Security: are passkeys really that good?

I am finding 2FA more and more annoying by the day, but don’t really trust the alternatives that much either: authentication apps? Meh, what about a rootkit? Passkeys? What about the algorithm being cracked?

What’s your stance on this?

From the broad perspective of society as a whole, passkeys are superior. This is in part because

  • Some people won’t stop re-using passwords across sites.
  • Some people use weak or easy to guess passwords.
  • Some people save their passwords in insecure ways.
  • People are susceptible to social engineering attacks that leak their passwords too easily.
  • Many implementations of password security are deeply flawed. Especially those that are older.

However, that tells us nothing about whether passkeys are the best option for you personally. You need to consider your own personal risk factors as well as what you care about (i.e. privacy).

Personally, I always want at least two factors controlling my access to anything even remotely sensitive. However, neither of those factors should involve my phone number.



TOTP is far superior and safe from all the possible downsides of 2FA, for those who can…handle themselves.
But it’s pretty obvious passkeys would be forced down everyone’s throats soon.

1 Like

for 2FA I normally get texted a code, so, ergo the 2 factors are phone and text message–one could argue that’s 1-Factor authentication but I digress. If you keep your phone out of it then you get a code sent to an email account? (sorry just sat down with coffee; brain not caught).

No, using e-mail as a second factor is about the worst thing you can do in my opinion.

In my case, I prefer TOTP as my second factor.

1 Like

thank you all for the replies.

I have different phones for different tasks, it would never cross my mind to install on the main one (a privacy phone) an app from the “generic appstore”. But it might be an old mentality, I am willing to be open minded on this, I just need more data perhaps.

Would you mind elaborating on why it seems like TOTP is considered safer than passkeys?

Is it the same as PubkeyAuthentication for ssh? Or is it some other new fashion?
I like the idea that I have a secure private key that does not leave my device. Then on the other hand I have to trust my device (which is very difficult for a phone for example).

But in this day and age Google already knows it is me so why do I have to authenticate anyway. :rofl:

No phone, no e-mail, no identifiable information, no big tech, no vulnerable tech and absolutely no :ox: :poop: - just simple number generator as 2nd factor, and that’s it.

You can use the most powerful FOSS password managers like KeePassXC on both PC and Android phone to manage TOTP…or some other FOSS app.

1 Like

pwgen is the best FOSS generator I ever used. Constant companion. It’s in the CLI so it doesn’t manage anything, but it’s better than KeePassXC imo.

it sells itself, doesn’t it? :slight_smile:

Yeah, the only thing you really need to think about - always backup your TOTP entries…but this also goes to passwords, so… :upside_down_face:

Everybody should always backup anything sensitive in separate physical devices anyway…better in 2-3 places :clown_face:

1 Like

“it’s pretty obvious passkeys would be forced down everyone”

That password managers are incorporating passkeys and some sites are also adding passkey access does not seem to me like a forced switch.


No phone, no e-mail, no identifiable information, no big tech, no vulnerable tech and absolutely no :ox: :poop: - just simple number generator as 2nd factor, and that’s it.

And phishable, that’s it. Is a passkey phishable?

You have to be very cautious about backing up password databases. I normally don’t include my password database in my regular backup, I back it up separately.

This is because you want to be aware of every copy of that database in existence, so if any of your backups get compromised, you know to reset every password in the database as soon as possible. Of course, the master password has to be strong enough to give you plenty of time to do that.

If you regularly delete your old and obsolete backups like I do, to reclaim space for newer backups and other data, there is no guarantee that the old password database won’t be recoverable from those drives, and it’s very easy to lose track of it.

Anything can be accessed using social engineering.

I’m much more concerned with the idiotic implementations of passkeys running around, which can be vulnerable to many other things besides the user’s IQ level and control…and I’m especially concerned about every big tech company responsible for creating it and pushing it down everyone’s throat…

Unfortunately, TOTP uses a symmetric method (public key anywhere = private key in your hand). Your original, random public QR code is generated by the server and can also be copied to other people or AI bots.
But I think many servers delete the public key immediately after creating the TOTP. You decide whether you trust the server or not.

I think that any asymmetric method is generally safer than any symmetric method.
Not every server knows your private key, as it is only in your own hands.

That is one of the reasons for my low trust in third-party solutions. My systems have remained unbreachable over the decades because I do things “the good old way”: manually.
Unfortunately, some service companies are ‘adapting’ their policies to gradually accommodate passkeys while getting rid of “less efficient” (which I read as “safer”) practices.
Everyone is lately losing their minds, they prefer “fast and simple” to “effective and secure” which, in IT more than other fields, is complete madness in my eyes.
Believe me, it’s frustrating to witness clients get in trouble hours after delegating them to manage the product you built with wisdom, experience and care. It must be the same feeling Lamborghini dealers experience when a rich kid buys one and crashes it right out of the shop.


I appreciate your insights, but I want to clarify some points about TOTP and cryptography. TOTP uses a shared secret, not a public-private key pair, which is characteristic of symmetric cryptography, not asymmetric. There’s no “public key” in TOTP; the server and user’s device keep the same secret key. The security level between symmetric and asymmetric methods varies based on implementation and use case; one isn’t inherently safer. Also, in TOTP, there’s no concept of servers deleting keys post-creation, as they need them for ongoing verification. Hope this helps clear things up!

Managing 200 passkeys can be more problematic than managing passwords. Losing a passkey can cause issues as well. To be very clear, with my experience in big corporations, I don’t expect anything from passkeys.