I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray? The more feedback, the better.
https://infosec.exchange/@adamshostack/113743707996398149
Adam Shostack (@adamshostack@infosec.exchange)

@[email protected] I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management. Err, “things are”

@rmondello @ruuda is one of the most intelligent and technically inclined friends I have and he got stuck on how to use a YubiKey on Android because he didn't understand the Google Password Manager prompt when doing passkey login and that he had to click the "Use a different device" button.

If he can't figure it out we're doomed.

@rmondello @ruuda password managers hijacking navigator.credentials.get is personally what completely trips me off. Having to click through a bunch of inconsistent dialogs -- first Bitwarden dismiss that I don't want to use it, then 2 clicks in iCloud passkey manager, just to use my security key, is not good UX.

Seems none of the password managers integrate with the native passkey APIs so they do this hijack thing. When I asked 1Password about it they said they couldn't because they support too wide a range of macOS versions.

@rmondello @ruuda like. I know Apple has all the hooks to make the password managers feel just as native as iCloud. But seems nobody is using it. :(

@rmondello @ruuda I wonder if a WebExtensions API as opposed to a native API would lead to better integration for password managers. As they get nice integration on all platforms instead of having to do native integration for each.