{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidlojzwd4h5udngqdcwavwumu2f6ti7fohduteeekv2swmpibthyu",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mlk2y4ysiv62"
},
"path": "/t/threat-models-for-storing-passwords-totp-and-passkeys-in-a-single-password-manager/37761#post_6",
"publishedAt": "2026-05-10T23:11:59.000Z",
"site": "https://discuss.privacyguides.net",
"tags": [
"secure element"
],
"textContent": "SomeRandomPrivacyUser:\n\n> That’s if I store the passkeys on devices separate from my iPhone (like a YubiKey) but if my passkeys are stored in Apple’s password manager on my phone then malware can get the secret, couldn’t it?\n\nPasskeys can be stored in a secure element so it should be well protected against malware. I believe Apple now defaults to storing passkeys in their password manager to provide better portability but you might still have the option to store it on hardware instead.\n\nSimilar to the advice I gave before, if you go this route be sure to have multiple devices with registered passkeys for all your important accounts, ideally one of which should be stored away from home.\n\nSomeRandomPrivacyUser:\n\n> I see, so I guess I confused temporary access with permanent access. Now I’m wondering if I should sacrifice the convenience of having all credentials in a single database or separate them (password on `.kdbx`, TOTP on Ente Auth on iPhone, and Passkeys on iPhone) for a feeling of increased security (I don’t know how likely it is for my computer to get compromised).\n\nStoring everything in 1 database means you don’t really have true 2nd factor forms of authentication, but whether you should make a change is entirely up to what you feel is necessary for your threat model.\n\nSomeRandomPrivacyUser:\n\n> I was thinking of getting a physical key but it seems like a pain to always keep in hand and making sure to have backup copies and so on.\n\nAssuming Apple still allows you to store passkeys on hardware, a YubiKey could just be your backup passkey device so simply having your phone would suffice. Backups are a pain but you can limit them to your most important accounts and just store less important account passkeys on KeePass.\n\nSomeRandomPrivacyUser:\n\n> Also, sadly my phone doesn’t have USB-C so I can’t even use it on both PC and phone.\n\nYubiKey also works with NFC so I think it should support both an iPhone and PC. I personally use an adapter as sometimes NFC is unreliable on my phone.",
"title": "Threat models for storing passwords, TOTP and passkeys in a single password manager?"
}