Passkeys seem like a great idea, and we are at a point where, although things are still very much in flux, software passkeys managed by password managers are starting to be usable. I thought I’d share the workflow that’s working for me on Linux with some sites, and ask the community for more tips & tricks.
A passkey is a client certificate - which is an old idea, but now there are some new standards in place*. When you log into a website, instead of sending a password you send a message signed using the private key on your hardware security device, or stored in your password manager. If you use a password manager the flow is about the same as with passwords: your password manager pops up and asks if you want to log in to the given website. But instead of sending a password to the browser, message signing takes place in the password manager. Unlike passwords those signed messages can’t be replayed. Arguably you can skip sending MFA codes and get about the same (or maybe better) security with passkeys than you were getting with passwords + MFA.
Complications come up because support for passkey APIs is still patchy. On Linux I think there is system-level support for hardware keys, but not for passkey managers (password managers that can do passkey signing). But you can close that gap using browser extensions! I’m using Enpass with it’s Firefox extension. Signing into websites in Firefox using passkeys works quite well in some of the sites I’ve tried. (I’ve also tested with Bitwarden’s browser extension, and it works just as well.**) Although creating passkeys doesn’t work on all of those sites.
- I was able to create a passkey on Github, and sign in with it.
- I was able to create a passkey for the demo at https://www.passkeys.io/, and sign in with it.
- I couldn’t create passkeys for Google, but I could log in with passkeys created on another device, and synced by Enpass to my Linux machine.
- I can use a passkey for MFA on Discord, but they don’t seem to be using them for logins yet.
- I’m not getting options to use my passkeys on Amazon or Paypal, but I was able to create passkeys for these sites on Android.
Without using a browser extension Chrome on Linux does have a feature to sign in with passkeys on mobile devices. I don’t think this works with third-party passskey managers. On some sites Chrome gave me the option to log in using the automatically-generated, Google-managed passkey on my phone. It didn’t actually worked for me - my phone showed a message saying “connecting to device” but never actually connected.
That brings me to the Android side. Since some sites will let me log in with passkeys but not create them it’s helpful to have another option for creating passkeys. Android is further along in implementing system level passkey support (only in Android 14 or later). But it’s not perfect yet. Firefox for Android is not working with passkey managers yet, but there is a ticket to track this. Third-party passkey managers work in Chrome for Android, but only if you enable an experimental flag:
- open
chrome://flags/
- find the setting “Android Credential Management for passkeys”
- set the value to “Enabled for Google Password Manager and 3rd party passkeys”
- “Passkey” seems to be an umbrella term for WebAuthn or FIDO U2F. It looks like WebAuthn is a part of FIDO2.
** From a cursory look at the two I feel more comfortable with Enpass’ browser extension than with Bitwarden’s. I’m not positive, but it looks like Bitwarden loads credentials in the extension itself which puts all of your secrets in the browser process. OTOH the Enpass extension uses IPC to send requests to the Enpass desktop app. But as many will point out, Bitwarden’s clients are open-source and audited while Enpass’ software is closed-source.
Nice! I may take a look. I’ve been happy with Enpass except that I recently switched to a window manager that doesn’t implement xwayland, and Enpass is one of only two apps that I haven’t gotten working in native wayland mode, or found a substitute for. So I’ve been running Enpass in a rootful xwayland window running a nested i3 session. The IPC connection to the browser extension still works so it’s not too bad, but I’m a little tempted to try alternatives.