We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
Every time I’ve tried to understand passkeys I either don’t get it and it’s scary to potentially be locked out or I do understand it and I still find it scary to potentially be locked out.
Even 2fa is tricky.
If my phone is stolen and I don’t have my laptop with backup codes, then I’m not getting into my accounts.
What if both are stolen or damaged at the same time?
Passkeys are basically passwords that you don’t send to the server. So they are safer against phishing.
Basically the server has a message. They will scramble it with your public key. And send it to you. Your private key unscrambles the message and then you send the message back to them. So if they receive the original message back. They know you are you. And they never got their hands on your private key at any point. It’s awesome.
2fa is an entirely different thing. And I do wish it was more standard how it works. Some places if you lose it you lose your account (bitwarden). Others you don’t (protonmail).
Everyone should use passkeys. 2fa you have to decide if your case warrants it.
Edit: example of passkeys:
Step 1: they have the message “cat”
Step 2: they encrypt it with your public key and it becomes “acm”
Step 3: they send you the encrypted message “acm”
Step 4: you decrypt the message “acm” into “cat” with your private key.
Step 5: you send them back the message “cat”
Only your private key would be able to decrypt something encrypted with your public key. So they now know you are you. And they never got a hand on your private key. It’s the same as a password except you never send it directly to the server.
Bitwarden has a passkey service + a paid totp service, so I can always use either to log into whatever within two clicks. Yeah it’s less secure than a physical keychain but… Whatever, it’s better than passwords and as easy to use.
In any case, if you atore the backup codes in a place where you can lose them, that’s on you. Upload them into somewhere you control that has good privacy laws.
Do you memorize all of your passwords? If so, I take that to mean that you don’t use a password manager. Password managers - really, any app with 2FA - have this problem, too. But if you use a password manager and store your 2FA methods in it, then you only need to be able to regain access to your password manager.
If you use a cross-platform password manager with Passkey support, like Bitwarden, you can use it on any of your devices. In the event that you lose all of your devices, if you don’t have an Emergency Contact set up, you will need your password and one of the following to gain access to your account:
If you use security keys for 2FA, then you should have at least two - one that you keep with you and a backup that you keep in a safe place, like at home in a lockbox.
If you use a TOTP app to log in, or if you use security keys and want another backup, then making sure you’ll have access to the Recovery Code should be your priority. You can write it down and keep it in a few different places - at home, in your car, in your locker at work, etc… You can share it with someone you trust in person or over an encrypted channel (like Signal). You can store it on a flash drive, encrypted by a second password (which can be much easier than your primary password) or even unencrypted, if you generally keep the drive somewhere safe, disconnected from your computer. As long as you remember your password and can access your recovery code, you’ll also be able to regain access to your account, including all of your passkeys.
Emergency Access requires someone else to have access to their Bitwarden account, but assuming you don’t both lose access, it’s a pretty solid solution. When they request access, Bitwarden will send you an email allowing you to accept or reject their request. If you accept or don’t respond within the allotted “Wait Time” (which you configure: 1 day minimum, 90 days maximum) then they’ll be granted access. You also get a choice (when setting this up) to let them takeover the account (resetting your master password) or to just get read-only access.
Maybe you don’t like Bitwarden and want to use some other app, like 1Password, Dashlane, Roboforms, etc… Whatever your choice, familiarize yourself with how to restore access to your account in an emergency. Then you only need to worry about that and not about how to get access to your passkeys that are on your Windows laptop or only synced to your Apple devices.