Passwordless logins are becoming more common. Moving from passwords and 2FA to a single passwordless login is more convenient, especially when managing multiple devices and accounts. That convenience comes with a trade-off: portability. If I create a passkey for my Gmail account on my Android device, that passkey often ends up tied to that device. I often still depend on that device or ecosystem to log in. Over time, something designed to simplify authentication starts adding more friction than passwords and 2FA.
I was already using Bitwarden to save all my logins, and I discovered that it also supports passkeys. I had already moved most of my daily workflow, such as photo backups, media streaming, and cloud storage, into self-hosted setups. That led me to self-host my own password manager, Vaultwarden, which can store passkeys. With Vaultwarden, I could keep the convenience of Bitwarden while taking full control of where my credentials are stored and how they sync.
Passkeys work — until you step outside the ecosystem
Locked in faster than you expect
Passkeys are often considered the future of authentication: no password, no phishing, just a seamless way to log into your accounts. They are seamless and convenient when used within the same ecosystem. That convenience starts to add more friction when you move to a new browser, OS, or device.
For example, I use an iPhone as my primary smartphone, and the passkeys are stored in the Apple iCloud Keychain. It syncs across all my Apple devices, such as my MacBook and iPad. When I have to log in to an account in a browser on my Debian server, I either need to have my Apple device nearby or scan the QR code. The same applies when using Firefox while the passkeys are saved in the Google ecosystem.
The extra steps, such as QR codes, Bluetooth requirements, and the device being nearby, break the expectation of a seamless login. Inside an ecosystem, passkeys are the most convenient way to authenticate; outside that ecosystem, they become an additional step.
The real issue isn’t security — it’s portability
Convenience comes with invisible limits
Security isn’t the concern here. Passkeys are considered one of the safest options for authentication, and methods such as 2FA, hardware keys, and passkeys are among the most secure options available. Which one to use is a matter of convenience and user preference. Passkeys are marketed as the most convenient way, but that convenience comes with a trade-off: portability.
Passkeys are often stored in secure environments such as iCloud Keychain, Windows Hello, and Google Password Manager. When you are in the same ecosystem as your passkeys, they become the most convenient way to authenticate yourself. But when you try to use that convenience on different devices outside the ecosystem, it becomes more of a friction point.
When you move to a new ecosystem permanently, it becomes very difficult to move your passkeys. There is no easy way to export and import the keys, nor does a universal sync layer exist. In simple terms, there is no concept of bringing your passkeys anywhere. This is why I needed something else that could solve this portability problem.
My setup: Vaultwarden + cross-device sync
One vault, every device, no lock-in
I needed something that was convenient, portable, and free from dependence on any one ecosystem. After some research, I realized that Bitwarden could address this and decided to move ahead with it for two reasons. First, I was already using Bitwarden as a password manager. Second, it natively supports passkeys.
Since I was already interested in self-hosting, I decided to make the transition more under my control by hosting Vaultwarden on my homelab server. Vaultwarden is a community-driven server and is fully compatible with the Bitwarden client.
I already had a NAS for storage, a homelab server for self-hosted services, and a VPS for my web apps. I chose to run it on my homelab Debian server since it’s limited to my own use. I installed Vaultwarden on my server via Docker Compose and, as with my other self-hosted services, made it accessible through my domain via Cloudflare Tunnel.
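A Compose layout for the kind of setup described above, as an added example and not the author's actual file. The hostname `vault.example.com`, the `./vw-data` path, the `vault` network name and the `TUNNEL_TOKEN` variable are placeholders, and the tunnel's public hostname is assumed to be routed to `http://vaultwarden:80` in the Cloudflare dashboard.

```yaml
# Added example: Vaultwarden behind a Cloudflare Tunnel with no host ports open.
# All names and values here are placeholders, not taken from the article.
services:
  vaultwarden:
    image: vaultwarden/server:latest    # pin a specific release tag in practice
    restart: unless-stopped
    environment:
      # Must match the public HTTPS URL exactly; Vaultwarden uses it for
      # WebAuthn and for the links it generates.
      DOMAIN: "https://vault.example.com"
      # Set to "false" once your own account exists, so nobody who finds
      # the hostname can register on your personal vault.
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ALLOWED: "false"
      SHOW_PASSWORD_HINT: "false"
      # ADMIN_TOKEN is left unset on purpose: the /admin panel stays disabled.
    volumes:
      - ./vw-data:/data                 # database, keys, attachments: back this up
    # No "ports:" section. The container is reachable only over the internal
    # compose network, so the host firewall has nothing extra to expose.
    networks: [vault]

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel --no-autoupdate run
    environment:
      TUNNEL_TOKEN: "${TUNNEL_TOKEN}"   # read from a local .env file, never committed
    depends_on: [vaultwarden]
    networks: [vault]

networks:
  vault: {}
```

Because the tunnel is the only path in, a copy of `./vw-data` kept off the server covers the data-loss case, while tunnel or server downtime still makes the vault unreachable for syncing.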
The setup was simple and available across all my devices via the Bitwarden client. Passkeys were now stored in my secure vault on my server. This setup is not tied to any operating system or browser. My devices just needed the Bitwarden client and access to the self-hosted server. For all the passkeys and passwords (which I imported from Bitwarden), I controlled the sync layer and was not dependent on Apple/Google ecosystems.
The vault became the ecosystem.
What this fixes (and what it doesn’t)
Freedom, with a few trade-offs
The setup was convenient and portable, but it added one more trade-off: responsibility. Since Vaultwarden was hosted on my local server, managing and maintaining it was up to me.
The uptime and security of the vault depended on how I configured my server’s firewall and Cloudflare. If either of them was down, it would directly affect the vault, and if my server failed, my data would be at risk. I was responsible for access control and exposure, such as user management, domains, and tunnels. Since Vaultwarden is a community-driven project, there is no official or enterprise support like there is with Bitwarden.
In my case, the benefits outweigh the trade-offs, and for a homelab user like me, it is manageable. I gained control when I took the responsibility of managing it.
Portability is the missing piece
Passkeys are often considered a convenient and secure way to authenticate. They solve the real problem of managing multiple passwords, reduce phishing risks, and simplify logins. But they don’t fully fix portability. When you are inside the ecosystem, passkeys are fast, secure, and effortless. As soon as you leave the ecosystem, they start to feel less seamless.
By hosting Vaultwarden on my local server, I kept the convenience of passkeys and removed the dependency on a single platform. Instead of relying on Apple or Google to sync my credentials, the self-hosted vault works across my devices. It takes a bit more effort to maintain, but I achieved passwordless logins with true portability.
