Let's assume your vault/login has these properties:
- You have a strong unlock password that you don't use anywhere else
- You have a second factor set up for unlocking the vault (TPM in the device you're using, Yubikey, TOTP, etc.)
- The service you're logging into has good account recovery hygiene
The benefit, assuming those things, is that the passkey is phishing-resistant and social-engineering-resistant. If a user gets an email saying "omg, someone tried to transfer your paypal, click this link to log in", then when they try to log in with the passkey, the site the attacker is using won't be able to use the passkey (because the passkey is associated with a particular domain). Even if the user wanted to bypass this, there's specifically no way for them to extract the contents of the passkey.
That is very different from a user having their password stored in their vault. They could easily forget to check the domain, or get tricked by a very similar looking one, and copy/paste their password into the attacker's form.
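As an added illustration of the domain binding described above (not code from the post's author), here is a Python sketch of the relying-party checks that make a passkey assertion unusable from a look-alike site. The names paypal.example and paypa1-login.example are constructed, the browser/authenticator side is simulated, and verification of the assertion signature is omitted to keep the focus on the binding.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party (RP) values; a real site uses its own domain.
EXPECTED_RP_ID = "paypal.example"
EXPECTED_ORIGIN = "https://paypal.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rp_id_hash(rp_id: str) -> bytes:
    # authenticatorData begins with SHA-256 of the RP ID the browser actually used.
    return hashlib.sha256(rp_id.encode()).digest()

def simulate_browser_assertion(page_origin: str, challenge: bytes):
    """Constructed stand-in for the browser + authenticator. Page JavaScript
    cannot choose these values: the browser takes the origin from its own URL
    bar and derives the RP ID from that host (simplified; real browsers also
    accept a registrable parent domain), so a look-alike site receives an
    assertion bound to *its* domain, not to the site the credential belongs to."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    flags = b"\x01"  # UP (user present) bit
    auth_data = rp_id_hash(host) + flags + (0).to_bytes(4, "big")  # + signCount
    return client_data, auth_data

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes):
    """RP-side checks of the WebAuthn assertion ceremony (signature check omitted)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(EXPECTED_RP_ID)):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    c = os.urandom(32)
    print(verify_assertion(*simulate_browser_assertion(EXPECTED_ORIGIN, c), c))
    print(verify_assertion(*simulate_browser_assertion("https://paypa1-login.example", c), c))
```

In practice the browser would not even offer the paypal.example passkey on the look-alike page, since the RP ID differs; the server-side check is the second line of defence if an assertion is relayed anyway.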
My password manager (KeePassXC) has a browser extension that only lets you autocomplete the password on a page if the URL matches the one stored in the database.
Sure, I could manually copy the password from the database, but in practice, this is fairly good security. It also doesn't treat the user as an always-idiot, which is a good thing in my book.
I'm struggling to think of a reason why being "treated as an always-idiot" is an actual negative in this specific example.
I use Bitwarden, and when the password autofill doesn't work as expected, my first assumption from many previous experiences is that it's because a website changed something slightly in their auth flow, or a particular page has a weird redirect/embedded login scheme different than the primary login, or similar "modern" web weirdness.
So if I get phished and let my guard down just that one time due to panic, sleep deprivation, or whatever else, I'm glad that it gives me a second layer of defense against me reflexively clicking a couple times to copy/paste the password manually. A passkey dropdown with "No passkeys saved for this site" would be a massive red flag and stop me in my tracks before trying to do something else stupid.
Passkeys do protect you from such mistakes in a way the current implementation of the browsers/password managers/web-specs don't.
But that is after 10s of millions of dollars or more have been poured into the development of passkeys, resulting in new standard specifications, diverse implementations of password managers, etc.
Now, imagine the counterfactual world where those same dollars were devoted to improving the password infrastructure. Could we have forced the average person to always use password managers with long randomized passwords? Could we have built better web specs around password entry workflows, and forced websites to fix the issues you face? I think the answer is yes.
Against this counterfactual world, passkeys are not in practice much better.
Except we already are living in that counterfactual world. Companies haven't been sitting on their hands while lamenting how bad passwords are; we've spent many times more money trying to make passwords secure than we've spent on developing passkeys.
That works for you, but the website doesn't know you use a password manager, so they'll often want you to use SMS as a second factor.
Passkeys require some kind of password manager. That's the main benefit. The adoption problems are because a lot of users don't really understand password managers.
I bet that Google+Apple+Microsoft could have gotten 95% of the world on password managers by building excellent password managers into the OS, and demanding that one can only log in to their websites with passwords that have at least 100 bits of entropy.
Microsoft and Google forced organizations that were using their services to upgrade to 2FA over a few years. For a short bit it was optional; after that it's basically not possible to use these services without 2FA. Now even many grandmas are familiar with the idea that sometimes you have to copy a code from your SMS to a website when logging into your bank account.
They could have done the same thing with passwords. They have 100s of millions of organizational users, who will do whatever corporate IT tells them to do. Microsoft can say: there is a password manager available on Windows; from now on, organizational users must use 100-bit-entropy passwords. IT tells users: you must store passwords in the password manager and use the browser extension.
After three years of users resisting, everyone will give in. Same for university students, who will need it. After that the rest will adopt easily because it is the default thing to do.
So your real issue here is with credential managers, but I'll bite. In most cases the vault is not protected only with your master password, but with other cryptographic info that prevents the vault from being opened on untrusted devices. If one of your trusted devices is compromised, I guess you have other issues.
> Users are largely unsure about the implications for their passkeys if they lose or break their device, as it seems their device holds the entire capability to authenticate. To trust passkeys as a replacement for the password, users need to be prepared and know what to do in the event of losing one – or all – of their devices.
- are generated securely and so can’t be guessed
- can’t be phished
- are unique for each website you use, so if one website is compromised it doesn’t put your other logins at risk