RE: https://mstdn.social/@TechCrunch/116807118492991232

This is incorrect. Physical security keys are more secure than passkeys. All of the strong phishing resistance, none of the software-brokered attack surface.

To be clear, passkeys are safer than push or SMS or email or passwords. And physical keys are a pain to maintain for the same reason they are more secure: you can't synchronize their secrets anywhere.

@tychotithonus the primary purpose of passkeys is to promote operating system vendor lock-in

(the purpose of a system is what it does)

@tychotithonus also passkeys are a UX madhouse, I gave up trying to implement them for an authentication service.

@tychotithonus Not to nitpick but there’s still more nuance to it since there are different ways of implementing passkeys. They can live on an external physical key, or on-device and syncable (like in a password manager), or on-device and non-syncable (tied to a Secure Enclave / TPM chip.) So whether they are or are not the most secure option depends on how the end-user sets theirs up.
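Added example, not code from anyone in this thread: a relying party can tell the syncable and non-syncable kinds of passkey described above apart by reading the BE (backup eligible) and BS (backup state) flags in the WebAuthn authenticatorData. It assumes the WebAuthn Level 3 flag layout (bit 0 UP, bit 2 UV, bit 3 BE, bit 4 BS, bit 6 AT, bit 7 ED); the sample authenticatorData and the RP ID "example.com" are constructed for the example. The caveat worth knowing: the flags separate "can be synced off the device" from "device-bound", but a device-bound result covers both an external security key and a platform authenticator backed by a TPM or Secure Enclave; telling those two apart needs attestation or transport hints, not these bits.

```python
"""Classify a WebAuthn/passkey credential from the authenticatorData flags.

Added example, not from any poster in the thread. Assumes the WebAuthn
Level 3 flag layout (bit 0 UP, bit 2 UV, bit 3 BE, bit 4 BS, bit 6 AT,
bit 7 ED). The authenticatorData used below is constructed, not captured.
"""
import hashlib
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off the device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included

RP_ID_HASH_LEN = 32
MIN_AUTH_DATA_LEN = RP_ID_HASH_LEN + 1 + 4  # rpIdHash + flags + signCount


def parse_flags(auth_data: bytes) -> dict:
    """Return the individual flag bits from the byte after rpIdHash."""
    if len(auth_data) < MIN_AUTH_DATA_LEN:
        raise ValueError("authenticatorData shorter than rpIdHash+flags+signCount")
    flags = auth_data[RP_ID_HASH_LEN]
    return {
        "UP": bool(flags & FLAG_UP),
        "UV": bool(flags & FLAG_UV),
        "BE": bool(flags & FLAG_BE),
        "BS": bool(flags & FLAG_BS),
        "AT": bool(flags & FLAG_AT),
        "ED": bool(flags & FLAG_ED),
    }


def classify(auth_data: bytes, expected_rp_id: str) -> str:
    """Return 'synced', 'syncable' or 'device-bound'.

    BE says whether the private key *can* leave the authenticator, BS whether
    it currently *has* been backed up. BE=0 means device-bound, which covers
    both a roaming hardware key and a platform authenticator bound to a
    TPM/Secure Enclave; the flags alone cannot tell those two apart.
    """
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if auth_data[:RP_ID_HASH_LEN] != expected_hash:
        raise ValueError("rpIdHash does not match the expected RP ID")
    f = parse_flags(auth_data)
    if not f["UP"]:
        raise ValueError("user presence not asserted")
    if f["BS"] and not f["BE"]:
        # A credential that is backed up must also be backup eligible.
        raise ValueError("BS set without BE is not a valid flag combination")
    if f["BE"] and f["BS"]:
        return "synced"
    if f["BE"]:
        return "syncable"
    return "device-bound"


def allowed_by_policy(auth_data: bytes, expected_rp_id: str,
                      require_device_bound: bool) -> bool:
    """Relying-party policy hook: optionally reject anything syncable."""
    kind = classify(auth_data, expected_rp_id)
    return kind == "device-bound" or not require_device_bound


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal constructed authenticatorData for the example."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed samples: a synced passkey (sign count 0 is typical for
    # synced credentials) and a device-bound one with a live counter.
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, 17)
    print(classify(synced, "example.com"))  # synced
    print(classify(bound, "example.com"))   # device-bound
    print(allowed_by_policy(synced, "example.com", require_device_bound=True))  # False
```

The rpIdHash comparison is there because the flags byte is only meaningful once you know the authenticatorData belongs to your RP; a relying party that checks BE/BS but not the hash is trusting an unbound blob. The BS-without-BE rejection is a cheap sanity check on malformed or tampered authenticator output.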

@dmnelson Very fair. This nuance is also not delivered on the original site that is asserting that "passkeys are better". The fact that a physical security key can protect a passkey is virtually unreachable to any but the most advanced and experienced users, usually due to poor UX. So I'm not disagreeing with you, but I also think that it's a nuance that more proves my point than counters it. 😅

Edit: but also I want to support your original point more fully -- you are absolutely not wrong.

@tychotithonus that passive-voice "which are considered" is doing a lot of heavy lifting there, and it wafts a scented plume of marketing with a note of consent-manufacturing.