Help me figure out if I can use passkeys

I’m old (pushing 72) and not really all that tech-savvy, so please, bear with me.

I’ve read a bit about passkeys on the web, and I kinda understand how they work and why they might be a good thing; however, I have trust issues with new tech, and my current situation presents some unique challenges.

My wife doesn’t do internet. At all. She has an iPhone and an iPad that she uses primarily for conversations and/or entertainment. She doesn’t understand anything about the devices she’s using beyond how to turn them on. She doesn’t do email, voicemail, refuses even to open the text app let alone send/receive texts; she struggles to find numbers stored on her phone when she wants to make a call, struggles to then make calls, struggles to answer calls, can’t deal with swipe up, down, sideways, in short, she’s not just a neophyte, she resists any effort to be taught or learn because she simply doesn’t understand and gets immediately frustrated beyond reason. And, just to top it all off, she’s having significant short-term memory issues. Our doctor (at least as of about three months ago) says she’s not presenting any symptoms of, and therefore is not going to issue a diagnosis of either dementia or other disease. For now.

The result of this is that I have to become her when dealing with any of her online accounts, such as banking, doctors, prescriptions, SSA, emails, etc. That means I have to use separate email addresses, usernames, and passwords for each of us. I’m currently using Lastpass to help me keep all that sorted out, but as you might imagine, it gets complicated at times - it’s not unmanageable - I’ve been doing this for the last year and a half since I retired.

I can see where creating a passkey on my phone would simplify my life for all of my shit, but how do I then create a different passkey on my phone to use on her accounts? It’s not practical for me to have my wife’s face nearby so I can switch back and forth when necessary. Right now, I can log into her medical records or her SSA account, do what I need to there, then log out and log right back into my medical records or SSA account and do what I need to do.

So, considering all of the above, am I pretty much relegated to sticking to my present system of usernames and passwords, or is there a practical workaround? If I set up a passkey on my phone and start using that for the sites where I pay bills, can I keep using a username/password for her stuff, like Social Security? Is that possible? Or is it, as I fear, an all-or-nothing proposition…

Lucy

Is there anything stopping you doing all your wife’s stuff on a PC? Download a browser, (say Vivaldi) that you don’t currently use, and then never use that browser for anything other than “wife stuff”, you can then agree to store all passwords.

I don’t think that passkeys are a solution to your problem.
They are tied to a particular device, so you would need to create a passkey for each app that she uses - on your device.

A better solution would be to just record all her logins and passwords in your password database, and just login that way. Note that you will likely have to approve your device the first time you do this.

As for her difficulty - just have iOS remember her logins, and then she won’t ever have to look up the password. It will be autofilled as long as she authenticates with faceID or fingerprint.

Actually, I do almost everything on this here Mac mini. I have two browsers on here, I use Chrome exclusively - never occurred to me to dedicate Safari to exclusive use for her shit. I will have to ponder how that’ll interact with Lastpass … Lastpass is a little wonky as it is.

Lucy

I think what you want to do will work, because I do an equivalent thing when I have multiple accounts at the same place, for example personal and business Amazon, or me and my kid frequent flyer, etc.

I use Bitwarden, not Lastpass or any of the browser or OS based password managers or passkey managers. For me, say I go to Amazon and click login, I am then asked which of my several Amazon accounts I want to use. That works for both password based and passkey based logins.

There is some magic to allow passkeys to work across devices, but I haven’t explored that because Bitwarden handles it for me. Lastpass, Apple, or Google may also manage it.

Your wife’s passkey doesn’t have to be tied to her face, it can be tied to yours. Passkeys should work fine if the idea is to have a passkey tied to her account on your devices.

If the idea is to let her use passkey on her phone (though it sounds like she would never use this), and you also use her passkey on your phone, then that might not work.

I’m not sure I understand this, so let me restate it and see if I’m close …

I can set up one passkey using my face and device for all of my accounts, then set up a separate passkey for my wife’s stuff using my face and device and then when I try to log in the website will ask me which passkey I want to use? How does the website know which account I’m trying to access?

Setting up a passkey for her device isn’t even an option - tried to get her to use fingerprint and she consistently managed to screw it up. Setting up face ID was even worse. (If you facetime her, she answers, sets the phone down and you end up looking at the ceiling, or she waves it around like she’s swatting flies. Drives our daughter nuts. Yes, she does.)

Lucy

It strikes me that the “two browser” solution is ideal. You can use, say Bitwarden in Safari, and, say Lastpass in Chrome.

Two independent browsers, two independent password managers.

I personally use LastPass everywhere, but I am only one person.

Back when my late wife was alive & well we used a single LastPass instance for both of us for years. Which instance was synced between all our 6 devices (2 each PC, tablet, and phone). We had no secrets from one another, so had no concern about one person having access to the other’s online whatevers.

This arrangement made the transition as she declined from fully functional to semi-functional to utterly disinterested to eventually dead very easy for me administratively.

The OP seems to have a wife stuck at about the “utterly disinterested” stage. Which is a fine way for her to be, albeit at some inconvenience to the OP.

I have since migrated from LastPass to BitWarden for technological reasons. But the same shared arrangement is available with either.


Which is a long-winded way to say that I’m not understanding why / how the OP is dissatisfied with their current arrangement and how they would expect any other arrangement to be better. You’re always going to be stuck with two userIDs & two passwords for those apps/sites that have to remain individual. And you’ll have to select one of the two each time you access e.g. the bank. Whether that’s by choosing which browser to activate, or picking between the his and hers accounts from a drop-down you’re still stuck choosing.

I do something like the two-browser solution, but with one browser. Chrome allows you to create a profile. On my personal laptop, I have three Chrome instances running:

  1. My personal stuff
  2. My main work stuff
  3. My deceased Mom, which now serves as an estate/family resource.

Chrome acts as my password manager for all three, with appropriate separation. I keep my Mom’s stuff open to monitor e-mail and text messages, since they are used for password resets and notifications. My Dad’s finances are managed through her profile too - Dad has memory issues and can’t be trusted with access. Other random things, such as Dad’s insurance and pharmacy stuff, are done there too.

It’s not that I am ‘dissatisfied’ per se, I’m attempting to figure out how to be proactive for once and figure out a way to migrate from username/passwords to passkeys, which appears to be the up and coming thing. I’m usually more than just a couple of years behind on tech, and I hate getting into a position where I’m trying to catch up to where everybody else was two or three years ago and still be behind the times, as it were.

The system I use right now is working for me, and will probably continue to work for some time to come. However, I’d really like to avoid getting into a situation where I can’t access the web without passkey and I’m two years behind on understanding the tech.

See, this is what I’m talking about. I was unaware that Chrome allows this. I’m going to have to spend some time today learning about this to see if it might be an improvement over my current usage.

But it still doesn’t address what I perceive to be a shift from the present username/password to passkey in the future. I simply don’t yet understand passkeys well enough to make a transition now, and I’d like to get a firm grip on this before everyone starts asking me why I’m still using seriously outdated unsecure passwords that everybody else stopped using two years ago.

I have grandchildren and one great-grand child who are farther ahead on this shit than I am.

Lucy

Thank you. All makes sense. I too am clueless on passkey, but probably should not be.

I’m gonna shut up and learn from the others now.

I think this might be what is tripping you up. You use a different passkey for each account.

Passkeys have to be saved in some sort of password manager, be it third party (Lastpass, Bitwarden), the one built into your browser, or one built into your OS. Accessing the passkeys requires authenticating to the password manager with biometrics or a password.

So I go to a website, say Amazon, and Amazon asks what account I want to log in to. I put in the username for my personal account, and select the “passkey” login option. A passkey request is transferred from Amazon, to my browser, to my password manager. The password manager pops up, and asks for authentication. Once I authenticate it asks if I want to send my personal or business Amazon passkey to Amazon. I select the personal one, some math happens, and Amazon logs me in.

As it has always been,
so shall it always be.

The major websites where security is extremely important are the financial ones: banks, credit cards, brokerages, Social Security… My impression is that the universal security method is the user name/password combination; that a significant number require 2FA with sms and a mobile phone–and that other security methods such as passkeys have very little usage. And instead of universal systems there are Apple, Google, Microsoft and multiple other systems. So I think it will be a long time before a major shift.

For my banking and my wife’s, I use Chrome and MS Edge. I have each remember one of the logins (bank card number). I do NOT store the passwords. I don’t know how secure stored passwords are, but for financial information I type the password every time.

I won’t use face recognition on my phone, and I try not to tell assorted apps my phone number if I can get away with it. (Unfortunately, getting harder to do).

The less things tying information together out there, the better.

How long is your password?

Also email. Email can often be used to reset the password on any other website, so it must be treated as being as sensitive as the most sensitive thing it is a gateway to.

The most important thing is to use different passwords for your different accounts. A password manager, writing them down, or using a mental algorithm all are far superior to just using the same password everywhere.

Do mobile devices support having multiple browser profiles? That’s standard on desktops, but I’ve never looked into it on a phone. That might be a little simpler than two completely separate browsers.

They’re very secure in the sense of no malware being able to break into the browser and extract them in plain text so they’d be usable by somebody else elsewhere.

OTOH, they’re very insecure in the sense that if somebody gets physical possession of your unlocked device, the first time they hit the bank’s website the browser will helpfully fill in the password with no further authentication.

OTGH, a password easy enough for you to remember and short enough for you to type accurately is inherently insecure against various brute force attacks.

So which threat are you most worried about encountering and most inclined to mitigate?


This is the key issue for each of us, not just “you” specifically. Some solutions are objectively awful (“I use ‘P@ssw0rd!’ on every site and app”), but once you get into realistically decent solutions, they each have drawbacks.

The basic question has been answered (i.e., you should use different browsers or browser profiles or phone user accounts to separate your and your wife’s concerns).

To address the secondary questions about passkeys vs passwords:

  • A passkey lets users and websites (or apps) authenticate each other. The user knows that it’s the real website asking for the passkey, not a phisher, and the website also knows it’s the real user’s device (…in theory… see more below). With a password, neither is true, since 1) phishing websites can ask for your password and 2) malware or hackers can steal your password and use it to login as you.

  • Contrary to popular belief (and official passkey marketing docs), a passkey does not actually have to be tied to a particular hardware device like a phone or a laptop. They CAN be, but don’t HAVE to be.

  • Passkeys are more secure and less convenient when they are tied to a specific hardware device. But you can actually generate & sync passkeys to cloud password managers like Bitwarden or 1password instead; these synced passwords, conversely, are more convenient and less secure. This form of synced passkey is more user-friendly (since you can re-use the same passkey across all your devices), but less secure (since it’s no longer tied to a specific hardware device, but to your password manager login, which is usually a username + password + secret random characters you write down somewhere). Thus, as with all this sort of stuff, it becomes a tradeoff between convenience and security depending on which particular kind of passkey you choose.

  • Passkeys don’t automatically solve the problem of “my wife and I both use the same computer”. That is where profiles come in, and that can be done via different browsers, Chrome profiles on the same browser, different operating system user accounts (like in Windows or on your phone), etc.

  • Passkeys also don’t solve the problem of “I sometimes need to login as my wife on her behalf”. That can also be solved via profiles.

  • Those issues are adjacent to passkeys, but not really the same thing. You can use profiles with or without passkeys, and I’d argue they are generally simpler and easier to manage without passkeys — not for any inherent cryptographic reason related to security, but just because the user interfaces around passkeys are, at this point, still immature and not the easiest to use and reason about, especially when you’re juggling multiple passkeys for the same website in the same browser. It’s not always clear which one you choose, whereas with a username & password, you can clearly see whether it’s trying to log you in as “myself@email.com” or “wifey@email.com”. This will eventually get better as passkeys become more common and the user experience around them gets better, but for now… IMHO… it’s a total clusterfuck and they look totally different between Windows, Chrome, Firefox, iOS, Android, 1password, Bitwarden, and every permutation therein.

  • Password managers, like Bitwarden or 1password, often have their own system of “profiles” or “accounts”, which are typically more secure but a little less convenient than just using different Chrome profiles and Chrome’s own password syncing. These profiles can store both passwords and passkeys, but again, it’s more a matter of keeping separate profiles for you and your wife’s logins, rather than a question of passkeys vs passwords.


Suggestion: Don’t use Lastpass. It is the most insecure of all the password managers, having been subject to multiple, repeated security lapses.

Either switch to Chrome’s own password syncing, or use Bitwarden (which is open source and can be free as in dollars), or 1password (an excellent paid proprietary service that requires a subscription). With any solution, make a separate profile or account for your logins vs your wife’s.

Don’t worry about passkeys for now. They are not a hard requirement, yet, in most places, and would only add minimal security and additional mental complexity. They don’t really help with your particular dilemma. Just use strong passwords and save them in Chrome or your password manager, in separate profiles.

It’s the profiles, not passkeys, that let you easily separate logins by person.
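
An added illustration, not part of any post in this thread: a simplified Node.js model of the “some math happens” step and of the point that a passkey is scoped to one site and one account. The `Vault` and `Site` classes, `bank.example`, and the two e-mail addresses are constructed for the example, and the signed message is a simplification of what real WebAuthn signs.

```javascript
// Simplified model of a passkey login (constructed names; not real WebAuthn).
const { generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

// Password-manager side: one key pair per (site, account).
class Vault {
  constructor() { this.items = []; }
  register(rpId, username) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.items.push({ rpId, username, privateKey });
    return publicKey; // only the public half goes to the website
  }
  // Accounts offered in the picker for the site the browser is really on.
  choices(origin) {
    return this.items.filter(i => i.rpId === origin).map(i => i.username);
  }
  // Sign the site's challenge together with the origin the browser reports.
  respond(origin, username, challenge) {
    const item = this.items.find(i => i.rpId === origin && i.username === username);
    if (!item) return null; // no passkey for this site, so nothing is handed over
    const signed = Buffer.concat([Buffer.from(origin), challenge]);
    return { origin, username, signature: sign('sha256', signed, item.privateKey) };
  }
}

// Website side: holds public keys only and checks the signature over its own challenge.
class Site {
  constructor(rpId) { this.rpId = rpId; this.keys = new Map(); }
  enroll(username, publicKey) { this.keys.set(username, publicKey); }
  newChallenge() { return randomBytes(32); }
  login(response, challenge) {
    if (!response || response.origin !== this.rpId) return null;
    const key = this.keys.get(response.username);
    if (!key) return null;
    const signed = Buffer.concat([Buffer.from(this.rpId), challenge]);
    return verify('sha256', signed, key, response.signature) ? response.username : null;
  }
}

function demo() {
  const vault = new Vault(), bank = new Site('bank.example');
  for (const u of ['me@example.com', 'wife@example.com']) bank.enroll(u, vault.register(bank.rpId, u));
  const c = bank.newChallenge();
  return {
    offered: vault.choices('bank.example'),           // both accounts appear in the picker
    asWife: bank.login(vault.respond('bank.example', 'wife@example.com', c), c),
    phish: vault.respond('bank-login.example', 'wife@example.com', c), // look-alike site
    replay: bank.login(vault.respond('bank.example', 'me@example.com', c), bank.newChallenge()),
  };
}
```

One vault unlocked by one person holds a separate key for each account, the look-alike domain gets no response at all, and a signature made for one challenge is rejected for the next.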