Tim BrayPasskeys were hot last year, don’t seem to be catching on, here’s one view of why that is. Dark and sobering but convincing: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
Stuart Langridge@timbray ah, I have looked at passkeys a couple of times and feared them because of lock-in, and this suggests that I'm not the only one thinking it!
Tanner B 🆓🇵🇸@objc @timbray as far as I can tell, though, I can't move *between* OSes. If I set up my current phone as holding my passkeys, and then I change to a different phone (OS), I am just flat-out stuck; I cannot export my passkeys, or store them myself in some neutral format, or export them to a different device. I might be wrong on this, but every time I've asked I've got that answer, or no answer. If that's changed then I'll be happy to look again.
Lee Fife - old account
Insecurity Princess 🌈💖🔥@sil @objc @timbray
Typically, you can use a device with an existing passkey to add a passkey to another device.
Just yesterday I deleted a passkey from my Android device and then added a new passkey to it using a passkey from my MacBook.
I won't defend that it's a smooth experience. It could be clearer. And for some reason it only accepts one of my fingerprints for biometric authentication. 🤷🏼♀️
@saraislet @objc @timbray that's useful to know! I couldn't find any note on how to export a passkey from an iphone to elsewhere, but maybe I didn't look hard enough, or it's changed since I looked last.
@sil @saraislet @timbray You cannot export them, @saraislet is describing the process of creating *additional* passkeys for separate devices
@sil @timbray Your phone's OS should support moving the passkeys to a new phone when you "upgrade", as well as syncing across devices (iCloud). Going from iOS to Android, yeah, you'll need to make new passkeys.
Alternatively, websites can choose to allow you to set up multiple passkeys. This is ideal because you can set up a passkey for every device/OS you have.
bhcompy@sil So you're saying I should stick to TOTP methods that I can backup and transfer easily
@bhcompy I don’t think I’m expert enough in this area to give advice. I’m saying that I, personally, want an OTP method that I can back up and transfer easily, and I have that currently (OTP Auth for iOS, after a bit of looking around).
Mike Beasley@MikeBeas @sil @objc So if I'm using 1password and syncing between my laptop & phone, the same passkey can be used on both?
[Definitely getting the feeling that 1Password is the leader at making these things usable. Having said, that, I have yet to convince any nontechnical person to use any password manager aside from the ones in the browsers.]
@timbray @sil @objc Yes, it works like anything else you sync via a password manager. Several password managers support them.
For non-technical users, storing them in the system keychain is fine. They’re end-to-end encrypted and synced via iCloud or the Google password manager, same as regular passwords. You can scan a QR code on other devices that aren’t able to sync them (Windows or whatever) and login from your phone. It’s a pretty painless process.
Matthew Abbott@MikeBeas @timbray @sil @objc Do most people “go looking for” posts on a topic on a platform that resisted basic search?
This isn’t a scientific discussion, nor did you back your assertion with the type of “scientific proof” you demand of others. Anecdotal evidence of difficulties *is* evidence a feature is less than intuitive, enough to indicate an observational study. I believe I have a contact at a psych department if you want to fund that.