
It's way simpler than you think. You reset your passkey the same way you'd reset your password.

So, how do you reset your password when you forget it? Well, it depends.

Some apps/sites just send you a password reset email. Apps/sites like those would reset your passkey the same way: they'd send you a passkey reset email, you'd click the link in the email, and they'd let you regenerate your passkey then and there.

Some apps/sites try to do something cleverer, e.g. requiring additional factors to reset (MFA), or appointing a "trusted contact" user who can confirm your password reset, or asking "security questions" that only you know the answer to. Those apps/sites would put you through the same process to reset your passkey.

"How do I reset my password when I forget it" is an infamous balancing act between user friendliness and strict security. The "reset my passkey" problem is exactly as hard, no easier and no harder, as the "reset my password" problem.

(Of course, it's possible to have a site that has no way to reset your password, and just assumes that you'll never forget your password. Similarly, those sites could have no way to reset your passkey. In that case, the problem is as you say: there'd be no way to recover your keys if you lost access to them.)



> So, how do you reset your password when you forget it? Well, it depends.

But I don't! I can write a password down in any number of low- and high-tech ways! I have them printed on paper in a safe deposit box (my wife is bad with passwords, so this is a safety net if I should perish :)), I have them in a password manager on USB sticks at home in a safe, I have them copied on my NAS and laptop, and so on.

Whereas passkeys, from everywhere I read, seem to be far more fragile, far more locked in to a specific perishable hardware device and a specific vendor ecosystem, with very limited or no ways to handle passkeys in a low-tech way or as a file/artifact to be backed up. Basically they assume I live on and with my phone.

To put it bluntly:

Passwords are something I can use if I show up naked at a stranger's house. They can be with me in and through an emergency (physical emergencies exist! Computer geeks forget about those!). Or more commonly, I can use them to check my email or comms if I forget my phone at a friend's house.

Passkeys are... strictly worse?


You can do this with Passkeys. You can write your Passkey down on a post-it, or memorize it and cross the border with it, or anything you want.

This thread has urged me to write a post clarifying some of the misconceptions I always see:

https://www.stavros.io/posts/clearing-up-some-passkeys-misco...


That was helpful, but there's a difference between "possible" and "feasible in practice for the vast majority of users". E.g., you can theoretically develop your own passkey device as you say, but that doesn't mean most people can.

I'm not sure I really prefer passkeys less than passwords but I do think some of the "misconceptions" aren't really misconceptions, but realistic concerns about what happens in practice. It might be better to be up front about these than dismissive, because that's where the problems in practice develop.


But you don't need most people to develop their own Passkey device any more than you need most people to make a phone.

A company will make it, vote with your wallet and buy the one that suits you.

I'm looking forward to BitWarden supporting Passkeys, for example, as that's my preferred way of using them.


If I have an iPhone, Mac, Windows PC, and Android Tablet I want to know and talk about what I can do with Passkeys, not what could theoretically be done. After all, I'm not looking at Passkeys for an academic exercise. I'm actually looking to see how feasible it is for me to use Passkeys to replace my passwords today.

If that means "install BitWarden on all of your devices. The devices will work with it and you can backup/export your key locally" that's fantastic, I'd love to see a guide on how to get that going on all of my devices. However, if that means "according to the standards, something like a BitWarden could do what you want it to do, if they built it, allowed export, and the devices all allowed integration. Alternatively, you replace your devices with ones that do." then I really don't care what the theory says could be done, Passkeys cannot actually replace my use of passwords at the moment.


That's up to you, but "that isn't possible yet with this two-month-old technology" is very different from "that isn't possible".


Well, that's my point. People are referring to what is possible today but your "misconceptions" are responses to what could be possible in the future.


Well, I disagree. People aren't saying "I want to use this today and can't because X is missing", they're saying "I'm opposed to this technology because X will never be possible", when it will be.

Look at this comment, as the first example I found:

https://news.ycombinator.com/item?id=36237683

It basically says "Passkeys = USB keys", which is wrong. If you don't like the tradeoffs that specific authenticator makes, use another passkey authenticator type.

"Passkeys are strictly less secure" is just objectively wrong.


While I do agree that thread is different, it'd make sense to reply to that thread about it instead of this one.


I don't think it is different. I mostly see people dismissing Passkeys as a technology because of X or Y thing that "they don't do", when that's either a mistaken assumption, or something they don't do right now.


Mistaken assumptions, sure. What "mostly" people do maybe, it depends on those conversations. What Passkeys might do in the future is irrelevant to whether it makes sense for people to be dismissing them now, though, and confusing/frustrating to read about in these kinds of threads (maybe not other threads).

Today, you can seamlessly sync your passwords, export them, and utilize auto-fill integration across the aforementioned devices. Not "it could be possible based on the design if the manufacturers and apps wanted to do it", it is possible.

Today, it is not possible to do the same on those devices using Passkeys. That's not the same as claiming "it's guaranteed to forever be impossible because of the inherent design of Passkeys", and reading every conversation as such could well be the source of why the misconceptions seem so common. There is little to no guarantee from any of these manufacturers that it will ever be possible either, so predicating the conclusion on that possibility of change definitely occurring isn't sensible. Again, not because the Passkey spec can't; the devices/implementations may just not want to. Remember, the spec doesn't require that devices and implementations allow it to happen, it just accommodates the possibility.

If implementations available for people to actually use change in the future, so will the dismissals. In the meantime, the dismissals of what's not possible are not misconceptions just because it's possible it may change down the line. It still remains impossible right now, even though I'm hopeful it will become possible in the future.

And again, sure - other threads probably have a lot of flat mistakes or different claims. But, if I wanted to discuss what other threads are saying, I wouldn't be reading and replying in this one.


Thank you for eloquently putting this. I am exactly in that boat. I'm reasonably IT savvy but not a security researcher. I help a large number of not tech savvy people with advice.

I don't care to either dismiss or evangelize the technology based on what it may or may not be able to do in the future. My questions are whether these are user friendly and usable today, or whether I should wait and see. I feel all my concerns of "if I and my family adopt this right now, today, on my actual devices, what are my risks and capabilities? How can I keep my family safe, back up things, and set them up for success?" are answered with "in the future, in theory, somebody somewhere will come up with this solution, which is not currently strictly prohibited".


> You can do this with Passkeys.

Maybe in theory. In practice, I couldn't even look at the passkey Google has created on my android phone. So you absolutely cannot write it down.


If you don't like Google's implementation, you should use another one. It doesn't make much sense to say "I can't do X with my thing, therefore I can't do it with anything".

The fact remains that, if you want a Passkey you can write down, you can do that.


> If you don't like Google's implementation, you should use another one.

Once more, maybe this is possible in theory. In reality, I can't find any way to use Apple's passkey implementation on my Android phone.


Can you point me to a site? I've had no issue using Google's Passkeys without actually using a Passkey.


That's really helpful. Do you know of an open source passkey client?


Someone has linked a few implementations in the thread here:

https://news.ycombinator.com/item?id=36238001


Thank you. It is disheartening that so many HN readers would rather imagine how passkeys work, and freak out at their own imaginings, than just learn the real thing.


Somewhat fair criticism, but also somewhat unfair. A lot of us are trying to read up and understand, and so we post questions in forums like these with knowledgeable folks, in hopes to enhance our understanding and reduce our concern.

One counterpoint though is that... if there is a new lifesaving technology, and even the somewhat IT-literate / somewhat geeky folks who WANT to understand it are struggling... it may not be as simple and easy and safe. If I ask "how do I back up my passwords", I'll have 10 million folks answer "use a password manager, back up the file". When I ask similar questions about passkeys, the breadth, inconsistency and complexity of answers is as insightful as it is worrisome.


No complaints with questions, but many of the questions are in the form of assertions that are incorrect.

"Does that mean that passkeys can't be shared between users or devices?" is a 100% reasonable question.

"Passkeys are a step backward because they can't be shared between users or devices" is not really a question, it's an opinion based on imagination.

And passwords are just as complex. How do you securely share a login with another user?

Yes, there's complexity, but it's complexity born of a change in paradigm. The actual new thing is either equally simple or simpler than traditional passwords, once you factor in scenarios like backup, transfer, multi-device sync, sharing, etc. It's just different.


Yep, that's what frustrates me as well, especially for a technology that will be a massive gift to both security and usability.


Have a look around this thread. Lots of smart people having difficulties figuring out how this works. This is a bad sign. It shouldn't be this hard to figure out the basics.


> It shouldn't be this hard to figure out the basics

Why not? There are lots of great things in the world that are easy and a joy to use, but fairly challenging to learn the technical details of. The electricity grid, airplanes, microwave ovens, you name it. Tons of straightforward user experiences that take some work to understand.


I don't see people having trouble grasping the technical specifics, I see a lot of people having knee-jerk reactions and reacting to their own assumptions of how Passkeys work.


Because you are a) not explaining as well as you seem to believe and b) reacting with hostility and snobbery when you are called out on that fact.


I've spent about 10 minutes Googling, and I'm still not sure how I backup and restore passkeys.

I use a password manager with a full backup of the vault, so the answer to most of the parent's question would be solved by getting the vault back from backup. Except:

- passkeys are not yet supported by my password manager, so I'd have to wait for a while

- can I move Safari's passkeys to my password manager afterwards, like I did with passwords? Probably not?

- can I move my password manager's passkeys to another one if I need to? I have no idea.

That's where, at least for me, none of this is simpler than I think. The same way resetting passwords is an absolute last-ditch effort, I hope passkeys can be managed without having to go back to the service every time we change how we want to manage access on our side.


You can set up as many as you want, so just register your phone as one and your PC as another, e.g. using Windows Hello. If you lose or compromise one device, you just delete it as a passkey; the rest still work. If you somehow lose all of them at the same time, there's usually a fallback to a password or some kind of reset process.


For every account though, correct?

Like, I can keep all my passwords in a password manager. And then copy and replicate that database however I want to.

With passkeys, I'd need to set up and authenticate additional devices... for every one of the hundreds of accounts I have? Am I wrong? Like if I have an Android tablet and iPhone and Windows PC and a Linux PC (as I do), that's half a dozen setups for each and every account? And this is a good thing??


It's my understanding that passkeys that are created by platform authenticators or password managers can be backed up. That's how replicating your key through iCloud likely works. Hardware keys on the other hand don't support backups by design. You need to enroll multiple keys to have a backup.

> With passkeys, I'd need to set up and authenticate additional devices

This is true, if you don't use a platform authenticator or password manager and only use hardware keys.
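One way a relying party can tell a device-bound credential from a synced one, as an added example that is not from this thread or from any product mentioned in it: WebAuthn authenticator data carries backup-eligibility (BE) and backup-state (BS) flag bits, and a site can read them at registration to decide whether to prompt the user to enroll a second authenticator. The RP ID and sample byte strings below are constructed.

```python
import hashlib
import struct

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: a multi-device (synced) passkey
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: the 37-byte fixed prefix an authenticator emits."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the fixed prefix, checking the RP ID hash and flag consistency."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = auth_data[32]
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    # The spec forbids BS without BE: a device-bound key cannot claim to be backed up.
    if backed_up and not backup_eligible:
        raise ValueError("invalid flags: backup state set without backup eligibility")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "sign_count": sign_count,
    }


def credential_kind(parsed: dict) -> str:
    """Classify the credential from its backup flags."""
    if not parsed["backup_eligible"]:
        return "device-bound"
    return "synced" if parsed["backed_up"] else "synced-not-yet-backed-up"


def needs_second_credential(parsed: dict) -> bool:
    """True when losing the device would lose the only credential, so the
    site should prompt the user to enroll another authenticator."""
    return not parsed["backed_up"]


if __name__ == "__main__":
    rp = "example.com"  # constructed RP ID
    hw_key = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 7)
    synced = build_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    for label, data in (("hardware key", hw_key), ("platform passkey", synced)):
        p = parse_authenticator_data(data, rp)
        print(label, credential_kind(p), "enroll a backup:", needs_second_credential(p))
```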


As mentioned by others, you can use a solution that propagates your passkey credentials across devices; probably most password managers will offer this soon. I wouldn't, because you lose separation in case of compromise of one device, but if you do, it's still on par with the security level of today's password managers with cloud sync.

Also, you don't really have to set up everything everywhere all at once: passwords still work, and you can use a phone passkey on a PC via QR code.


> I've spent about 10 minutes Googling, and I'm still not sure how I backup and restore passkeys.

In the Apple ecosystem your passkey is / can be sent to your iCloud Keychain, which you can restore when you get a replacement device (and keep using on non-lost/stolen devices):

* https://support.apple.com/en-ca/guide/iphone/iph82d6721b2/io...

* https://www.google.com/search?q=apple+passkey+icloud


This doesn’t address the issue if OP needs temporary access via an Android device.


If you still have access to a device that can handle the passkeys, then you can scan a QR code to gain access.

If you do not have access to a device with your passkey on it, then iCloud Keychain is probably not the best service to use for your use case of an Android device. Use one of the many other services that provide both Android support and passkey support. Then you can access that service and access your passkeys.

iCloud is one of many. Bitwarden and 1Password will both support passkeys, both have Android support.


Yes, Bitwarden's passkey support is for "this summer".

https://bitwarden.com/blog/bitwarden-passkey-management/


I don't know about Windows, but if you look at the example, your Mac is putting it in your Keychain app, which is usually available on other devices that are connected to your Apple account. Also if you set up a new MacBook. Most likely also on your iPhone. If you have an Android phone, that will be a lot less smooth.


I had the impression that Apple stores and syncs them for you, but at no point will give you the option to actually backup or restore (have a copy of the info under your management). Let's say I need to move a credential from my account to my wife's, I guess it's probably not allowed. Or god forbid I change Apple IDs.



You can export your password (from Safari or from the Settings app) to a csv file. Not sure how that handles passkeys, if at all, however. Probably not (yet).


The email password reset feature is an overlooked part of modern security. It has become sort of like a master key for every service. Combined with password reuse it becomes really risky (but oh, so convenient).


This approach basically makes all the security provided by the passkeys void, as the whole system becomes no better than login-via-email-link or login-via-SMS-code scheme.


Every time an average user registers to a site with a passkey, they aren't giving that site their reused password that also provides access to their email (I believe that's the main way email accounts get hacked).

If they registered to their email with a passkey, great.

Either way, passkeys seem to reduce the risk of the email being compromised.


I don't think password reuse is the common vector. I believe the most common one is phishing, where the user is tricked into giving up their current credentials, straight for the service the attacker is interested in. But I could be wrong. And, yeah, it is an improvement for sure.

You're definitely right that passkeys drastically improve the bottom-line security for the least protected folks (who are probably the majority). It is a step in the right direction, for sure. But they also make things worse for me, someone who uses different random high-entropy passwords for almost everything except local sudo and unlock PIN codes. I want to use PKI instead of shared secrets, but when I try, it's extremely inconvenient, so I know at some point I'll just give up. This, and the fact that my bottom line is not moving up at all (it still remains the same, limited by the security of recovery processes), is frustrating.


How do I access my e-mail to reset my passkey when it's also protected by passkey?


I had this problem with Dashlane after they suddenly changed their policies, though with a regular password. My solution? Out of frustration I developed my own password manager. Eventually I was able to recover the password from my email provider though. But at that point I had no more nails left.


I had the same issue with LastPass a few years ago. When I reinstalled my OS they decided to lock me out of my account because they thought I was a different person. The only way through is e-mail verification. Guess where that email's password was stored?

Lost everything. Been using Bitwarden ever since.


Everyone must know two passwords: their password manager's password, and their email password.


It gets even more complicated if you use 2FA with your email provider.


> I had this problem with Dashlane after they suddenly changed their policies,

This is a bit hard to know what to search on. Where can I read more about the policy changes?


Sorry, I can't remember. They suddenly lowered the number of clients a few years ago. This locked me out of my e-mail client. Since 2FA updates were sent to my e-mail, it led to a bit of tail-biting. Pretty much the same problem can happen with a passkey. Either way, this blew away a lot of the trust I used to have in password managers, so out of frustration I coded my own as a backup that can digest Dashlane output, so I never need to rely only on them ever again.


> (Of course, it's possible to have a site that has no way to reset your password, and just assumes that you'll never forget your password. Similarly, those sites could have no way to reset your passkey. In that case, the problem is as you say: there'd be no way to recover your keys if you lost access to them.)

Isn't this the catch though (I haven't been following passkey work much)?

Every site knows users will absolutely forget passwords, so having a reset mechanism is a must. But I can imagine many sites thinking nobody will forget a passkey since it doesn't need to be remembered, thus hardcoding it in ways that make reset impractical.


There's more. Password recovery means that you're changing your password. Every single password reset flow does what it says on the tin: it resets your password. After it's complete, the old password is gone and the account has a new password. This is logical.

For Passkeys, going through the recovery flow may indicate two possible things: 1) that you lost the Passkey and are going through recovery to replace it with a new one; or 2) that you merely want to log in on a different device where the original Passkey is not available.

This, of course, is going to work in practice; much worse designs have worked, after all. But it's all logically unsound, and not really addressed by standards bodies or large implementers. It's not a big deal and there are ways to make it logical, but because it's not addressed, it's gonna be a mess.


> Some apps/sites just send you a password reset email. Apps/sites like those would reset your passkey the same way: they'd send you a passkey reset email, you'd click the link in the email, and they'd let you regenerate your passkey then and there.

Sounds like email based login with extra steps then.


Not really sure if that is really cleverer, to be honest. I think passwords and the common password reset via capability URL are pretty fine. I use stronger credentials for banking, and everything else is pretty much only protected by a password. I also cherish the privacy advantages of not using a login provider. I have had accounts suspended for no reason, and this dependency is just not acceptable.

Even banking with device-bound credentials is a hassle every time you switch devices or pick up the wrong phone.

I have some apps using login with Microsoft because users are logged in anyway in a corporate environment and it is practical to provide SSO. Here accounts might also be closed and access needs to be withdrawn. It's practical to do so centrally.

But for cleverness I still believe nothing beats a secret in your head. Quick, fast, secure. OAuth is a mess, so I doubt passwords will be outdated anytime soon.


Thank you. I think this answers my question.



