BTW, when the Big Tech bros wax poetic about eliminating passwords by requiring passkeys, you can bet they probably don't deal with anyone who doesn't have a phone and whose only access to the Internet is public computers like in libraries. And please don't suggest that someone who may have all their possessions in a shopping cart carry and use a YubiKey (even if USB ports weren't blocked on public computers, as they often are). The Bros often don't have a clue about the real world.
@lauren exactly right. After the Australian MyGov team rolled out passkeys they discovered that many folks living in remote parts of Australia don’t have phone coverage and access internet via shared computers at community centres. They weighed giving every Australian a YubiKey as it would be cheaper than sending 2FA codes via SMS. Ultimately, they left passwords as an option.
@ben @lauren But when you log into MyGov right now and see your 'security review', it literally tells you that you should turn off your password as a security measure. It'll be one of the first things you see after logging in.
@rainynight65 @lauren People with the ability to use passkeys _should_ use them. Apparently a micro-phishing kit for a fake MyGov site costs $30 on the dark web and passkeys are completely effective against these.

The point is we shouldn’t leave behind folks that can’t use passkeys or other smartphone-demanding tech. MyGov allows users to ignore the ‘security review’ recommendations to accommodate diverse needs.
@ben @rainynight65 And how many of those people who have those "diverse needs" do you think understand enough about these systems to know the risks they'd be taking in accepting passkeys? Keep in mind that most people know just BARELY enough about how any of these systems work to do the tasks they need, and no more than that.
@lauren @rainynight65 So far I’ve been discussing the physical ability to access a phone and/or carry a security key.

As for users who barely understand these systems, passkeys were designed so that users only need to know how to unlock their phone — still an assumption, I know — but I think a poor job has been done with making that clear.

And I get that some folk won’t understand how that’s different from being asked to remember a separate password. Especially after a decade of being told to use different passwords for different systems.