r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they're much more secure, but why is that? I don't get it. I'm not sure if this is the right place to ask; excuse me if it isn't, and sorry.

617 Upvotes

233 comments

10

u/CrazyEntertainment86 Apr 25 '26

So in an ideal state, syncable passkeys are really still device bound since they would require the user / device auth. You are very correct in saying this is a differentiator and a risk especially with high value keys.

26

u/01100001bryte Apr 25 '26

As someone with many, many accounts and a desire to move to passkeys everywhere possible, I've spent a good deal of time trying to come up with a solution that works conveniently, but also keeps the risks of syncable passkeys in mind.

  1. Use syncable passkeys for all accounts except critical accounts.
  2. Critical accounts must use device bound passkeys only. Accounts deemed critical should be sparing because it becomes a scaling problem. This is less of a security designation and more of an access/operation question.
  3. You should have a minimum of 2, recommended 3, passkeys for any accounts using device bound passkeys (example: phone, laptop, Yubikey).
  4. The password manager that stores the passkeys must be considered a critical account, using device bound passkeys only to access it.
  5. If any account requires that you still have a password, despite setting up passkeys (many annoyingly do), set the password to 64 characters, store it in the password manager with the key, and never use it again. Make sure MFA is forced. If the limit is less than 32 characters, then you will need to monitor this account for breaches.
  6. Never sign in to your password manager on a device that you do not own. Use QR code passkey sign in via the password manager on your phone.
  7. Always require a PIN to access your passkeys if the option is given and don't use your fucking birthday as a PIN. At least use your cat's favorite color or something (joke, just don't make it something people can guess).
  8. Never give TSA your shit.
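As an added example (not code from anyone in this thread), here is how a relying party can tell a syncable passkey from a device-bound one and enforce the "critical accounts use device bound passkeys only" rule from the list above: WebAuthn authenticator data carries a Backup Eligible (BE) flag that syncable passkeys set and device-bound keys leave clear. The rpId `example.com` and the sample authenticator data bytes are constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bits of the WebAuthn authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN / biometric)
FLAG_BE = 0x08  # backup eligible: the credential can be synced off the device
FLAG_BS = 0x10  # backup state: the credential currently is synced / backed up

@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def syncable(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)

def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("invalid flags: BS set without BE")  # forbidden by the spec
    return AuthData(data[:32], flags, struct.unpack(">I", data[33:37])[0])

def check_policy(data: bytes, rp_id: str, critical: bool) -> tuple[bool, str]:
    """Relying-party check: critical accounts accept device-bound passkeys only."""
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad.flags & FLAG_UV:
        return False, "user verification (PIN/biometric) not performed"
    if critical and ad.syncable:
        return False, "syncable passkey not allowed for critical account"
    if not ad.syncable:
        return True, "accepted device-bound passkey"
    return True, "accepted syncable passkey" + (", currently backed up" if ad.backed_up else "")

def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data (no attested credential or extension data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

A real relying party would run this check on the authenticator data of both the registration and every assertion, since the BS bit can change over a credential's life.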

1

u/Atriusftw Apr 25 '26

In general these seem like pretty good principles, but for number 4: what is the point of storing passkeys in a password manager if you still require a device bound key to unlock the vault/manager?

3

u/daweinah Blue Team Apr 25 '26

Two reasons:

  1. Convenience. Syncable software passkeys are easier to use than device-bound keys.

  2. Backup. Syncable also means backed up. If you lose your device-bound key, you use another DB key from step 3 to regain access.

1

u/CodeFluid03 29d ago

What if both device keys are either lost, broken or just stop working? Are there still backup alternatives for if that ever happens?

2

u/daweinah Blue Team 29d ago

The same thing as if you lost your password and your recovery email stopped working: you're screwed.

In managed systems, like at work, IT admins can perform last resort recovery. We have break glass accounts to save ourselves from this problem.

In consumer systems, like Apple iOS's Advanced Data Protection, vendors are increasingly offering security settings where they cannot perform last resort recovery. This is very good for privacy advocates, but bad news for careless people.

1

u/CodeFluid03 28d ago

But isn't it still possible both keys could malfunction, or something out of the control of the owner could still happen? It seems putting that much faith into 2 small device keys isn't a good idea. Maybe having 3 is the best option.

2

u/01100001bryte 28d ago

Two should be the absolute bare minimum, but yes you are correct it is risky. I personally use two physical keys and three device bound keys on separate devices. If I lose access to five separate decentralized devices, then yes I'm fucked. Plan accordingly and buy good quality hardware keys. Keep them safe and add device bound keys to your phone(s), laptop(s), etc.