Hacker News

akersten, yesterday at 4:54 AM (8 replies)

> Don't use passkeys

Better title.

Mom can't figure out what they are or how to use them. They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck (yeah yeah multiple devices and paths to auth and backup codes, none of that matters). It's one further step down the attested hardware software and eyeballs path. Passwords forever, shortcomings be damned.


Replies

Someone1234, yesterday at 5:18 AM

Unfortunately some vendors are now REQUIRING passkeys; specific example:

https://www.healthequity.com

> As of October 2025, passkey login has been fully rolled out and is now required for members with Health Savings Accounts (HSAs) and Reimbursement Accounts (RAs) who use the HealthEquity Mobile app and web experience.

https://help.healthequity.com/en/articles/11690915-passkey-f...

The FAQ is a little misleading by saying WHEN your account has a passkey this and that, but the reality is that after October they made them completely mandatory, no bypass, no exceptions. 100% coverage.

Oh, and by the way, passkeys have been broken on PC/Linux when using Firefox for months:

> There Was A Problem: We encountered an error contacting the login service. Please try again in a few minutes.

Neat. You have to use Chrome or Edge.... For months, after making it mandatory...

jesseendahl, yesterday at 7:16 AM

> They bind you to your device/iCloud/Gaia account so if it gets stolen/banned you're out of luck

This is the biggest myth/misconception I see repeated about passkeys all the time. It's a credential just like your password. If you forget it, you go through a reset flow where a link is sent to your email and you just set up a new one.

And if it happens to be your Gmail account that you're locked out of, you need to go through the same Google Account Recovery flow regardless of whether you're using a password or a passkey.

reddalo, yesterday at 9:31 AM

I'm also completely against passkeys. A safe password and a good password manager are way better, they don't lock you into any platform.

It's super sad to see all kinds of websites offering you to add a passkey when you log in.

mgrandl, yesterday at 6:23 AM

I love passkeys in my self-hosted Vaultwarden, but I agree the UX for older people is not quite there.

utopiah, yesterday at 6:40 AM

> They bind you to your device

Isn't that why good practice is to bind at least 2 hardware passkeys and/or have recovery codes?

Sure, someone can steal your phone/laptop/YubiKey Bio, but then you can use the Nitrokey you have at home in your drawer to recover your account.

pabs3, yesterday at 5:19 AM

KeePassXC has exportable passkeys, so you can avoid the stolen case at least.

afiori, yesterday at 6:30 AM

Also, a password could be the passkey; the passkey protocol is basically a way to send an authenticated public key to a server. The client could deterministically convert passwords to key pairs and authenticate with those.
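The deterministic password-to-key-pair idea in this comment, worked through as an added example (not code from the original post): the client derives an Ed25519 key from the password, the server stores only the public key and checks a signed challenge, and the last function shows the caveat that the stored public key then becomes an offline-guessable password verifier. The `deriveSeed` construction, the rpID/user-handle mixing and the sample inputs are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)
// deriveSeed maps password+rpID+user handle to an Ed25519 seed. Assumption: iterated SHA-256 stands in for Argon2id (stdlib-only).
func deriveSeed(password, rpID, userHandle string) []byte {
	seed := sha256.Sum256([]byte("pw-passkey-v1\x00" + rpID + "\x00" + userHandle + "\x00" + password))
	for i := 0; i < 4096; i++ { // cheap key stretching
		seed = sha256.Sum256(seed[:])
	}
	return seed[:]
}

// PublicKeyFor is the registration step: the server stores only this key, never the password.
func PublicKeyFor(password, rpID, userHandle string) ed25519.PublicKey {
	return ed25519.NewKeyFromSeed(deriveSeed(password, rpID, userHandle)).Public().(ed25519.PublicKey)
}

// NewChallenge is the server side of a login: a fresh random nonce per attempt stops replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; fails only on a broken system
	return c
}

// SignChallenge is the client's assertion: a signature over rpID || challenge.
func SignChallenge(password, rpID, userHandle string, challenge []byte) []byte {
	priv := ed25519.NewKeyFromSeed(deriveSeed(password, rpID, userHandle))
	return ed25519.Sign(priv, append([]byte(rpID+"\x00"), challenge...))
}

// VerifyAssertion is the server check against the stored public key.
func VerifyAssertion(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(rpID+"\x00"), challenge...), sig)
}

// IsOfflineGuessable shows the cost: unlike a random passkey, the stored public key is a
// password-equivalent verifier, so whoever holds it can test password candidates offline.
func IsOfflineGuessable(pub ed25519.PublicKey, rpID, userHandle string, candidates []string) bool {
	for _, c := range candidates {
		if PublicKeyFor(c, rpID, userHandle).Equal(pub) {
			return true
		}
	}
	return false
}
```

A real client would also need per-site salting and a slow KDF to make the last point cost anything, which is exactly the property a randomly generated passkey gets for free.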

lxgr, yesterday at 10:25 AM

> They bind you to your device/iCloud/Gaia account

Then don't use Apple's/Google's/whatever Gaia is as your passkey provider?

> Mom can't figure out what they are or how to use them.

Then do something nice for your mom and set her up with Bitwarden, 1Password or KeePassXC, which prevents the platform lock-in.

> It's one further step down the attested hardware software and eyeballs path.

None of the synchronized passkey implementations, which big tech has been pushing lately, support attestation, so this is just FUD.

YubiKeys do, but fortunately they don't seem to have the (non-enterprise) weight to make it mandatory for all passkeys.