The Passkey & OTP Nightmare: How "Security" Became User-Hostile
Look, I get it. We're all supposed to be excited about passkeys and "passwordless authentication" because some tech companies decided passwords are too hard for us mere mortals to handle. But here's the thing nobody wants to admit: the current implementation of passkeys and mandatory OTPs is a disaster that's making the internet worse, not better.
## The Problem: Nobody Asked for This
You know what's happening right now? You're trying to log into Amazon, Lowe's, eBay, or your bank, and suddenly you're getting bombarded with:
* Unsolicited passkey setup prompts from Windows 11, Bitwarden, or your browser - often right from the orders screen without any warning
* Mandatory OTP codes sent via SMS or email, even when you have a perfectly good secure password
* Hidden password login options buried under "Other sign-in methods" or similar nonsense
And the worst part? You can't turn it off. Amazon made passkeys the default sign-in option for mobile users in October 2024, and many sites don't let you disable OTP prompts at all.
## "But Aren't Passkeys More Secure?"
Yes. Technically, passkeys are more secure than passwords:
* **Phishing-resistant**: The browser will only offer a passkey to the site (relying party ID) it was registered for, and the signed response includes the origin the browser actually saw. You can't hand your credential to evil.amazon-login.com by mistake, because a response produced there would not verify on the real site.
* **Unguessable**: A per-site asymmetric key pair (typically ECDSA P-256) generated by your authenticator, vs. a human-memorable password
* **Breach-resistant**: The server stores only your public key. If its database is dumped, there is nothing to crack offline and nothing to replay; the private key never left your device or password manager.
* **Better than TOTP**: A 6-digit code can be relayed to the real site by a proxying phishing page inside its 30-second window. A passkey assertion is signed over the server's one-time challenge and the origin, so there is nothing to relay.
If you're currently using weak passwords, password reuse, or no 2FA, passkeys are a massive upgrade.
But here's what the tech industry won't tell you: **If you're already using a password manager with unique passwords and TOTP 2FA, passkeys offer marginal real-world security gains** at the cost of breaking shared account workflows. The gain that remains is resistance to real-time relay phishing, which TOTP does not give you.
For me, using Bitwarden:
* Password login: Click → passcode unlock → done
* Passkey login: Click → passcode unlock → done
* **They're functionally identical in daily use**
The only difference? Passkeys skip the occasional "now grab your phone for a TOTP code" step. That's nice, but it's not worth forcing on everyone and breaking shared household accounts.
## Why I Don't Use Biometrics (Except When I Do)
I use Bitwarden with a passcode, not Face ID or fingerprint. Why? Because a determined attacker can shove a phone in your face or force your finger onto a sensor. They can't force you to remember a passcode you claim to have "forgotten."
Full disclosure: My iPhone itself unlocks with Face ID. I turned it on one day to try it and... never turned it off. So apparently my threat model is "I'll think carefully about password manager security but also I'm lazy about unlocking my phone."
**This is exactly my point.** Security isn't about perfect consistency—it's about making informed choices based on what matters to you, even if those choices are sometimes contradictory or convenience-driven. Some days I care deeply about the theoretical $5 wrench attack. Other days I just want my phone to unlock when I look at it.
The tech industry wants to make these choices _for_ you:
* "Just use Face ID!" (Okay, I did for my phone)
* "Just use Face ID for your password manager too!" (No, I thought about that one)
* "Just install Bitwarden on all your devices!" (I did, my wife didn't want to)
* "Just adopt passkeys everywhere!" (What if I have shared accounts?)
My wife uses her iPhone's built-in password manager with a passcode—no Face ID, no Bitwarden. She didn't want to upgrade from her iPhone 8 Plus until iOS updates broke compatibility with too many apps. She definitely doesn't want to learn a new password manager just to order from Amazon.
**Security is messy. People are inconsistent. Households are complicated.**
## Why This Is Broken: The Real-World Use Cases Nobody Considered
### Shared Household Accounts
Here's a scenario the Silicon Valley geniuses apparently never thought about: families share accounts.
When my wife needs to order something from Amazon or check a Lowe's order, she shouldn't need:
* Access to MY Bitwarden vault
* MY phone to approve an MFA prompt
* To wait for an OTP code sent to MY email
But that's exactly what happens when you enable a passkey on a shared account. The site stops offering easy password login, and suddenly a simple purchase becomes a support ticket to me. Sites can register multiple passkeys, but most bury this option or make it unnecessarily complicated.
The real kicker? Even if you use a cross-platform password manager like Bitwarden that technically solves the sync problem, your spouse still needs to:
* Install and set up Bitwarden on their device
* Navigate an unfamiliar interface
* Find the right login among hundreds of entries (especially if naming doesn't match exactly)
* Keep the vault unlocked when they need it
Most people just want to use their phone's built-in password manager and get on with their day. They don't want to learn a new system just to order lightbulbs.
### The Platform Lock-In Problem
Let's talk about what passkeys actually are versus what they're supposed to be.
**The Promise:** Open standard (FIDO2/WebAuthn) that works everywhere
**The Reality:**
* Apple keeps passkeys in iCloud Keychain by default - they sync across your Apple devices, but on a Windows or Android machine you're limited to the cross-device flow: scan a QR code and hold your iPhone nearby, every time
* Google keeps them in Google Password Manager - expanded cross-platform support in early 2025, but only through Chrome
* Microsoft keeps them in Windows Hello by default - device-bound unless you use their password manager
So if you create a passkey on your iPhone, it lives on that iPhone. You can use it on your Windows gaming PC or Android work phone only through the QR-code dance with the phone in hand, and you can't move it there at all unless you stay inside the same ecosystem. This is vendor lock-in disguised as security.
Yes, third-party password managers solve this problem—Bitwarden, 1Password, Dashlane, NordPass, Keeper, and LastPass all offer platform-agnostic passkey support. But that only helps if everyone in your household is willing to use the same tool. For shared accounts where one person uses iOS Passwords and another uses Bitwarden, you're back to square one.
### The OTP Regression
Here's the real kicker: remember when the security industry pushed authenticator apps (TOTP) as the secure alternative to SMS?
Well, now sites are defaulting to SMS/email OTP instead of passwords, which is:
* **Less secure than authenticator apps** - vulnerable to SIM swapping (which surged over 1,000% in 2024), SS7 protocol exploits, phishing
* **Slower than password autofill**
* **Breaks shared accounts** - OTP goes to one person's phone/email
* **Can't be disabled on many sites**
The security industry regressed to make things "easier," and we're all dealing with the consequences.
## The "Solutions" All Suck
### Option 1: Use a Cross-Platform Password Manager (The Least Terrible Option - If Everyone's On Board)
Several password managers now handle passkeys correctly with platform-agnostic sync:
* **Bitwarden** (what I use)
* **1Password**
* **Dashlane**
* **NordPass**
* **Keeper**
* **LastPass** (added support in August 2025)
All of these sync across devices (Windows, Mac, iPhone, Android), work across different browsers, and avoid vendor lock-in.
**I use Bitwarden specifically because:**
* It's open-source
* Syncs across all my devices
* Handles SSH keys (huge plus for dev work)
* No vendor lock-in
But here's the reality: Even when it works perfectly, there's still friction.
**When the entry name matches:** It's actually pretty quick - passcode unlock (or biometric unlock if you use that), autofill, done.
**When the entry name doesn't match:** Now you're digging through hundreds of logins trying to find the right one. Did I save it as "Amazon" or "Amazon.com" or "Amazon - Shopping"? Is it under "L" for Lowe's or "H" for Home Improvement?
Either way, it's still an extra step compared to iOS Passwords just going "oh, you unlocked the phone, here's your password." Most people hate getting saddled with extra clicks, and that's exactly what cross-platform password managers require - even the good ones like Bitwarden.
For someone who just wants to quickly check an order status? That friction adds up fast. Sure, they could install Bitwarden (or 1Password, or Dashlane), set up passcode unlock, and hope the entry names match. But that's objectively more steps than their phone's built-in password manager just handling it automatically.
You still need to disable Windows/Apple/Google passkey prompts to prevent competing systems from intercepting passkey creation. Plus, Bitwarden's excluded domains feature only works when your vault is unlocked - which is yet another thing to remember.
**The tech industry's push for passkeys assumes everyone:**
* Wants to use the same password manager
* Is willing to install and learn new software
* Has the same threat model and security preferences
* Doesn't share accounts with family
That's not reality.
### Option 2: Disable All the Prompts (Good Luck)
**For Windows 11:**
* Settings → Accounts → Passkeys → Advanced options
* Turn off "Allow apps to use passkeys"
**For Bitwarden:**
* Settings → Excluded Domains → Add problematic sites
* (Only works when vault is unlocked)
**For websites:**
* There is no option. You're out of luck.
### Option 3: Just Use Passwords (The Actual Solution)
For shared household accounts, secure passwords still work better than passkeys or OTPs:
* Everyone knows the password
* Works with any password manager (or none at all)
* No app required
* No waiting for codes
* No navigating unfamiliar interfaces
The tech industry's push for passkeys ignores that families share accounts, and there's no good solution for this use case yet.
## The Security Theater
Let's be clear about what's happening here:
**SMS OTP is the weakest second factor in common use (NIST SP 800-63B classifies PSTN-delivered OTP as a "restricted" authenticator):**
* SIM swapping attacks (surged 1,000%+ in 2024)
* SS7 protocol exploits
* Interception by malware on the phone, or of email codes by anyone who can read the inbox
* Phishing attacks - the code is typed into the fake page and relayed within its validity window
Yet it's now the default on most consumer sites, replacing the actually secure authenticator apps that the industry spent years promoting.
Why? Because it's:
* Easier for companies to implement
* Collects verified phone numbers for marketing
* Follows the "passwordless" buzzword trend
**This isn't about security. It's about convenience for companies at the expense of users.**
The security benefits from passkeys don't justify:
* Removing user choice
* Breaking shared account workflows
* Forcing specific password managers
* Hiding password login behind extra clicks
When Amazon or eBay forces passkey prompts on me, they're not improving my security—I already have strong, unique passwords and TOTP where needed. They're just making it harder for my wife to check an order status without texting me for a login.
## What Should Actually Happen
Here's what a sane passkey/authentication system would look like:
1. **Opt-in, not opt-out** - Stop forcing passkeys and OTPs on users who don't want them
2. **Easy password login** - Don't hide the password option under three layers of UI
3. **Platform-agnostic by default** - Passkeys should work across ecosystems without vendor lock-in
4. **Shared account support** - Allow multiple passkeys per account, or just let families use passwords
5. **Respect user choice** - If someone wants to use their phone's built-in password manager instead of a third-party app, let them
6. **Disable options** - Let users turn off OTP/passkey prompts entirely
But we're not getting any of this because the tech industry is more interested in pushing their preferred authentication method than actually solving user problems.
## The Bottom Line
Passkeys and mandatory OTPs are solving a problem that doesn't exist for most users:
* Strong, secure passwords + password managers work fine
* Authenticator apps (TOTP) are more secure than SMS/email OTP
* Shared household accounts are incompatible with device-bound authentication
* Forcing everyone to use the same password manager creates unnecessary friction
The current implementation is worse security (hello, SMS OTP everywhere) and worse usability than what we had before. It's security theater that benefits Big Tech's platform lock-in strategies while making the internet more annoying for everyone else.
**My advice?**
* Use a cross-platform password manager (Bitwarden, 1Password, Dashlane, etc.) for passkeys if you're tech-savvy and can get your household on board
* Disable OS-level passkey managers to prevent competing prompts
* Keep using secure passwords for shared accounts - they still work better
* Look for the hidden "Use password instead" option
* Complain loudly to companies that force this on you
Because until enough people push back, we're stuck with authentication systems designed by people who apparently don't understand how real humans actually use technology.
Got your own passkey/OTP horror stories? Reach out to me on Mastodon @[email protected]