Charon wrote: Thu Sep 11, 2025 12:40 pm
gavinsiu wrote: Wed Sep 10, 2025 4:57 pm
I am informing everyone on the thread since they might not be aware of the differences between passkey and 2FA. Let’s not get too confrontational on technical exchanges. We are all trying to figure things out.
Update: Vanguard does allow passkey use, and ironically on the website they only allow it as a second factor in 2FA. See PersonalFinanceJam’s comment about how to set up a software security key on Vanguard, which is a passkey and which Vanguard only uses in 2FA.
The original post asked about “security keys”, and it was not clear what they meant by that. It could include hardware or software security keys, which could include passkeys. I agree with you that we should keep things as simple as possible, but as Einstein said, not simpler than that.
Given the goal of securing logins without allowing SMS 2FA, it was highly relevant to this discussion that Vanguard did allow passkey use on their app (standalone multifactor authentication) and on their website (as the second factor in 2FA). I was responding negatively to your repeated insistence that this wasn’t relevant, because it was. I’m sorry if my tone was too confrontational.
The thing is, gavinsiu is correct. Technically, the key created using this process in iCloud Keychain is not a passkey because there is no user information defined for it and it can’t be used to replace the user/password combo. In fact if you look at the key in the Apple Passwords app, the user field just says “a registered user”. However, as you note the distinction barely matters to users using and storing those keys in a password manager. It’s a bit like someone complaining that the tissue I gave them is the off brand when they asked for a Kleenex. People using hardware keys have to know the distinction because any key created as an actual passkey uses a “slot” on the hardware and there are limited slots available. In some versions, if you want to get rid of a key from a slot you have to reset the whole hardware device.
The industry isn’t even consistent with regards to this. I’ll note the OP was looking into this for their AWS account. For my AWS account, using a hardware YubiKey for 2FA, the key generated was a slot-using passkey. It shows up as a passkey in Yubico Authenticator and it has user information assigned to it. But it’s not the user info used to log in, and AWS only uses the key for 2FA. AWS is also not the only service to do this. Look at the somewhat confusing way Bitwarden defines and then describes passkeys: using a basically correct technical definition, but then in the next paragraph saying there are these other types of keys that are kind of like passkeys that Bitwarden can store and the user can use with sites with “passkey capabilities”.
In my opinion passkey is becoming the generic term for all FIDO authenticators that can be used in WebAuthn. That could be for full passwordless login or as the token in 2FA. Just like Kleenex is a paper product I use when I need to blow my nose.
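The distinction the posters above are circling (a "real" passkey that can replace the username/password pair versus a FIDO credential that only works as the second factor) is, in WebAuthn terms, a discoverable (resident) credential versus a non-discoverable one, and it is decided by the relying party's registration options, not by the user. The following is an added example, not code from any poster, Vanguard, AWS, or Bitwarden; the relying party, user handle and helper names are constructed for illustration, and the site would pass these option objects to `navigator.credentials.create()` / `navigator.credentials.get()` in the browser.

```javascript
// Added example: how a relying party's WebAuthn options decide whether a
// credential is a discoverable "passkey" (usable without a username) or a
// non-discoverable second factor. RP, user and function names are assumptions.

// Constructed sample relying party (placeholder, not a real service).
const RP = { id: "example.test", name: "Example RP" };

// The challenge comes from the server session; WebAuthn requires at least 16 bytes.
function checkChallenge(challenge) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be a Uint8Array of at least 16 bytes");
  }
}

// Build PublicKeyCredentialCreationOptions.
// mode "passkey": require a resident key; the authenticator stores the user
//   handle/name, so login can start with no username typed.
// mode "second-factor": discourage a resident key; the credential is only found
//   when the server names it in allowCredentials after the user has already
//   identified themselves (e.g. with a password). This is the AWS/Vanguard case.
function buildRegistrationOptions(mode, user, challenge) {
  if (mode !== "passkey" && mode !== "second-factor") throw new Error(`unknown mode: ${mode}`);
  checkChallenge(challenge);
  // user.id is an opaque handle (1..64 random bytes), never the e-mail or username.
  if (!(user.id instanceof Uint8Array) || user.id.length < 1 || user.id.length > 64) {
    throw new Error("user.id must be an opaque handle of 1..64 bytes");
  }
  const discoverable = mode === "passkey";
  return {
    rp: RP,
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey: discoverable ? "required" : "discouraged",
      requireResidentKey: discoverable, // older (Level 1) spelling of the same choice
      userVerification: discoverable ? "required" : "preferred",
    },
    extensions: { credProps: true }, // ask the client to report whether a resident key was made
    attestation: "none",
  };
}

// Build PublicKeyCredentialRequestOptions for login.
// Passkey login leaves allowCredentials empty so the authenticator offers its
// discoverable credentials; second-factor login must list the user's known
// credential ids, which is only possible once the user has been identified.
function buildLoginOptions(mode, knownCredentialIds, challenge) {
  checkChallenge(challenge);
  if (mode === "passkey") {
    return { rpId: RP.id, challenge, userVerification: "required", allowCredentials: [] };
  }
  if (mode === "second-factor") {
    if (!knownCredentialIds || knownCredentialIds.length === 0) {
      throw new Error("second-factor login needs the identified user's credential ids");
    }
    return {
      rpId: RP.id,
      challenge,
      userVerification: "preferred",
      allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
    };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Classify a finished registration from what the client reported.
// credential.getClientExtensionResults().credProps.rk says whether the
// authenticator really stored a resident key; when the client does not report
// it, all the server knows is what it asked for, which is the ambiguity the
// thread describes (a "passkey" in the manager that only works as a 2FA token).
function classifyCredential(requestedMode, clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  const rk = props ? props.rk : undefined;
  if (rk === true) return "discoverable (passkey)";
  if (rk === false) return "non-discoverable (second factor)";
  return requestedMode === "passkey"
    ? "unknown, requested discoverable"
    : "unknown, requested non-discoverable";
}
```

On a hardware key the `residentKey: "required"` path is the one that consumes a storage slot, which is why the distinction matters to YubiKey users even though a password manager hides it; checking `credProps.rk` at registration lets the server store which kind it actually got instead of guessing later.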