From the article:
The import/export feature, which Apple demonstrated at this week’s Worldwide Developers Conference, will be available in the next major releases of iOS, macOS, iPadOS, and visionOS. It aims to solve one of the biggest shortcomings of passkeys as they have existed to date. Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.
You can create a new passkey in each password manager, though! As a one-off, it's not so hard, but it will become more work when you have lots of passkeys.
The FIDO Alliance, the consortium of more than 100 platform providers, app makers, and websites developing the authentication standard, has been keenly aware of the drawback and has been working on programming interfaces that will make the passkey syncing more flexible. A recent teardown of the Google password manager by Android Authority shows that developers are actively implementing import/export tools, although the company has yet to provide any timeline for their general availability.
...
The transfer feature, which will also work with passwords and verification codes, provides an industry-standard means for apps and OSes to more securely sync these credentials.
There are a lot of people who assume that vendors are always trying to lock people in. Sometimes that's true, but not always.
That’s assuming the service you’re trying to log into supports multiple passkeys. I’ve run into quite a few that only allow one passkey per account. It’s a bad implementation for a number of reasons but it does happen.
Yeah, good point. I’ve only created a few passkeys so I haven’t run into that yet. I guess then you have to choose?
As of now, yes. Or you’re using a password manager that can sync to multiple devices. I’d guess if you’re using a password manager at all, it’s syncing to all your devices.
Though once this is implemented, I wonder if you can make a passkey in Apple Passwords, export it to Bitwarden and use it in both places.
Maybe I'm wrong but I thought one of the points of passkeys was that they couldn't be easily transferred. You can't be phished into giving someone your passkey if you literally can't transfer your passkey.
It's a risk, but it's not something you do every day. This web page has a screenshot of the UI:
https://9to5mac.com/2025/06/13/ios-26-passkeys-password-transfer/
This may have come up on Tildes before, but am I the only one who finds passkeys insecure?
I acknowledge they are a step up from having no password manager. But they seem less secure than a password manager + 2FA.
It depends which risk you're worried about and which alternative you're comparing with.
If you mean, compared to a Yubikey or similar device, I don't think it's adding any security against phishing. But if you're comparing to SMS authentication, or one-time passcodes from an app, it's possible to trick people into copying authentication codes to a malicious website.
For the masses, getting them to use a password manager at all (as is required to use a passkey) is more secure.
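An added example, not part of any comment in this thread: a sketch of why a one-time code relayed from a look-alike page still verifies while a passkey assertion made there fails the relying party's origin and rpIdHash checks. The domains, secret and challenge are constructed, and signature verification is left out to keep the focus on origin binding.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                # assumed relying-party ID (constructed)
ORIGIN = "https://example.com"       # assumed genuine origin (constructed)
LOOKALIKE = "example-login.invalid"  # constructed look-alike domain

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing about the website enters the code."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), code)

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page or the user, records the origin it is on."""
    fields = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(fields).encode()

def authenticator_data(rp_id: str) -> bytes:
    """SHA-256(rpId), then flags (UP|UV = 0x05) and a 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", 1)

def server_accepts_assertion(client_data: bytes, auth_data: bytes, challenge: str) -> bool:
    """Relying-party checks that precede signature verification (omitted here)."""
    cd = json.loads(client_data)
    return (
        cd.get("type") == "webauthn.get"
        and cd.get("challenge") == challenge
        and cd.get("origin") == ORIGIN
        and hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest())
    )

def demo() -> dict:
    secret, now, challenge = b"constructed-secret", 1_750_000_000, "Y29uc3RydWN0ZWQ"
    code = totp(secret, now)  # typed into the look-alike page, then forwarded
    genuine = (browser_client_data(ORIGIN, challenge), authenticator_data(RP_ID))
    # The browser only lets the look-alike page use its own domain as rpId.
    phished = (browser_client_data("https://" + LOOKALIKE, challenge),
               authenticator_data(LOOKALIKE))
    return {
        "totp_relayed": server_accepts_totp(secret, code, now),
        "passkey_genuine": server_accepts_assertion(*genuine, challenge),
        "passkey_lookalike": server_accepts_assertion(*phished, challenge),
    }
```
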
I believe the first-class integration could constitute a security improvement, depending on the password manager in question. LastPass for example has proven to be an awful mess over the past several years, and so someone using passkeys might actually be in better shape overall than a LastPass user.
I feel TOTP is ergonomically better. For a technical user there’s no benefit to passkeys at the moment.
On my phone or tablet, logging into GitHub seems easier for me, since I don't need to type anything. (I only do that occasionally, so it's likely that I have to log in again.)
I think TPM changes that - you now can have device-bound passkeys that cannot be exported from the TPM even by a rootkit, and that require a biometric before every use.
I wonder if that is what Google now silently enroll uses to
Technically passkeys are 2FA, as it's something you have and something you know/are - on a PC, you need to enter a password/PIN on Windows, a phone can use your fingerprint if you have that set up.