PersonalFinanceJam wrote: Tue Sep 23, 2025 3:02 pm
Microsoft has done much the same for passkeys in credential managers on Windows. I think you have to be a part of the Windows Insider program to get a special build of 1Password which will integrate with the system level autofill and storage for passkeys in Windows 11.
You of course still have the underlying security and characteristics of the credential manager to consider.
I feel like reasonable people should be able to fall on opposite ends of this spectrum and still be friends. Acknowledging there are concerns that the other may or may not share.
I am looking forward to this rollout in Windows but still awaiting the details on how Windows Hello is involved. It is hard to understand why, to this day, you cannot use a FIDO2 security key to log into a Windows Home machine.
I have no problem with other people’s tradeoffs between security and convenience if they understand the tradeoffs, but unfortunately the industry has made the subject of authentication and FIDO2 so opaque by using simple one-dimensional models and cute terms like passkeys (which now it seems means anything FIDO2) and passwordless while disregarding the important aspects like phishing-resistance, it is hard for most people to do that with that kind of information.
I routinely encourage people I help to enable their password manager’s browser extension and use the auto-fill and now with passkeys because I know that they would not use the password manager as often without them. They have a greater risk of getting phished than being compromised by the next browser extension issue.
While some of my accounts (e.g., Azure AD global admin, Vanguard) would be catastrophic if compromised, so browser extension issues bring too much risk for those accounts.
PersonalFinanceJam wrote: Tue Sep 23, 2025 3:02 pm
This is the only site I’m aware of which lists both forms. It’s crowd sourced and far from complete:
Note for some it depends on how you set the key up. Google is a good example. You can create a key as a full passkey for username-less and password-less login or you could set up a key only for 2FA. We’ve already had the discussion about Vanguard. One other I’m aware of is AWS. My personal AWS account used to only offer hardware keys as a 2FA option. The offering has now changed and the description has now changed to use a hardware key or your face/fingerprint for 2FA. It appears in the case of AWS it is a true passkey that uses a slot on a hardware key.
Thanks for the discussion
Thanks, yes, I have seen that list. I was looking for a website that allowed a password manager to add what the site and the password manager called a passkey which is only used for 2FA for some testing (since Vanguard does not allow that anymore).
Looks like 1Password considers any FIDO2 credential as a passkey, further complicating the terminology. Funny how that list is provided by 1Password and in the vote for passkey support page 1Password has the fourth largest votes.
Are you sure you can do username-less login on Google? Username-less login needs Resident key/Discoverable credentials (what W3C calls a passkey) where it is my understanding Google defines passkey as any FIDO2 credential that allows passwordless login which only needs a non-discoverable credential with a mandatory PIN. In my testing I could not get Google to create a Discoverable credential.
Sorry to harp on this but I believe AWS uses the biometrics as the user verification to the passkey (which is a Discoverable credential – i.e. what many believe is a true passkey), it is the first factor to allow access to the second factor (i.e., the passkey). Sorry but the constant conflating of biometrics and passkey in the industry is causing so much confusion. You are not logging in with just your biometrics but with both your biometrics and passkey, in fact you do not need to use biometrics but a PIN will work if you wish. Best Buy and Home Depot are examples of this.
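
Added example, not part of the thread or any poster's code: the two properties the posts above keep separating (discoverable credential vs. user verification by PIN or biometric) are both visible to a relying party in a WebAuthn assertion. The sketch below reads the UP/UV flag bits from the authenticator data and treats an empty `allowCredentials` list plus a returned `userHandle` as a discoverable credential. The function names and the sample bytes are constructed for illustration.

```javascript
// WebAuthn authenticator data layout: 32-byte rpIdHash, 1 flags byte,
// 4-byte big-endian signature counter (37 bytes minimum).
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10 };

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAGS.UP) !== 0,   // touch / presence test
    userVerified: (flags & FLAGS.UV) !== 0,  // PIN or biometric checked on the device
    backupEligible: (flags & FLAGS.BE) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Hypothetical helper: classify one login from what the site sent and got back.
function classifyLogin({ authData, allowCredentialsSent, userHandle }) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) throw new Error("UP flag not set; reject assertion");
  // No credential IDs sent, yet an account handle came back: the authenticator
  // located the credential itself, so it is a discoverable (resident) credential.
  const discoverable =
    allowCredentialsSent === 0 && userHandle != null && userHandle.length > 0;
  let mode;
  if (discoverable && parsed.userVerified) mode = "username-less and passwordless";
  else if (parsed.userVerified) mode = "passwordless (username entered first)";
  else if (discoverable) mode = "username-less, another factor still required";
  else mode = "second factor only";
  return { discoverable, userVerified: parsed.userVerified, mode };
}

// Constructed sample input: zeroed rpIdHash, caller-chosen flags, counter = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}

const handle = new Uint8Array([1, 2, 3, 4]); // constructed user handle
console.log(classifyLogin({ authData: sampleAuthData(0x05), allowCredentialsSent: 0, userHandle: handle }).mode);
console.log(classifyLogin({ authData: sampleAuthData(0x05), allowCredentialsSent: 1, userHandle: null }).mode);
console.log(classifyLogin({ authData: sampleAuthData(0x01), allowCredentialsSent: 1, userHandle: null }).mode);
```

The UV bit is set the same way whether the device checked a fingerprint or a PIN, so the relying party cannot tell the two apart from the flags alone.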