No, the biggest issue with passwords is phishing. You can't phish a passkey.

The problem with this is requiring everyone to own a device with a secure enclave or similar hardware capabilities because some people are prone to being phished. Let me choose the level of risk I find acceptable.

Passkeys don't require this.

How else would you make the private key unexportable and the passkey uncopyable?

You wouldn't, and still passkeys don't require this.

Passkeys don't require it, but relying-parties may: https://github.com/keepassxreboot/keepassxc/issues/10407#iss... If enough RPs ban clients that let users manage their own data in the name of "security," then it is effectively required by passkeys. The passkey spec could have been written to be resilient against this type of abuse, but instead this abuse is explicitly considered a feature of the spec.

Sort of. Passkeys push the phishing to the account recovery or passkey enrollment process.

How do you phish the account recovery or enrollment process?

Are there any credential managers that don't validate the domain with passwords? Sure, there are issues with PSL subdomain matching, but at the end of the day it's good enough in the real world. All the other stuff (MITM, malicious site, etc) falls under the other case I already mentioned.

There's a big difference between "generally doesn't get phished" and "it's impossible to be phished".

It's security, so we're not discussing impossibility. You can still phish a passkey, we're just hoping the cryptography is good enough that it remains astronomically unlikely to succeed. Since we're all reasonable people, that chance is low enough that we're fine accepting it. What I'm saying is that the chance with passwords is still low enough that I'm fine accepting, even though it's much higher than the cryptographic security of passkeys. We're simply disagreeing about where we draw the line of "good enough".

How can you phish a passkey?

You crack the private key and forge the challenge? Maybe the other IDs sent alongside it are hard to get for some reason, but the security of passkeys comes down to the cryptography. Cryptography can always be broken, but a good cryptosystem makes the probability low enough that any reasonable person considers it good enough.

If you trust that the cryptography employed in passkeys is effectively unbreakable, then it follows that for all intents and purposes, passkeys cannot be phished. It’s the same thing as trusting that your browsing sessions cannot be MITMed because the end to end encryption is sufficiently strong.

What happens if I drop my phone in a river? Am I unpersoned, or is there a way to recover all my accounts? Just phish that flow instead.