@cy @dirksche @eingfoan @kuketzblog

100% agree ❤️ I just prefer to still poke around in file systems myself and find everything with grep/ack and find/fd 🤓

"With passwords and SSH keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with Passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a Passkey on a macOS or iOS device."

― Jeff Johnson (


#passwords #passkeys #sshkey
#selfdetermined #digitalsovereignty

Thomas Cannon
20 hours ago

A big #Ruby/ #Rails/ #passkeys milestone: hacked together automated testing infrastructure for logins via passkeys, for both selenium & plain old rack-test.

I’ll try to get the code extracted in the next few days 💪

23 hours ago

»What are passkeys?«

Well, not a new topic, but everyone who works with #IT and/or with secure access on the #Internet should take at least a superficial interest in how they are used, because #Passkeys are considered more secure than using just a #Passwort (password).


Thomas Cloer 🇪🇺 🇺🇦
2 days ago

Are you already using #passkeys?

(Feel free to share for more reach)

Oliver D. Reithmaier
2 days ago

Silly little #Passkeys world. We were testing passkey usability (specifically #FIDO2 passkeys with #Google, #Microsoft and #Amazon) when we discovered that the implementation side has gone awry. Results:
1. Passkeys mostly don't work on mobile browsers, despite most passkey tech being fit for mobile use.
2. There is a huge difference between operating system/browser combinations when it comes to setting up and using passkeys.
3. Even between close OS versions, certain versions might have different properties (e.g. between win11 and win10 there are differences).
4. Windows is especially messy. Setting up passkeys often works through Windows Hello (on Chromium-based browsers). Don't have that enabled? Well, shucks. Better look somewhere else.
5. Firefox lacks setup support but once you've set up a passkey in Chrome on Windows 11, you can use it on Firefox (not on win10 though, punk. Better back off). You cannot use it on macOS with Firefox. Linux is weird when it comes to that. Depends whether devs had time to implement it, it seems.

TLDR: While passkeys are great in theory, adoption/implementation seems to have been botched or not fleshed out yet. The best implementation (to our surprise) we have seen from the big ones was Amazon.

What good are standards when implementation is that?

Note: we haven't done too much reproduction of this yet, so take these results with a grain of salt.

Sven Geggus
3 days ago

Everyone is talking about #Passkeys and I wonder whether that is technically anything different from smartcards, which have been around forever and which could also have been used on the web forever.

Ronald Klip
4 days ago

Nice, passkeys. It would be even nicer if the Dutch-language IT sector could settle on one unambiguous translation. I've already seen four variants: wachtwoordsleutels, wachtwoordcodes, toegangssleutels, toegangscodes. Personally I find toegangssleutels the nicest. #passkeys

Abimelech B. 🐧🇩🇪 | wörk ™️
4 days ago

I think these #passkeys could win the race for most "normal" end users.
But I don't (yet?) have a good feeling about my private keys leaving my computer and being stored on other people's computers ("cloud"). Why can't I, as a "pro", simply store them in my private cloud or on my own computers? Why MUST I protect them especially well with the most secure password of all time? Or will I keep using 100-character randomly generated passwords with a second factor? 🤔

koehntopp ~ :
5 days ago

More bullshit security theater at Kleinanzeigen. Can hardly wait.
How about #Passkeys?

Maarten Kremers
5 days ago

🔍 The Trust & Identity Incubator from the @geant project (GN5-1) has released an insightful white paper on Passkeys Use and Deployment for R&E Services.

🔐 Explore the secure and convenient alternative to passwords, detailing how they function, usage, implementation aspects for R&E services, and future development steps.


#passkeys #security

dexternemrod :qubes:
5 days ago

Looks like #paypal is finally offering #passkeys and #securitykeys!

Stephan Windmüller
6 days ago

#PayPal now also supports #Passkeys, #FIDO sticks and authenticator apps such as Aegis for 2FA.

For reasons I can't fathom, you can register exactly one security key only, but it's still better than "SMS only" as before.

Thomas Cannon
6 days ago

Okay, have a #selenium question related to #passkeys:

Does anyone have good working examples of using Virtual Authenticators in WebDrivers? Particularly; adding a credential. The use case is pre-loading a credential as part of the test suite

The documentation is sparse, and I'm chasing my own tail while searching; and only getting a very vague error: {"code":-32000,"message":"An error occurred trying to create the credential"}

cc: @rmondello @nsa ?


Michael Babcock
6 days ago

Did you know that a couple of months ago @damashe and I sat down and published Unmute Presents - Passkeys? If not, listen at this link: #Passkeys #Technology

Harsh Shandilya
1 week ago

Are #PGP encrypted #passkeys too cursed of an idea because I'm thinking of giving it a shot for Android Password Store :thinkSpin:

Benedikt Roth
1 week ago

Are there mailclients and servers which can use #passkeys to authenticate users?
Is it technically possible?

Sander Dijkhuis
1 week ago

Are there any comparisons between:
- SIOPv2 / Self-Issued #OpenID Provider v2 used for pseudonymous authentication and
- #FIDO2 #passkeys?

SIOPv2 is mentioned in the #EUDIW ARF but would passkeys not have been a more ubiquitous choice?

My #passkeys aren’t working again, and I was bored yesterday, so I played a game of “keep tapping try again”. At some point, the #passkey was loaded/found. 🤷‍♂️ I can reproduce that all the time. I went to the Feedback Assistant and opened this one: FB13408819. I hope the logs shared can give them some light.

1 week ago

Do I get that right? With the upcoming of #passkeys it is finally time to get a hardware key such as #Yubikey? Especially for implementations like Apple‘s, where the passkeys are stored on their servers?!

I’ve just disabled Advanced Data Protection and restarted my iPhone (ctrl+alt+delete life). #Passkeys are working again and let’s see for how long. If you want to follow my passkey issues saga, follow the hashtag #PasskeysSaga 😉


Hey Joe! Yeah, you Mr. President! Can I use #passkeys on my iPhone?

Oh ok.. sorry! 🫥


Hasko 🇪🇺🦄🌻
2 weeks ago

I thought configuring #Passkeys would make logging into accounts easier but PayPal proved me completely wrong: Now I have to enter my password, authenticate with FaceID AND with a code from the 2FA app. Every fucking time.

2 weeks ago


Isn't something with #Passkeys supposed to come in that too?

#Passkeys aren’t working on my #iPhone… again!!! 😕🙁🙁☹️😔😣😖😫😩😭😭😭😭😭

2 weeks ago

👋🏻 hey #passkeys

jakob 🇦🇹 ✅
2 weeks ago

I have to admit... I haven't understood these #Passkeys...

Who else feels the same?

2 weeks ago

Just ordered two #Google #Titan hardware #Security #Token. (With the newsletter sign-up there is a 10 EUR discount.)

I'd like to take a closer look at #Passkeys and unfortunately my #YubiKey can't do that. If the OS vendors don't screw it up again by tying it to some cloud sync, I think it has potential. Basically ssh auth transferred to websites.

"Google brings new Titan security keys with room for many passkeys"


TapTap 🎮
2 weeks ago

#Passkeys with Windows Hello are really cool. I set it up with my surface studio's camera (I know, I know) and since it's WINDOWS storing the passkey, not the browser, I set it up in Chrome and it works in #Firefox with 0 input on my part!!

I saw someone mention passkeys and it made me think, is there a way to have them in iCloud password manager AND in 1Password? #passkey #passkeys #iCloud #1Password

Matthew Miller :donor:
2 weeks ago

This "BPoP" (Browser Proof of Possession) proposal out of Microsoft is really interesting! If you've bemoaned the loss of Token Binding then you owe it to yourself to read this explainer they just published:

I think the tl;dr is "bind session tokens to browsers using browser-managed public-key cryptography."

And I'm excited by the idea as a potential solution to the question of, "how do we defend against session token theft after passkeys lock down credential theft as a vector of attack?" 🤔

#bpop #passkeys #webauthn

ITX Mike
2 weeks ago

The sheer amount of packaging for a #TitanKey is insane. What happened to do no evil? Next time do a little card in a padded envelope. #Google #Passkeys #FIDO2 #InfoSec

Google Titan Key dwarfed by the non recyclable packaging
Sebastian Cohnen
2 weeks ago

With #passkeys arrival in Enpass I am more actively looking into adopting it and finally leaving 1Password 7 (yes the old one with local vaults) behind. What I want from my password manager is relatively simple: Good and native integration to macOS and iOS, Safari support, export and backup option (no, syncing to vendor’s cloud is not a backup) and option to use my own storage/sync provider (or none).

Sebastian Cohnen
2 weeks ago

I really like some aspects of #passkeys, but I'm not quite there yet to start adopting it for my private use cases. What I don't like at all is that no password manager (iCloud Keychain, 1Password, Enpass, …) supports manual, full backups, including o/c the private keys! This also prevents transfers between tools. IMO a -major- disadvantage to good old passwords 🙁

Royce Williams
2 weeks ago

Well, that answers that question. 😭​

And I assume this error was mistakenly put in a transient-error bucket, for which "try later today" is an applicable response. This error doesn't appear fleeting.

#passkeys #securitykeys #yubikey #coinbase

Coinbase settings response "USB security keys are not allowed as Passkeys", but oddly also saying " Please try again later today."
Royce Williams
2 weeks ago

Missing from

  • whether security keys are supported for passkey storage

  • whether passkeys are supported in the desktop website vs the mobile app


So! Signing out from iCloud and signing back in worked. #Passkeys are working again. But it is painful! Now my phone is hot and angry synching everything. Oh, and I will have to spend the next few days adjusting things like adding my cards back to the wallet app, answering infinite — Windows Vista — permission requests, and usual problems with Apple Watch. :prami_upset:

Yeah, it’s broken! All my #passkeys are invalid on my iPhone. I will try to contact Apple Support later this week. Good luck to me. 😞

oh no... something wrong with #Passkeys. I'm generating them with my Mac, and I can't use them on my iPhone… :sweat_blob:

Avoid the Hack! :donor:
2 weeks ago

Third-party data breach affecting Canadian government could involve data from 1999

Canadian friends dealing with a lot right now… two third-party contractors to the Canadian government breached. Lots of data compromised, scope is hard to determine.

Tighten security on your accounts (use MFA, use strong passwords, consider using #passkeys or hardware keys where supported) and be extra cautious of unsolicited communications. Monitor personal accounts for anomalous (potentially malicious) activity.

#databreach #cybersecurity #security #infosec

Ajay Kelkar
2 weeks ago

Yubico has a cyber week 50% off sale on a second key #passkeys #mfa 📚
2 weeks ago

How to use passkeys to secure your Google account on Windows, macOS and mobile devices

#passkeys #google #windows11 #macos

Avoid the Hack! :donor:
2 weeks ago

FCC adopts new rules to protect consumers from SIM-swapping attacks

FCC mandates wireless service providers adopt "secure methods" for authenticating a user before transferring out phone numbers.

Services (financial sector, I am looking at you) should also do their part... make SIM-swapping even less attractive by moving to TOTP #MFA / #2fa or supporting hardware keys / #passkeys

#cybersecurity #security #opsec #simswap

2 weeks ago

#Development #Showcases
The web can do what!? · A showcase of the incredible capabilities of the modern web

#WebDev #WebPerf #WebTechnologies #PassKeys #WebAssembly #WebGPU #API #Frontend #HTML #CSS #JavaScript

Marcus "MajorLinux" Summers
2 weeks ago

Hey, Google! Can you send me an updated one?

Google Titan Security Keys have been refreshed to store passkeys - Desk Chair Analysts

#FIDO2 #Google #Passkeys #Security #Titan

Google's new Titan Security Keys, available with USB-C or USB-A
ITX Mike
3 weeks ago

These look interesting! I had a set of the originals. Eventually replaced with my Yubikey 5. But definitely like the idea of my critical passkeys on a HW token and not in my password vault. Plus the PIN unlock.

#Titan #Google #InfoSec #Passkeys #Yubikey #FIDO2

Guilherme Dea
3 weeks ago

Spent the entire holiday studying. Still having lots of difficulty with React, my head just can't wrap around the syntax of this thing.

At least I finished setting up my old laptop with Ubuntu. Thanks to passkeys on @1password, setting all my apps and browsers was a breeze. It's nice to live in the future!

#react #ubuntu #passkeys #security

Royce Williams
3 weeks ago

Well, that's the source of the key I found on eBay. How did I not hear about these new security keys sooner??

"Google’s new Titan Security Keys let you store passkeys"

And the Google blog post says they hold up to 250 passkeys.

Blog post:

Google Store link (waitlist only at this writing):

#passkeys #securitykeys

Google Store / PR "hero" image of the new security keys - USB-C is wider than previous, and USB-A has a new round outer border on the symbols of touch surface.
Front of bubble pack of the new key.
3 weeks ago

In the midst of the Passkeys hype, a quick reminder for browser makers that developers would definitely benefit from an open API that could be used to listen WebAuthn/Passkeys requests directly in a friendly way. Currently every password manager browser extension injects JavaScript to all web pages because they don't have any other option.

Ping @mozilla


#Passkeys promise to prevent #phishing. What are they and how do they work?

3 weeks ago

is a community-driven index of websites, apps, and services that offer signing in with #passkeys.

Charlie Fish
4 weeks ago

It seems like there is a huge split between how #Passkeys are implemented currently. Some sites have used them as a password replacement, while others have used it as a MFA replacement. Which is correct? #Web #Auth

F. Maury ⏚
4 weeks ago

Neither @protonmail nor @Tutanota support passkeys as a password-less authentication method, and at least @protonmail does not support security key/passkey only 2FA. (I don't know if @Tutanota does)

I mean, these providers are supposed to be top-notch secure email providers. Why are they so far behind? Any serious alternatives? Paying customer here.

#email #smtp #fido2 #passkeys #authn

Craig Newmark
4 weeks ago
Deepu K Sasidharan
4 weeks ago

Hello J-Fall folks, huge thanks to everyone who attended my talk. Hope it was worth your time. Here are the slides from the talk. If you have feedback please send them my way

#java #passkeys #webauthn #springboot #auth0 #jfall

@quincy @thomasjorgensen @lobingera @glynmoody in fact didn't they try countless times to force shit that no one wants onto people, from #Passkeys to removing the #URL to "#WebIntegrityFramework" aka. mandatory #ads that one can't disable...

Let's not forget #Google - like all #GAFAMs - was a #PRISM collaborator, is subject to #CliudAct and #ITAR and thus not only capable but able and willing beyond the legally mandated minimums to do so.

DON'T TRUST GOOGLE - or anyone!

Mark Gardner ‍:sdf:
1 month ago

@bitwarden Really really need mobile #passkeys, but I understand it may be difficult especially on #iOS. Kudos

1 month ago

New! Manage #passkeys inside your Bitwarden vault! Use the latest in secure passwordless technologies with the Bitwarden browser extension. Learn more in this blog and by joining the webcast on Nov. 9:

#security #cybersecurity #passwordmanager #passkey

Manager Passkeys in Bitwarden Password Manager

It seems that moving between Password Managers with #Passkeys will become a nightmare! I’ve moved back to iCloud Keychain, and sometimes I have to re-enable :1password: 1Password because the Passkey is there. 😕 Fortunately, I don’t have many Passkeys, but in the future, this will be a problem if I plan to change my Password Manager again. 🤔

News for all security enthusiasts and Bitwarden users! 🎉

The latest update of the Bitwarden browser extension allows you to save passkeys! Say goodbye to the hassle of remembering complex passwords. 🔒✨ #BitwardenUpdate #Passkeys #OnlineSecurity

The logo of Bitwarden
Phillip :unverified:
1 month ago

#Passkeys have a lot of confusion and valid criticism against them. However, there is one huge benefit that I feel like no one is talking about: they effectively eliminate password breaches as we know it!

#security #cybersecurity #passwords #technology


Matthew Miller :donor:
1 month ago

It looks like BitWarden is following suit with 1Password and returning "uv:true" in WebAuthn authentication requests even though the user isn't prompted for anything more than to confirm the use of a passkey. The unlocking of the vault is considered the user-verifying event...

As an end user I appreciate the streamlined experience. But as an RP I'm disappointed - what if vault unlock occurred 5/10/30 minutes prior? Someone could cruise by someone's desk when the vault is unlocked and auth as the vault owner and the RP would be none the wiser 😢

It's a tough middle point that passkey providers have to try and find 🥴

#passkeys #bitwarden

A debug view of a WebAuthn registration response's authData flags shows that userVerified is returning true.
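
What the `uv` flag discussed in the post above looks like to a relying party, as an added example that is not part of the original post or of any project named in it. It parses the fixed authenticator-data header and applies the flag checks an RP can make; signature verification is left out, and the RP ID `example.test` and the sample bytes are constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Bits of the flags byte in WebAuthn authenticator data.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible (credential may be synced)
FLAG_BS = 0x10  # backup state (credential is currently backed up)


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticator data is shorter than 37 bytes")
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(
        rp_id_hash=raw[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def check_flags(raw: bytes, rp_id: str, require_uv: bool) -> AuthData:
    """Flag checks an RP makes on an assertion (signature check not shown)."""
    ad = parse_auth_data(raw)
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(ad.rp_id_hash, expected):
        raise ValueError("rpIdHash does not match this RP ID")
    if not ad.user_present:
        raise ValueError("UP flag not set")
    if ad.backed_up and not ad.backup_eligible:
        raise ValueError("BS set without BE")
    if require_uv and not ad.user_verified:
        raise ValueError("UV required but not set")
    # UV is a single bit: nothing in this header says how, or how long ago,
    # the user was verified, which is the limitation the post describes.
    return ad


def make_sample(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed authenticator data for the demo; not a captured response."""
    digest = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return digest + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.test"  # placeholder RP ID
    synced = make_sample(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print(check_flags(synced, rp, require_uv=True))
```
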
ricardo :mastodon:
1 month ago

#Bitwarden Adds Support for #Passkeys - Release Notes :bitwarden:

Osma A
1 month ago

I've rooted for so many methods to finally retire the password from our toolbox of authentication methods, I can't even remember what got me started. So I hold a lot of hope that Passkeys are finally the thing that will stick. But security is messy, and everything comes with downsides. What are some of the downsides of the passkey? A review.
#passkeys #authentication #infosec

@stevetex Safari also has full support to #passkeys I should say.
I am sad I had to stop using #firefox more often now because it is the only major browser that doesn’t support it.
Do you have any insight of what could be going on?!?
BTW: Firefox is still my Decatur browser but yesterday I had to switch to use safari… :/

Hey @mozilla : yesterday I was poking around #passkeys and had to stop using #firefox because it was not working… I could not sign in into a service I use everyday…
Do you have an insight of when it will be fully supported?
It is becoming more difficult for me to continue using Firefox as my default browser…

Royce Williams
1 month ago

Only the YubiKey 5 series supports creating and storing passkeys ("resident WebAuthn credentials"), and you can only store 25 of them.

Also, non-passkey use of YubiKeys appears to no longer be [reliably*] supported by Google's Advanced Protection Program. You have to create a reliable passkey, then delete and re-add all of your existing keys (listed under "2-step verification only security keys"). Some of my keys are ... extremely offsite, so it will take time to restore my previous levels of redundancy.

I think I'm starting to understand how we got here, but I'm still unhappy that the benefits of the previous model - in which unlimited sites could be used with each security key, and U2F keys were backward compatible - are gone.

I also feel as though Google, Yubico, and others could have done a better job of communicating the consequences for advanced users ... in advance. Instead, Google searches for "2-step verification only security keys" currently only produce 5 results, which are Reddit threads full of commiserators and Google support threads like this one that are locked without response:

* Once any passkeys use is enabled, some APP users (including me) can sometimes do a fresh Google login from scratch on a new device with only a security key .. but other times, any "2-step verification only" key you try is rejected as unrecognized. I do not know what the variability is - and the forums are full of people with similar complaints.

UPDATE: On further testing, and based on reports from others on the side, it may be that the symptoms I (and the folks in the forums) experienced were a problem for the first few months at launch, but may have been fixed. It last failed for me about a month ago, but I'm unable to recreate from Incognito. But since Google uses many signals to determine how to prompt for what kind of MFA, I am not at all confident that I will be able to use non-passkey security keys from a fresh computer in a new geographic location away from my phone. If Google fixed something, I do wish they'd say something about it somewhere, so that I can key with confidence!

Update 2: a friendly, authoritative reply that we don't think anything has changed, so the symptoms are still mysterious (and maybe more common if a PIN is set on the key?):

Update 3: And to head off some side questions - this doesn't diminish my YubiKey fanboy-ness. :D I do see the trade-offs, and the middle ground for me will probably look something like storing my "top 20" critical passkeys on YubiKeys, and keeping all the others in a password-management layer.

#YubiKey #Passkeys

Osma A
1 month ago

My other toot on this topic from a couple of days ago:

I think I'll write a longer post on these issues, actually. If you'd like to help me by reading a draft before I hit publish on it, please let me know. I might have something for you over the weekend.
#passkeys #authentication #infosec

Osma A
1 month ago

Here's a good primer on Passkeys, the finally-it's-here standard to kill off passwords.

I just don't believe that those corporate policies which incorporated 2FA will recognize a passkey being a sufficient replacement of both password and TOTP, or that those policies which didn't, would recognize passkeys at all. Please prove me wrong, though!
#passkeys #infosec

Marcel Waldvogel
1 month ago

@eff has a great writeup how #PassKeys work, why they are an important step forward in security, and talk about which password managers and devices currently support it (and which ones do sync, see above).

1 month ago

#Business #Explainers
Passkeys and privacy · How does the password alternative affect your privacy?

#Privacy #Security #Development #WebDev #Website #Authentication #Passwords #Passkeys

Matthew Miller :donor:
1 month ago

The EFF published a pretty optimistic article about passkeys and privacy 🎉

For most purposes, passkeys will represent a significant improvement in security at nearly zero cost to privacy. As described in the previous post, there are still significant growing pains in the passkey ecosystem, but they will likely be resolved in the near future.


1 month ago

@bitwarden Are you still hoping to launch #passkeys in October?

Thinking about getting myself a #Yubikey, but I'm a little worried if newer technologies like #passkeys and #fido2 or whatever may be better? I honestly don't know much about the world of hardware keys for #authentication and #security stuff

1 month ago

Join the Bitwarden team Nov. 9th for a discussion about #passkeys, how they make you more secure, and how Bitwarden users can leverage them today.

#passkey #cybersecurity #passwordmanager #security

Osma A
1 month ago

Now that the rollout of Passkeys is at the point where consumers are encountering them - is the future of MFA:

- Needing both a passkey AND a password?
- Passkey and TOTP?
- Two passkeys from separate devices?
- F passkeys, MFA will be passwords and TOTP forever
- What's MFA?

#passkeys #authentication #mfa #infosec

1 month ago

I wonder when #firefox will get onboard with #passkeys?

Hey @mozilla what's up?!