Google and Apple use passkeys to capture users by locking credentials into their platforms and have made the UX of passkeys worse than that of password managers (William Brown/Firstyear's blog-a-log)

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
http://www.techmeme.com/240427/p5#a240427p5

Passkeys: A Shattered Dream

Firstyear's blog

@Techmeme
The UX of it is absolutely egregious. I'm logging into an account that is used for just nothing stuff, it has a decent password, google is harassing me for a keypass. We use google for work and it's now harassing people for a keypass when they try to log in on a different account (has to be manually, temporarily shut down each time). I'm setting up my father's new iphone (gods, why?) and the keypass section is a total dark pattern. I get more ticked off at more people at those companies every single day.
@Techmeme Weird that there is no mention of the fact that passkey portability is an active working group at the FIDO alliance. This mostly reads as "I disagreed with a Google or Apple decision so now passkeys are doomed" 😬
@res260 @Techmeme It would make sense to actually have support, not just “working on it”. Having a working group is no guarantee for consensus or even technical viability, much less actual deployment.
@ahltorp @Techmeme I agree, but it's bad faith to imply that this is a lock down strategy. I read on some news sites (though have not seen an official statement) that Google and Apple plan to support such an export mechanism. If we're still not there in a year then I'll start getting suspicious, but releasing passkeys on iOS and Android without having the export feature is not enough to say "big tech forces lock down with passkeys" imo

@res260 @Techmeme I think many things regarded as “lock down strategies” are not active strategies, but passive ones. They simply don’t care enough, which from the outside looks like active menace.

Also, even public commitments often collide with other priorities, like the infamous Steve Jobs promise that FaceTime would be “open”.

@ahltorp @Techmeme Fair points.
Google and Apple are two of the 40+ board members of the FIDO alliance, I'd hope most other members agree that we need a portability standard for passkeys. Also passkeys are not a closed tech or standard, like FaceTime is

@res260 @Techmeme

The tech giants behind the passkeys effort are about as dedicated to actually enabling the porting of passkeys between different identity providers as the Gotham police department is to finding the real identity of Batman and arresting him.

@arekfurt @Techmeme The same statement could have been said, but for allowing 3rd-party password managers to have access to passkeys, no? Yet, they have access. Why is that different?
@Techmeme
"The Enshittocene Period"
This is the era of elaborated systems following the exit of their elaborators. To elaborate a system is first-ordered, say. Then to perpetuate an elaborated system is second-ordered. The elaborated system decays due to inadequate maintenance, or, far worse, through improvements by those who know not what they do. This is the root of #enshitification . Stick with Micah: do it right, realize that we all make mistakes, and do not expect to understand what must be going on in places where we have never been. I have been describing the natural law, but it gets even weirder when corporate profits are involved.

@Techmeme damn that's... extremely disappointing. An authentication system completely FUBAR'd because the Giants refuse to be Normal and Decent and not lock people in to their platforms.

My KeePass system is random, variable, not great at syncing across devices, and has a fragmented ecosystem. I've lost a few passwords due to some clients syncing poorly. It's not something I'd recommend for the faint of heart.

But I have never had all my accounts, as the author laments, "deleted, 3 separate times."

It's a shame. I really wanted to do security keys as a thing by now

@Techmeme KeePassXC added passkey support recently and one of its best features is the ability to export them to files. What we need is better hardware security keys, devices dedicated to storing resident keys. Crypto bros have all kinds of devices but we are stuck with YubiKey and Google Titan.
@[email protected] it’s also worth pointing out that having several devices of different types storing additional keys solves a lot of issues.
@Techmeme This is exactly why passwords are good actually, and all this webauthn bullshit is just unnecessary complexity.
@SiteRelEnby @Techmeme Sorry, have to strongly disagree here. Passwords are terrible even when good passwords are used, because of the ease in phishing them with lookalike web sites. And in practice they’re even worse than that, because lots of users reuse passwords and are then vulnerable to credential stuffing attacks when one of the sites is inevitably breached. Passkeys are the best solution, but it’s fairly early and they definitely have usability and portability challenges right now.

@crdotson @Techmeme I'll take password + TOTP over some brittle protocol with a dubious future of support that's tied to web browsers, while my KeePass DB is portable.

If people want a better system than passwords, why not just use SSH keys? Avoids all this browser bullshit and is well implemented and understood everywhere.

@SiteRelEnby @Techmeme Well, at the heart of it, passkeys are really just public/private key pairs with a web protocol (webauthn) wrapped around it. If you used ssh keys on the web, you’d have a public/private key pair with … a web protocol wrapped around it. You can argue that webauthn is implemented poorly, and I’d agree to some extent, but in my opinion it or something very much like it is desperately needed.
@crdotson @Techmeme Yeah, it is implemented poorly. Zero reason for it to be tied to a browser other than Google's usual E/E/E play. Could have just used something like ssh-agent instead.

@Techmeme I've been using passkeys with 1Password which has been working pretty well, and they are portable. However, no way to use them on Android with Firefox at the moment.

Edit: Ah, I see, the big players are trying to exclude hardware security keys, which is pretty terrible, as well as pushing crappy UX's to encourage using their system over others....

@Techmeme like, what’s wrong with it?

Aren’t passkeys supposed to be per-device, be used instead of the “don’t ask me for 2FA on this device again” cookie?

Even cloud sharing them between different devices feels kinda icky to me

@Techmeme This sounds like another case of big tech prioritizing platform control over user convenience. I wonder how third-party password managers will adapt to this trend.