Roaming passkeys like in iOS, Android and e.g. Bitwarden are very convenient.

Device-bound passkeys like YubiKeys are much more secure, but you need to onboard multiple onto every service in case you lose one. Replacing them is a lot of work.

I'm a big fan and happy to answer questions.

Discussion

On Linux using Bitwarden, I set up a passkey for Amazon.

1. It only works on the laptop, not on Android. Why?

2. It still requires 2FA, is that necessary?

Make sure your passkey provider is set to Bitwarden in settings? Also, if using Chrome or a variant, I had to go into chrome://flags and set the passkey provider to 3rd party.

1. Also Android 14 and Google Play services are required. See https://bitwarden.com/blog/bitwarden-passkeys-mobile/ for more details.

2. The service determines whether it requires additional 2FA after sign-in with a passkey. PayPal, for example, requires 2FA despite using a passkey. Most others, like Microsoft etc., do not.

Interesting. I use GrapheneOS without play services so that might be my limiting factor.

Regarding the 2FA, I figured it was an implementation detail, but in your opinion, do you think 2FA is necessary if you're using passkeys?

Imho, if the key is device-bound and never leaves the device (like YubiKeys) it's sufficient for me. If it is synced with iCloud (Apple) or Google I would prefer an additional 2FA.
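The distinction drawn in the two replies above (the service decides whether to ask for extra 2FA; synced credentials deserve it more than device-bound ones) is something a relying party can actually act on: WebAuthn authenticatorData carries a flags byte whose BE (backup eligible) and BS (backup state) bits tell the server whether the credential can be or has been synced. The following is an added example, not code from the thread or from Bitwarden, showing how a relying party might parse those flags and derive a step-up policy. The relying party ID `example.com` is hypothetical and the authenticator data is constructed inline rather than captured from a real authenticator; the flag bit positions follow the WebAuthn specification.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (byte 32, right after the 32-byte rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric on the authenticator)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data included (registration only)
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix of WebAuthn authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    backup_eligible = bool(flags & FLAG_BE)
    backed_up = bool(flags & FLAG_BS)
    # The spec forbids BS without BE; reject such data rather than guess.
    if backed_up and not backup_eligible:
        raise ValueError("invalid flags: BS set without BE")
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": backup_eligible,
        "backed_up": backed_up,
        "sign_count": sign_count,
    }


def requires_step_up(parsed: dict, expected_rp_id: str) -> bool:
    """Relying-party policy: does this passkey assertion need an extra 2FA step?

    Returns False when the credential is device-bound and user-verified,
    True when it is a synced (backup-eligible) credential or lacks UV.
    Raises on assertions that should be rejected outright.
    """
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        raise ValueError("user presence not asserted")
    if not parsed["user_verified"]:
        return True
    return parsed["backup_eligible"]


def build_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (not captured from a real authenticator)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # hypothetical relying party
    device_bound = build_sample_auth_data(rp, FLAG_UP | FLAG_UV, 17)
    # Synced passkeys typically report BE|BS and a sign counter of 0.
    synced = build_sample_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    for label, data in (("device-bound", device_bound), ("synced", synced)):
        parsed = parse_authenticator_data(data)
        print(f"{label}: step-up 2FA required = {requires_step_up(parsed, rp)}")
```

This only covers the policy decision; a real relying party verifies the assertion signature, the challenge and origin in clientDataJSON, and the sign counter before the flags matter. The BE/BS bits are also only as trustworthy as the authenticator reporting them, which is why services that want a hard guarantee of device-bound keys rely on attestation at registration rather than on these flags alone.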

Good point. So nothing that the service providers can decide.

Bitwarden looks interesting, I haven’t used it yet though.

Start today not tomorrow. Bitwarden is amazing. They have a lot of educational content on their YT channel.

What's your rebuttal to the vendor lock-in concern?

Bitwarden is FOSS; worst-case scenario, you can migrate the key to a different application.

For the average person on the street, passkeys in Apple/Google are a huge benefit because they mitigate phishing attacks, password reuse, etc. Law enforcement and nation-states are not really a concern for them. But you're right, the vendor lock-in is real. Going through all the passkeys and adding another one when you leave the ecosystem of a single vendor is a lot of work. But as @danny mentioned, you can choose to store them in something like Bitwarden if you need the convenience of a roaming passkey. That's fine for, in my opinion, 90% of services. For my most "valuable assets," I use two hardware tokens from two different vendors. That's my approach: Bitwarden + two different hardware tokens.