Ask HN: 1 passkey per device, or store it in password manager?
12 points by thiht 7 months ago | 4 comments
I’m still figuring out how to use passkeys properly and I’m struggling a bit to find a workflow that works for me.

For now I’ve decided to use passkeys only as a 2FA mechanism for some critical accounts, where I can also have an additional 2FA mechanism. That means I mainly use them on my Google and Apple accounts as 2FA, and I also declared a Yubikey for 2FA to limit the risk of getting stuck.

For now I’ve decided to store my passkeys in Bitwarden but I’ve found the experience to be a bit clunky. Is it the correct way to do it? I’m wondering if maybe I should instead create 1 passkey per device I use and not store them in Bitwarden.

What do you think is the "correct" way to deal with passkeys?




It's a tradeoff, as usual, between convenience and security.

1 passkey per device = someone has to steal that device to steal your passkey ("something you have")

all passkeys in one manager = someone has to steal your password manager login to steal all your passkeys ("something you know")

In my experience, passkeys aren't typically 2FA either, since they just replace your password login instead of supplementing it. It's 1FA, either replacing "something you know" with "something you have (your device)" or "something your password manager knows, based on something else you know".

----------------

FWIW, I store everything in a password manager, including all my passkeys. The primary benefit of passkeys for me hasn't been increased security, but improved convenience, since it's much faster than dealing with SMS/email/OTP-based 2FA. It also means I can login from any device to any website without having to manage individual device keys. I just have to memorize one master password for the manager, and everything else is automatically synced across devices & browsers.

The downside is that if my password manager gets hacked, they'd get access to everything and could masquerade as me everywhere. There is no longer a real second factor (something you "have" or "are"), since it's all just info stored in the password manager (something you/they "know"). That's a tradeoff I accept for the convenience. But if you value security more highly, you probably shouldn't do that.

Personally I prefer 1password to Bitwarden because it has a better UI. But it stores everything in the cloud. So far their security record seems solid (at least compared to Lastpass, but that isn't saying much). With any of these things, it's use at your own risk. Device-tied passkeys are safer (assuming the device itself is encrypted and has login protection) since they're not centrally stored in one place in the cloud.


1Password would also need to be compromised in a way that someone needs to have your secret recovery key as well.

My understanding is that the 1Password Secret Recovery key is encrypted on your local device.

Thus 1Password would need to be compromised, including your secret key, password, & email.


I use Apple devices and 1Password heavily. I’ve decided that passkeys sync to iCloud for me and passwords remain in 1Password. I think Apple’s built nice integrations across their devices for passkeys and they’re the future of authentication. 1Password is trying to build them in to stay competitive. Given that my 1Password experience continues to decline (they don’t really support safari profiles - autofill still broken over a year after safari launched those), I’m okay with using both tools until hopefully passkeys win


Share the passkey.

If you have 3 devices and create 3 passkeys, you need to enroll all 3 of them in each service you want to use. It’s unnecessary overhead. Someone stealing any of your devices (unlocked) will get access to the service. There’s no security benefit.
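The two comments above (passkeys as single-factor "something you have", and a synced passkey being one private key copied to every device versus one key pair enrolled per device) can be made concrete with a small simulation of the WebAuthn assertion flow. This is an added example, not code from the thread or from any passkey vendor. It assumes a hypothetical relying party "example.com" and user "alice", and stands in for clientDataJSON with the raw challenge; everything else (rpIdHash, flags, signCount, the ECDSA P-256 signature over authData || SHA-256(clientData), and the counter-based clone check) follows the shape of the real protocol.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Holder is anything that keeps passkey private keys: a device's platform
// authenticator, or a synced vault (Bitwarden, iCloud Keychain). Synced holders
// report signCount 0, as real synced passkeys do, because a counter cannot stay
// consistent across several copies of the same key.
type Holder struct {
	Name   string
	Synced bool
	keys   map[string]*ecdsa.PrivateKey // credential ID -> private key; never leaves the holder
	counts map[string]uint32
}

func NewHolder(name string, synced bool) *Holder {
	return &Holder{Name: name, Synced: synced, keys: map[string]*ecdsa.PrivateKey{}, counts: map[string]uint32{}}
}

// Credential is all the relying party keeps: a public key and the last counter seen.
type Credential struct {
	ID        string
	Pub       *ecdsa.PublicKey
	SignCount uint32
}

type RelyingParty struct {
	ID    string                  // hypothetical rpId, e.g. "example.com"
	Users map[string][]Credential // user -> enrolled passkeys (one per device, or one synced)
}

// Register creates a fresh P-256 key pair inside the holder and enrolls only the public half.
func (h *Holder) Register(rp *RelyingParty, user string) string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(raw)
	h.keys[id] = priv
	rp.Users[user] = append(rp.Users[user], Credential{ID: id, Pub: &priv.PublicKey})
	return id
}

// CopyTo is what syncing (or a vault compromise) does: the same private key now lives in two places.
func (h *Holder) CopyTo(dst *Holder, credID string) { dst.keys[credID] = h.keys[credID] }

type Assertion struct {
	CredID   string
	AuthData []byte // rpIdHash(32) || flags(1) || signCount(4), as in WebAuthn authenticatorData
	Sig      []byte // ECDSA over SHA-256(authData || SHA-256(clientData))
}

// Assert signs the RP's challenge; it fails if this holder has no copy of the key.
func (h *Holder) Assert(rpID, credID string, challenge []byte) (Assertion, error) {
	priv, ok := h.keys[credID]
	if !ok {
		return Assertion{}, errors.New(h.Name + ": no passkey for credential " + credID)
	}
	var count uint32
	if !h.Synced { // device-bound keys keep a monotonically increasing counter
		h.counts[credID]++
		count = h.counts[credID]
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x05) // flags: user present + user verified
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	authData = append(authData, cnt[:]...)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: credID, AuthData: authData, Sig: sig}, nil
}

// signedHash: real WebAuthn hashes clientDataJSON (challenge, origin, type); the bare challenge stands in here.
func signedHash(authData, challenge []byte) []byte {
	clientHash := sha256.Sum256(challenge)
	h := sha256.New()
	h.Write(authData)
	h.Write(clientHash[:])
	return h.Sum(nil)
}

// Verify checks rpIdHash, the signature, and the WebAuthn clone-detection counter rule.
func (rp *RelyingParty) Verify(user string, challenge []byte, a Assertion) bool {
	creds := rp.Users[user]
	for i := range creds {
		c := &creds[i]
		if c.ID != a.CredID {
			continue
		}
		rpHash := sha256.Sum256([]byte(rp.ID))
		if len(a.AuthData) != 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
			return false // signed for a different site: this is the phishing resistance
		}
		if !ecdsa.VerifyASN1(c.Pub, signedHash(a.AuthData, challenge), a.Sig) {
			return false
		}
		n := binary.BigEndian.Uint32(a.AuthData[33:])
		if (n != 0 || c.SignCount != 0) && n <= c.SignCount {
			return false // counter did not advance: replay, or a cloned device-bound key
		}
		c.SignCount = n
		return true
	}
	return false
}

func main() {
	rp := &RelyingParty{ID: "example.com", Users: map[string][]Credential{}}
	laptop, phone, vault := NewHolder("laptop", false), NewHolder("phone", false), NewHolder("vault", true)
	ch := []byte("server-challenge-1") // constructed; a real RP sends a fresh random challenge per login
	devID := laptop.Register(rp, "alice")
	a, _ := laptop.Assert(rp.ID, devID, ch)
	fmt.Println("laptop passkey verifies:", rp.Verify("alice", ch, a))
	_, err := phone.Assert(rp.ID, devID, ch)
	fmt.Println("phone cannot use laptop's device-bound key:", err != nil)
	vaultID := vault.Register(rp, "alice")
	vault.CopyTo(phone, vaultID) // the vault syncs the same key to the phone
	b, _ := phone.Assert(rp.ID, vaultID, ch)
	fmt.Println("synced passkey works from phone without re-enrolling:", rp.Verify("alice", ch, b))
}
```

The point the thread makes falls out of the model: with one key pair per device, each device must be enrolled separately and the RP can spot a cloned key because the counter stops advancing; with a synced passkey, one `CopyTo` is all it takes for any device, including an attacker's, to produce valid assertions, and the counter is always 0 so nothing at the RP can tell the copies apart. In both cases the private key is the only factor the RP ever checks.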



