Passkeys Are Short Lived

Introduction

I was very happy when I discovered that Vaultwarden had implemented passkey integration.

Sadly, I later realized how locked down this feature is.

What are passkeys?

Passkeys are a login mechanism, based on the WebAuthn/FIDO2 standards, that lets you sign in to supporting sites by proving possession of a credential stored on your own device or password manager, instead of typing a password.

Advantages

The main advantage is high security during the login phase. Passkeys also cut out phishing schemes, because what is exchanged during login is valid for only that one login. It might be possible to do some kind of MITM attack, but I am not sure what the capabilities would be to sniff the traffic and use it to your advantage.
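To make concrete what "valid for only one login" means, here is an added example in Go, written for this post and not code from Vaultwarden, Bitwarden or any WebAuthn library. It is a deliberately simplified model of the passkey flow: the authenticator keeps a P-256 private key that never leaves it, the site stores only the public key and issues a fresh random challenge per login, and the signature covers both the challenge and the origin. The names example.com, examp1e.com and alice are constructed for the demo, and hashing origin plus challenge stands in for the real WebAuthn client-data and authenticator-data structures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device or password manager holding the private keys.
// Keys are created here and never handed to anyone else.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // origin -> credential private key
}

// RelyingParty models the website: it stores public keys only, plus the
// challenges it has issued and not yet seen answered.
type RelyingParty struct {
	id      string
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
	pending map[string][]byte           // user -> outstanding one-time challenge
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register creates a P-256 key pair for this site on the authenticator and
// gives the site the public half only.
func Register(a *Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.id] = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}

// BeginLogin hands out a fresh random challenge that may be answered once.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// signedData binds the signature to both the origin and the challenge
// (a stand-in for WebAuthn's client data hash and authenticator data).
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser reports. Without a
// credential registered for that exact origin there is nothing to sign with.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// FinishLogin checks the signature against the stored public key and the
// outstanding challenge; the challenge is consumed whether or not it passes.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(rp.pubKeys[user], signedData(rp.id, c), sig)
}

// Demo runs a genuine login, a replay of the same assertion, and an attempt to
// obtain an assertion for a look-alike origin (all names are hypothetical).
func Demo() (legit, replay, phish bool, err error) {
	auth := NewAuthenticator()
	rp := NewRelyingParty("example.com")
	if err = Register(auth, rp, "alice"); err != nil {
		return
	}
	var c, sig []byte
	if c, err = rp.BeginLogin("alice"); err != nil {
		return
	}
	if sig, err = auth.Sign("example.com", c); err != nil {
		return
	}
	legit = rp.FinishLogin("alice", sig)
	replay = rp.FinishLogin("alice", sig) // same assertion again: challenge already consumed
	if c, err = rp.BeginLogin("alice"); err != nil {
		return
	}
	_, signErr := auth.Sign("examp1e.com", c) // look-alike origin: no credential exists for it
	phish = signErr == nil
	return
}

func main() {
	legit, replay, phish, err := Demo()
	fmt.Println("genuine login:", legit, "| replay accepted:", replay, "| look-alike signed:", phish, "| err:", err)
}
```

Running it shows the genuine login succeeding, the identical assertion failing on replay because its challenge was consumed, and the look-alike origin getting no signature at all because no credential was ever registered for it. That per-origin, per-challenge binding, rather than any secrecy of the traffic, is what gives passkeys their resistance to phishing and replay.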

Disadvantages

Now here comes the worst part about passkeys. While they are really convenient to use, and many popular operating systems and password managers have already implemented them, they are not easy to export, unlike TOTP secrets.

TOTP vs Passkeys

TOTP lets you export the secret key (the seed) and import it into another app very easily. With some tricks it is even possible to export your TOTP secrets from the Google Authenticator app, although that is not supported out of the box.
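As an added illustration of why TOTP moves between apps so easily (example code written for this post, not from Google Authenticator, Bitwarden or pass): everything a generator needs is the shared seed plus a few parameters, and the standard otpauth:// URI carries exactly that. The block implements RFC 4226/6238 with HMAC-SHA1, exports a credential as an otpauth URI and imports it back into a second, independent config that produces identical codes. The seed is the RFC 6238 reference secret `12345678901234567890` (8-digit codes, as in the RFC's test vectors); the issuer `Example` and account `alice` are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// OTPConfig is the complete state of a TOTP credential. Any app holding these
// fields produces identical codes, which is why TOTP is portable.
type OTPConfig struct {
	Issuer, Account string
	Secret          []byte // the shared seed: treat it like a password
	Digits, Period  int
}

// otpauth URIs carry the seed as unpadded base32.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation, then reduction to the requested number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Code implements RFC 6238: the counter is the number of whole periods since the Unix epoch.
func (c OTPConfig) Code(unix int64) string {
	return HOTP(c.Secret, uint64(unix/int64(c.Period)), c.Digits)
}

// ExportURI serialises the credential in the otpauth:// form that authenticator
// apps import, usually by scanning it as a QR code.
func (c OTPConfig) ExportURI() string {
	q := url.Values{}
	q.Set("secret", b32.EncodeToString(c.Secret))
	q.Set("issuer", c.Issuer)
	q.Set("algorithm", "SHA1")
	q.Set("digits", strconv.Itoa(c.Digits))
	q.Set("period", strconv.Itoa(c.Period))
	u := url.URL{Scheme: "otpauth", Host: "totp", Path: "/" + c.Issuer + ":" + c.Account, RawQuery: q.Encode()}
	return u.String()
}

// ImportURI is the other side of the exchange: parse the URI back into a
// config, applying the defaults (6 digits, 30 s) that most apps assume.
func ImportURI(s string) (OTPConfig, error) {
	u, err := url.Parse(s)
	if err != nil {
		return OTPConfig{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return OTPConfig{}, errors.New("not a TOTP otpauth URI")
	}
	q := u.Query()
	if alg := strings.ToUpper(q.Get("algorithm")); alg != "" && alg != "SHA1" {
		return OTPConfig{}, errors.New("this example only implements SHA1")
	}
	// Tolerate lower-case or padded secrets, which some exporters produce.
	secret, err := b32.DecodeString(strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")))
	if err != nil {
		return OTPConfig{}, fmt.Errorf("bad secret: %w", err)
	}
	c := OTPConfig{Issuer: q.Get("issuer"), Secret: secret, Digits: 6, Period: 30}
	label := strings.TrimPrefix(u.Path, "/")
	c.Account = label
	if i := strings.Index(label, ":"); i >= 0 { // label form "Issuer:account"
		c.Account = label[i+1:]
		if c.Issuer == "" {
			c.Issuer = label[:i]
		}
	}
	if v := q.Get("digits"); v != "" {
		if c.Digits, err = strconv.Atoi(v); err != nil {
			return OTPConfig{}, err
		}
	}
	if v := q.Get("period"); v != "" {
		if c.Period, err = strconv.Atoi(v); err != nil || c.Period <= 0 {
			return OTPConfig{}, errors.New("bad period")
		}
	}
	return c, nil
}

func main() {
	// Constructed example: the RFC 6238 reference secret with 8-digit codes.
	src := OTPConfig{Issuer: "Example", Account: "alice", Secret: []byte("12345678901234567890"), Digits: 8, Period: 30}
	uri := src.ExportURI()
	dst, err := ImportURI(uri)
	if err != nil {
		panic(err)
	}
	fmt.Println(uri)
	fmt.Println("original at t=59:", src.Code(59), "| imported at t=59:", dst.Code(59)) // both 94287082
}
```

The whole credential survives as one line of text, which is exactly the property the rest of this post misses in passkeys: it can live in a text file, a Git repository or a QR code, and any RFC 6238 implementation fed the same seed yields the same codes. The flip side is that the seed is a bearer secret, so an exported URI deserves the same protection as the password it accompanies.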

Sadly, the same is not possible with passkeys. While the convenience is excellent, if you are like me and like to test different applications and services, it is a must to be able to control your data as flexibly as a simple text file.

The walled garden

I have been using FLOSS password managers for several years now. I started out with KeePassXC and then later switched to my own self-hosted Bitwarden via Vaultwarden.

Importing and exporting all my required data was easy, including TOTP.

Some months ago, I started to set up some passkeys for common sites that also support them.

The integration was also pretty easy.

Though I am really happy with Vaultwarden, I really like and enjoy the concept of managing things through Git and some other third-party software. That is the reason why I started using https://passwordstore.org.

As I already use Git to manage all my org files, pass fits neatly into my workflow.

Once I exported my data out of Bitwarden, I realized that:

  1. There is no way to export the passkeys.
  2. There is no passkey implementation for pass.

Conclusion

While I really enjoy the concept and still use the passkey function to log in to certain websites, I’ll stick with TOTP, as its support and implementation are much more mature than passkeys.

If you are interested in reading more about this topic, I highly suggest the following post:

https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/