I turn off my computer when it’s not needed, so I would just need to type in the password when I turn it on again.
Anyone have a better solution?
Is “keeps asking for the password” the definition of “unusable on Linux”?
I have zero issue using this on Linux fwiw; yes, I am asked for password again on BW when I reboot/start my system. That is not inconvenient to me.
You could use your
to unlock the app instead of the password
A better solution is to disable vault lock. It is very much usable (mostly talking about browser extension).
Not in all situations. And in a way a user will not be aware of. The service or website can define what type of passkey is allowed (based in attestation). You may not be able to acutally use your “movable” keys because someone else decided so. You will not notice this until you actually face such a service. And when that happens, you can be sure that the average user will not understand what ia going on. Not all passkeys are equal, but that fact is hidden from the user.
It does*.
However when I’m trying to login with a passkey in my mobile browser, Bitwarden prompt isn’t showing up. I don’t know what’s wrong.
If you’re using Android it’s more than likely just an OS issue. I have had a lot of issues on my phone trying to use passkeys let alone just the password manager.
One of many reasons I hate android. In my experience the integration with technology: late and poorly polished, early and kneecapped, initially available then removed, or non-existent.
I think its partly the fragmentation in the Android community and mostly Google’s influence.
I’ve found on my android phone that the bitwarden prompt comes up more reliably if I tap on the password field instead of the username field.
This might be true, but I’m talking about passkeys, that never work :(
That’s weird, it works for me. Is there something you need to click on the mobile site?
What’s your browser-Bitwarden setup?
The same flow works for me on desktop (firefox+bw plugin).
I remain hopeful. Initially, when Keypass wanted to include a simple export option there was talk of banning them from using Passkeys.