Passkeys were hot last year, don’t seem to be catching on, here’s one view of why that is. Dark and sobering but convincing: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
Linked: Passkeys: A Shattered Dream (Firstyear's blog)

@timbray I'll admit that I have a half dozen articles open in my browser tabs from the last 12 months, and I still don't grok what I'm supposed to do/expect as an end user through my cycle of new devices, new services, credential changes, etc....
@OldManToast @timbray yeah, I don't want to be screwed if I lose all my stuff, I'm not that organized.
@7leaguebootdisk @OldManToast @timbray I feel the same. Phones and other devices usually get lost, get locked or are out of battery in the worst moments possible. Losing access to accounts based on not properly synching or managing the backups or having to trust a third party seems insane.
@timbray I've had Google's Passkey work exactly twice on my Pixel 6 Pro. It took a chance finding of needing Android Chrome to be allowed to post notifications to get it to work after months of intermittent trying, and it finally did! Only to fail and never again work since then, several months ago.

@jxyzn @timbray Similar experience. Sony's PSN recently pushed passkey login, thought I'd bite the bullet after hearing about it, set it up, my Pro 6 instantly lost it (or never saved it) and it took me another two hours to get back into my PSN account (which by then had also disabled 2FA so I had to reset that as well).

Never again.

@timbray The “rollout” of these things has been disastrously bad. I have no idea how to really use them or why they’re better.

@alper @timbray

The only notion I had gotten from them is that they seem to lift the burden from the user; an easier on-ramp for ‘web services’ you think have no reason for a password or account anyway.

But you have to back that up with a FAQ: if the device or cloud does it for you, what happens when the device is lost or stolen, or ‘the cloud’ is unavailable?

@Chancerubbage @timbray For those throwaway services Apple fronted account creation is pretty great already.

@timbray I feel like passkeys are still working towards reaching critical mass with the tech crowd. This probably mirrors the fact that not all major services support them yet. I'm technical and that's why I haven't fully adopted them yet.

However, once that happens, those technical people will tell all their friends and family to start using them.

@soviut @timbray did you read the blog post?
@timbray You probably know how critical I've been of #Google's (and various other) passkey deployments.
@timbray
I can't honestly say that I fully understand how they're meant to work - but it does seem pretty clear to me that in order for them to work safely & provide the benefit they're alleged to provide, we would need to radically change our behavior, up to & including taking far, far more care with the physical security of our devices than we've to date shown any interest in being.
@timbray ah, I have looked at passkeys a couple of times and feared them because of lock-in, and this suggests that I'm not the only one thinking it!
@sil @timbray Lock in? Every OS supports them
@objc @timbray as far as I can tell, though, I can't move *between* OSes. If I set up my current phone as holding my passkeys, and then I change to a different phone (OS), I am just flat-out stuck; I cannot export my passkeys, or store them myself in some neutral format, or export them to a different device. I might be wrong on this, but every time I've asked I've got that answer, or no answer. If that's changed then I'll be happy to look again.

@sil @objc @timbray
And of course, this post gets no replies... (Well, now it has one reply but still no answers.)

@sil @objc @timbray
Typically, you can use a device with an existing passkey to add a passkey to another device.

Just yesterday I deleted a passkey from my Android device and then added a new passkey to it using a passkey from my MacBook.

I won't defend that it's a smooth experience. It could be clearer. And for some reason it only accepts one of my fingerprints for biometric authentication. 🤷🏼‍♀️

@saraislet @objc @timbray that's useful to know! I couldn't find any note on how to export a passkey from an iphone to elsewhere, but maybe I didn't look hard enough, or it's changed since I looked last.
@sil @saraislet @timbray You cannot export them, @saraislet is describing the process of creating *additional* passkeys for separate devices

@sil @timbray Your phone's OS should support moving the passkeys to a new phone when you "upgrade", as well as syncing across devices (iCloud). Going from iOS to Android, yeah, you'll need to make new passkeys.

Alternatively, websites can choose to allow you to set up multiple passkeys. This is ideal because you can set up a passkey for every device/OS you have.

@sil So you're saying I should stick to TOTP methods that I can back up and transfer easily?
@bhcompy I don’t think I’m expert enough in this area to give advice. I’m saying that I, personally, want an OTP method that I can back up and transfer easily, and I have that currently (OTP Auth for iOS, after a bit of looking around).
@sil @objc @timbray So store them in a platform-agnostic password manager like Bitwarden or 1Password. Problem solved.

@MikeBeas @sil @objc So if I'm using 1password and syncing between my laptop & phone, the same passkey can be used on both?

[Definitely getting the feeling that 1Password is the leader at making these things usable. Having said that, I have yet to convince any nontechnical person to use any password manager aside from the ones in the browsers.]

@timbray @sil @objc Yes, it works like anything else you sync via a password manager. Several password managers support them.

For non-technical users, storing them in the system keychain is fine. They’re end-to-end encrypted and synced via iCloud or the Google password manager, same as regular passwords. You can scan a QR code on other devices that aren’t able to sync them (Windows or whatever) and log in from your phone. It’s a pretty painless process.

@MikeBeas @sil @objc

> It’s a pretty painless process.

Um, the testimony in these threads and the original article suggest that is a minority viewpoint. There have been a couple people pipe up saying “just works for me” but many more saying “pool of pain”.

@timbray @sil @objc Anecdotal evidence in your mentions is not scientific proof. A great many people are using this stuff who aren’t coming on Mastodon looking for articles about how bad Passkeys are and then replying to them.

@MikeBeas @timbray @sil @objc Do most people “go looking for” posts on a topic on a platform that resisted basic search?

This isn’t a scientific discussion, nor did you back your assertion with the type of “scientific proof” you demand of others. Anecdotal evidence of difficulties *is* evidence a feature is less than intuitive, enough to indicate an observational study. I believe I have a contact at a psych department if you want to fund that.

@timbray I simply don’t really understand how they work to the point I’d be happy to use them. I’ve been in the IT industry 30+ years. How are the general public supposed to pick them up?
@timbray Oh my god, I did not know about the whole resident keys and 25-limit on YubiKeys. This is beyond horrible.
@timbray I was fully on board with them and set up passkeys for every site that I use that had them available, but my experience with them has been utter crap. For whatever reason, I still end up having to auth with regular creds and/or 2FA. Entirely could be user error on my part, but if so then they would be totally worthless for someone who is not at all tech savvy. Disappointing to say the least.
@c20d @timbray I don’t think it’s user error. I think it’s vendor error. There’s no standard for how it is implemented.
@timbray I’ve been reasonably happy with 1Password’s Passkey support.
@timbray I like the implementation on my Mac: logging in or confirming a transaction with the Apple Watch in macOS feels like magic.
@timbray Damn, we gotta come up with a solution for this. Passwords are a fucking mess.

@timbray like several others, the only thing that’s made my limited passkey use workable is @1password

I use multiple OS and browsers every day. Having my passkeys tied to a single device or OS was a non-starter. 1Password solved that for me, but I’m having a hard enough time convincing family and friends to use a password manager at all. Passkeys on top of that? I haven’t the energy to fight that good fight.

@atlassilent @timbray @1password
I use the option to use a passkey from a different device pretty regularly

@timbray was there any other outcome when the two options were

  • vendor lock-in, or
  • trying to parse the ravings of multiple scattered docs and enthusiasts into something I could put any faith in understanding and it not summoning Cthulhu (while locking me out of my account) if I looked at it wrong
@timbray The headaches of trying to get the browser to let my password manager be responsible for passkeys rather than Apple or Google in the browser was a terrible experience.

Not being able to easily see what sites had passkeys, or which passkey would be used if I had multiple accounts at a site, also sucks.

Passwords with a password manager and TOTP for 2FA have at least had multiple years of user experience feedback, and it’s possible to avoid lock-in by choosing your own vendor.

@timbray For me the biggest problem with passkeys is they aren't fully portable across platforms. I use Debian and Alpine Linux, iOS, Android, and when I have no other choice, Windows. If I create a passkey on one platform it doesn't work on the others. Also there's no system-level passkey support in either Linux variant I use, and Windows' passkey implementation has been both convoluted and unreliable for me.

@timbray I do like that password managers are starting to support passkeys. I've started using Bitwarden to store passkeys. I store them once and they are available in the Bitwarden browser extension in my Firefox and Blink-based browsers on Windows, Linux and presumably macOS too. iOS and Android support are "coming soon" to Bitwarden. KeePassXC recently added passkey support too, but it's Linux-only, unfortunately.

@yeswap @timbray
I’m sure passkey support will come in the following months for the missing platforms. It will also come at the system level on Linux. I think we just need a bit more patience on this!

@timbray I guess I’m in the minority here then because I love them. It’s true some sites have better support than others. My one complaint is the browsers and password managers battling to be the owner of my passkeys. I should be able to set a default Passkey Manager for my device.

@zoinks @timbray
I love them also. I do not relate at all to the bad experiences described, and I think it’s because I do not have any Big Tech account trying to grasp my passkeys, and I do not use hardware keys either.

@timbray I did quite a bit of reading, and building, and talking about Passkeys in the past year or so, and I did write a final proposal for a talk at a conference, “The promises of Passkeys”, to be able to talk about where it failed… :)
Given the previous ones were all about the good stuff!
BTW: my first POC of a product using passkeys was before any of the password managers had support for it! :D

@timbray I started letting my password manager handle passkeys. I feel better that way. I’ve been suspicious of them. I don’t understand the security improvement. They were described by one site as a way to trust my (100% portable) devices. So if I lose my laptop and someone gets in, then they have access to all my accounts? But maybe I misunderstood that site’s summary of passkeys.