I’m still figuring out how to use passkeys properly and I’m struggling a bit to find a workflow that works for me.
For now I’ve decided to use passkeys only as a 2FA mechanism for some critical accounts, where I can also have an additional 2FA mechanism. That means I mainly use them on my Google and Apple accounts as 2FA, and I also registered a YubiKey for 2FA to limit the risk of getting stuck.
For now I’ve decided to store my passkeys in Bitwarden, but I’ve found the experience to be a bit clunky. Is it the correct way to do it? I’m wondering if maybe I should instead create one passkey per device I use and not store them in Bitwarden.
What do you think is the "correct" way to deal with passkeys?
1 passkey per device = someone has to steal that device to steal your passkey ("something you have")
all passkeys in one manager = someone has to steal your password manager login to steal all your passkeys ("something you know")
In my experience, passkeys aren't typically 2FA either, since they just replace your password login instead of supplementing it. It's 1FA, either replacing "something you know" with "something you have (your device)" or "something your password manager knows, based on something else you know".
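The point above that a passkey "replaces your password login" is easier to see with the actual protocol shape. What follows is an added example, not code from the thread or from any of the products mentioned: a simplified WebAuthn-style exchange in Go using only the standard library. The authenticator (a phone, a laptop, or a password-manager vault) holds a private key; the website keeps only the public key and a single-use random challenge; login is a signature over the challenge bound to the site's rpID. The `Authenticator`, `RelyingParty` and `signedMessage` names and the `example.com` / `examp1e.com` domains are assumptions for illustration, and `signedMessage` stands in for WebAuthn's `authenticatorData || SHA256(clientDataJSON)`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is what the relying party (the website) keeps after registration:
// a credential ID and the public key. The private key is never sent to it.
type Credential struct {
	ID     string
	Public *ecdsa.PublicKey
}

// Authenticator models one passkey holder (hypothetical name): a phone, a
// laptop, or a password-manager vault. Whoever controls this struct can log in.
type Authenticator struct {
	id   string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &Authenticator{id: hex.EncodeToString(raw), priv: priv}, nil
}

// Register hands out the public half only.
func (a *Authenticator) Register() Credential {
	return Credential{ID: a.id, Public: &a.priv.PublicKey}
}

// Assert signs the server's challenge together with the rpID of the site the
// browser is actually on. A look-alike domain gets a signature bound to its
// own name, which the real site will reject.
func (a *Authenticator) Assert(challenge []byte, rpID string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, challenge))
}

// signedMessage is a simplified stand-in for WebAuthn's
// authenticatorData || SHA256(clientDataJSON): it binds rpID and challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	sum := sha256.Sum256(append(rpHash[:], challenge...))
	return sum[:]
}

// RelyingParty is the website. It stores public keys and single-use challenges.
type RelyingParty struct {
	ID      string
	creds   map[string]Credential
	pending map[string]bool
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]Credential{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) Enroll(c Credential) { rp.creds[c.ID] = c }

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(ch)] = true
	return ch, nil
}

// Verify accepts a signature only for an enrolled credential, over a challenge
// it issued and has not seen consumed before, and only when bound to its own rpID.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return false // unknown or already-consumed challenge (replay)
	}
	delete(rp.pending, key)
	cred, ok := rp.creds[credID]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(cred.Public, signedMessage(rp.ID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	phone, _ := NewAuthenticator()
	rp.Enroll(phone.Register())

	ch, _ := rp.NewChallenge()
	sig, _ := phone.Assert(ch, "example.com")
	fmt.Println("genuine login:", rp.Verify(phone.id, ch, sig)) // true

	ch, _ = rp.NewChallenge()
	sig, _ = phone.Assert(ch, "examp1e.com") // constructed look-alike domain
	fmt.Println("phished signature:", rp.Verify(phone.id, ch, sig)) // false

	laptop, _ := NewAuthenticator() // a second device with its own passkey
	ch, _ = rp.NewChallenge()
	sig, _ = laptop.Assert(ch, "example.com")
	fmt.Println("unenrolled device:", rp.Verify(laptop.id, ch, sig)) // false until enrolled
}
```

The two storage models in the thread map onto this directly: "one passkey per device" means each device runs its own `NewAuthenticator()` and is enrolled separately, so the site holds several public keys and losing one device loses one key; "all passkeys in one manager" means a single `Authenticator` whose private key is synced to every device, so whoever unlocks the vault holds every key at once. Either way nothing password-like ever reaches the website, which is why a single passkey login counts as one factor (possession of the key) rather than password plus something.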
----------------
FWIW, I store everything in a password manager, including all my passkeys. The primary benefit of passkeys for me hasn't been increased security, but improved convenience, since it's much faster than dealing with SMS/email/OTP-based 2FA. It also means I can log in from any device to any website without having to manage individual device keys. I just have to memorize one master password for the manager, and everything else is automatically synced across devices & browsers.
The downside is that if my password manager gets hacked, they'd get access to everything and could masquerade as me everywhere. There is no longer a real second factor (something you "have" or "are"), since it's all just info stored in the password manager (something you/they "know"). That's a tradeoff I accept for the convenience. But if you value security more highly, you probably shouldn't do that.
Personally I prefer 1Password to Bitwarden because it has a better UI. But it stores everything in the cloud. So far their security record seems solid (at least compared to LastPass, but that isn't saying much). With any of these things, it's use at your own risk. Device-tied passkeys are safer (assuming the device itself is encrypted and has login protection) since they're not centrally stored in one place in the cloud.