Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
degamad 9 days ago

Passkey are more like password managers, and less like MFA tokens - despite the fact that many passkey implementations can function as MFA tokens as well.

Bitwarden the password manager includes a full passkey implementation, which doesn't involve any MFA.

valenterry 9 days ago | parent [-]

> Passkey are more like password managers, and less like MFA tokens

No: - I can always export and import all my passwords from/into my password manager - My passwords always work independently of a password manager or any specific app/OS/hardware

That is not true for passkeys and makes them much more like tokens. Of course they don't have to be used in MFA, just like passwords.

jerf 9 days ago | parent [-]

I just exported my Bitwarden vault and the resulting .json file has my passkeys in it. I'm not going to try to test import, but if it doesn't work that would obviously be more "bug" than anything else. Clearly "export" is the high concern functionality and once exported, importing them is not a big deal.

This is only about your first paragraph, it doesn't affect your second.

geodel 9 days ago | parent | next [-]

Indeed. Credential Exchange Protocol (CXP) is already been worked on and all major vendors are planning to support it. There was talk also in Apple WWDC 2025 about Passkey related APIs including exporting them.

valenterry 9 days ago | parent | prev [-]

Unfortunately just because it's possible with Bitwarden doesn't mean it is always possible.

palata 9 days ago | parent [-]

Are you saying that it's not always possible to import/export passkeys because you can manage them with some program that doesn't allow it, but the same is not true for passkeys?

Counter-example: I can write a password manager that will not allow you to export/import passwords.

valenterry 8 days ago | parent [-]

No, that's not what I meant.

There are cases where bitwarden doesn't work but chrome for example does. Easy to Google up.

For passwords however, I never heard of a case where a website only accepts passwords from a specific password manager - and how could they even do that right?

palata 8 days ago | parent [-]

I don't think your reasoning holds. You say "I know situations where one passkey client works with some websites and not others, but I don't know situations where a website works with some clients and not others".

If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?

valenterry 8 days ago | parent [-]

> but I don't know situations where a website works with some clients and not others

For example: https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselec...

> If the website accepts a password, then it can't prevent you from using the password manager you want. But if the website accepts FIDO2 passkeys, it's the same thing, isn't it?

Unfortunately not...

palata 7 days ago | parent [-]

> For example: [...]

Those sound like requirements similar to those that can be enforced with passwords. My company enforces an SSO system with an MFA scheme that is controlled by the IT department. I can use my password manager for the password part, but I must use the mandatory MFA app.

In that sense, I am not sure it is so different from passkeys?

valenterry 6 days ago | parent [-]

Now you are not comparing passwords with passkeys anymore, but MFA with passkeys. Not sure what the point is in the context of the discussion.

> In that sense, I am not sure it is so different from passkeys?

Yes, if it means "company specific SSO* and a company chooses to force you to use the hardware they decided on, then that is in fact not very different from the passkey constraints.