I gave an opening keynote at the FIDO Alliance’s “Authenticate” conference a few weeks ago! Although it featured timely strategies and tips for professionals deploying passkeys, my primary goal was to explain, as clearly as I can, why passkeys are important and how we should use them to reduce the harm that passwords cause.

YouTube link: https://www.youtube.com/watch?v=otObbUSxcqs

I’m really proud of this talk and I hope you’ll watch it and share it with others. I put care into making it approachable while still delivering my perspective and insights to security professionals. If you don’t get the “why” behind passkeys, this talk will help fill that gap.

Authenticate 2025 Keynote | Ricky Mondello, Apple | Get the Most Out of Passkeys


@rmondello You're a really good public speaker, Ricky. You speak slowly, clearly, and communicate effectively. Great job!

I'm a web developer and I’d like to begin the investigation of supporting passkeys in our web apps. Do you have any good resources for what they might look like on the client & server?

WebAuthn Conditional UI (Passkeys Autofill) Technical Explanation

Conditional UI / Conditional Mediation / Passkey Autofill is a new feature of passkeys. This article explains what it is, how it works & how to implement it

@rmondello It resonates with me what you said about actually allowing the user to drop the password. Some services allow that (PlayStation does it automatically), but at this stage most don’t yet. I’m happy that I can sign in to some accounts with a passkey, but the password is still there as a fallback, which I don’t need or want. This has further implications, in that I still need TOTP or SMS enabled to protect against password attacks, if a passkey isn’t asked for in that case.
@rmondello <added to watchlist> 🎉
@rmondello Great talk, thanks 🙂

@rmondello Nice talk! Thanks for sharing.

Did you choose “Head over heels" as intro music yourself or was this chosen by the FIDO Alliance?

@rmondello maybe it’s the nerd in me but I’m hesitant to use passkeys because they seem so opaque to me. Do you have any advice that might cause me to step off the ledge?

@chrisipedia

I share the feeling, and I'd say: traditionally, you assume the work of writing or typing your passwords and keeping them safe someplace. Trusting technology with that job, knowing it offers much more sophistication and speed, and practically never makes a mistake, is the point.

A metaphor might be hesitancy trusting software to perform your arithmetic knowing you can't inspect the annotated long division, et cetera.

@rmondello
Ricky, that was an excellent talk. I'm glad I watched it.
I'm one of those people who still has serious reservations about adopting passkeys, and I was hoping you'd provide new information that changed my mind. My main reservation centers around the huge number of people who only have one device.
If their only device breaks, and
If they deleted the password authentication option,
Then they experience permanent account lockout.

I help people globally with tech support, including account recovery. I have a “no fix, no charge” guarantee. I’ve seen this problem first-hand. One device, broken or stolen, and accounts from
Microsoft,
Google,
Apple,
are gone forever.

You asked in your talk for collaboration and input, so here’s my recommendation: any adoption of passkeys, any implementation of passkeys, needs to include “error checking” that prevents a user from ever having only one way into an account.

@fifonetworks @rmondello sites can look at the backup eligibility bit on the response to see if the credential syncs. In practice, it's mostly Windows Hello that produces credentials that don't sync.

If the user has a single non-syncing cred I'd make sure e.g. email recovery still works for them.
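The check described above, as an added example that is not part of the thread or of any project mentioned in it: a relying party parses the authenticator data returned at registration, reads the Backup Eligibility (BE) and Backup State (BS) flags from the flags byte, and keeps a fallback recovery path (e.g. email) while the account holds no syncing credential. The rpIdHash check against an assumed RP ID of `example.com` and the sample authenticator data are constructed for this example; only the flag bit positions come from the WebAuthn specification.

```python
"""Added example (not from the thread): decide whether an account still needs a
fallback recovery path by looking at the BE/BS flags of its WebAuthn credentials."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable

# Bit positions in the authenticatorData "flags" byte (WebAuthn Level 3).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: the credential can sync to other devices
FLAG_BS = 1 << 4  # backup state: the credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data follows
FLAG_ED = 1 << 7  # extension data follows


@dataclass(frozen=True)
class AuthDataSummary:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> AuthDataSummary:
    """Parse the fixed 37-byte prefix: rpIdHash (32) || flags (1) || signCount (4).

    Attested credential data and extensions may follow; they are not needed here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    # The RP must confirm the data was produced for its own RP ID.
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # The spec forbids BS without BE; treat it as malformed rather than guessing.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("backup state set on a credential that is not backup eligible")
    return AuthDataSummary(rp_id_hash, flags, sign_count)


def needs_fallback_recovery(credential_flags: Iterable[int]) -> bool:
    """True when every registered credential is device-bound (no BE bit set).

    In that case losing the one device means losing every passkey, so the RP
    should keep another recovery path (e.g. email) enabled for the account.
    """
    return not any(flags & FLAG_BE for flags in credential_flags)


def sample_auth_data(flags: int, sign_count: int = 0, rp_id: str = "example.com") -> bytes:
    # Constructed fixture: the 37-byte prefix only, no attested credential data.
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
    )


if __name__ == "__main__":
    device_bound = parse_authenticator_data(sample_auth_data(FLAG_UP | FLAG_UV), "example.com")
    synced = parse_authenticator_data(
        sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS), "example.com"
    )
    print("device-bound credential, keep email recovery:",
          needs_fallback_recovery([device_bound.flags]))
    print("one syncing credential present, fallback optional:",
          needs_fallback_recovery([device_bound.flags, synced.flags]))
```

A registration with BE set but BS clear is a syncing-capable credential that has not yet been backed up, which is why the policy keys off BE rather than BS.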

@rmondello Watched the whole talk — really well done. I’ve been aware of Passkeys for ages (for which I mainly blame you 🤪) but have been hesitant to deploy them on client sites. Going to try them out on some in-house projects and see how I like it, armed with answers you gave to some lingering questions I had. 😎👍

@rmondello What’s your thoughts on sites that use passkeys + a second form of authentication? GitHub is one that comes to mind.

Doesn’t that defeat one of the benefits?

@brandonbutler I address this in the talk! Let me know what you think of my argument around this. :)
@rmondello @brandonbutler If you have 2FA on Amazon and set up the passkey (only one), it asks for the 2FA code after the passkey

@brandonbutler @rmondello I think every service should allow users to have a fully passwordless account. If I already have an account and I register a passkey — allow me to get rid of my password and other factors (like SMS or TOTP). If I lose access to all my passkeys (which I know won't happen) or I need to sign in where they aren't supported, I can use a “magic link” or e-mail recovery as a last resort.

Also, it should be possible to register an account without ever creating a password.

@brandonbutler I think I’m using passkeys exclusively on GitHub. At least I’m not finding any message verbally abusing them in my sent messages. But maybe I had to disable TOTP after I added the passkey.

@brandonbutler @rmondello Today I discovered that the AWS console also uses passkeys incorrectly, requiring you to input username, password, and then submit the passkey.

They even have their chatbot trained to gaslight you when you complain about it.

@rmondello great talk!

It leads to the obvious question how and when Apple is dropping the password and especially SMS 2FA for Apple Accounts. It seems to be a weak point when storing #Passkeys in the Apple Keychain. Unfortunately quite many processes are asking for a password still (without 2FA 😮) and using a Passkey for the Apple Account itself is missing.

I know you can’t comment, just to mention it… maybe it will increase some internal priority counters or something 🙃

@rmondello
This sounds like a really interesting bit of information, the "why" behind passkeys is definitely a topic I want to understand. Do you have a transcript or a blog post about the topic? I would rather read and ruminate than listen to a keynote, sorry.
@rmondello Great talk, Ricky! You succeeded in the approachable goal. I don't work on anything that can utilize passkeys but I've been enjoying them more and more as a user and look forward to their continued evolution and adoption.
@rmondello Ricky, THANK YOU for calling out the practice of just adding Passkeys as an option for MFA! It's always so frustrating to see it used in the worst way possible. I want to be able to switch all my accounts from using passwords + OTP to JUST PASSKEYS! Preferably removing the password and other factors from the account entirely.

@matt Yes!

Passkeys: 👍
Passkeys + MFA: 🙄
Passkeys + password: 🤦‍♂️

@rmondello Terrific talk, thanks!

@rmondello This was communicated so well and easy to understand for someone not in the industry at all :)

Reminds me of that 2018 PasswordsCon talk. Awesome stuff!

@rmondello Great talk, as someone who’s been trying to adopt passkeys when services let me, I learned a lot.
@rmondello I really enjoyed this talk! I work in IAM at a university and I would love to start introducing passkeys, but something I'm struggling with is that we have far more diverse use cases than a more vertically-integrated organization. Passkeys would work for our web-based SSO, which admittedly is the majority use case for us, but we also have places where a password is still needed (VPN, managed desktops, SSH, RDP, etc). Any advice for navigating that kind of environment?

@rmondello I scanned the talk looking for an answer to this, so sorry if I missed it!

My primary concern with passkeys is the attestation capabilities. I'm fearful of a world where, through network effects, we are all forced to run certain: browsers, OSs, and hardware.

Like the old "requires IE 6", and new "requires Chrome" brick walls, I can envision banks/etc., either through ignorance or background deals, requiring blessed configs because of "security".

Are these concerns unfounded?