The problem with passkeys
I strongly believe that passkeys are the future of authentication. For those who might be less familiar, passkeys are an alternative to passwords that allow you to log in to websites and applications with a single click of a button. A cryptographic key is saved to your device which unlocks your account, letting you authenticate and log in without needing to remember a long and complicated password.

All of my services are hosted behind single sign-on (SSO) via a passkey, allowing me to instantly log in to any website from my computer or phone with the click of a button. While passkeys work for me, I believe there is a long way to go before they are a natural replacement for the average non-technical user.
Fragmentation
Unfortunately, the passkey landscape suffers from an issue of fragmentation. Google, Apple and Microsoft all offer platform-native solutions for integrating and securing passkeys into the operating system, which sounds great! Apple allows you to sync passkeys via its iCloud Keychain - only accessible on iOS or macOS. Google syncs passkeys via Google Password Manager - only accessible on Chrome or Android. Microsoft syncs passkeys via your Microsoft Account and Windows Hello - and you’ve guessed it, only accessible via Edge or Windows.
This is all great - until you have multiple devices that don’t fit into the same ecosystem. If you have passkeys saved on your iPhone or MacBook, they won’t be accessible on your Windows PC or Android, unless you create a brand new passkey for those devices as well.
“What about cross-platform password managers?”
This is an excellent point. Services like Bitwarden, as shown in the image above, can be installed on virtually every platform and allow you to access passkeys from any device. The only problem is that most people using a dedicated password manager either are mandated to by their organisation or are security nerds.
“Can’t you just move the passkeys to a different platform later on?”
Unfortunately, Google, Apple, and Microsoft do not currently allow you to export their synced passkeys for import into a cross-platform manager like Bitwarden. Once you are within the ecosystem, you are trapped, and the only option left is to manually remove passkeys from every website and service and then set them up again in a cross-platform system.
The business reason is to incentivise vendor lock-in within the ecosystem. To use a similar authentication example, Google Authenticator does not allow its users to export TOTP tokens (special tokens that generate one-time passwords) to a different app. It does, however, allow you to move codes to Google Authenticator on a different device, for when you get a new phone.
Solution
Set up a cross-platform password manager like Bitwarden, and stick to it for all passwords and passkeys. Ensure that you aren’t reliant on services like Google Password Manager, iCloud Keychain and Windows Hello that lock you in to a single platform or ecosystem, but rather use something that emphasises freedom and portability.
The same fundamental principle also applies to authentication codes: it is far better to use a service like Aegis, Proton Authenticator or Bitwarden Authenticator that prioritises freedom and portability of data than the closed solutions provided by Big Tech.