The War on Passwords Is One Step Closer to Being Over

If the passkeys aren't managed by your devices fully offline then you're just deeper into being hostage to a corporation.

Literally just use a password manager and 2/MFA. It’s not a problem. We have a solution.

I'll switch when it's fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.

If you tell corporations there’s a way to increase lock-in and decrease account sharing, they’re gonna make it work.

ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.

I always feel like an old granny when I read about passkeys because I've never used one, and I'm worried I'll just lock myself out of an account. I know I probably wouldn't, but new things are scary.

Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I'm covered with that.

The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.

I'm not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you've got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.

Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.

I still have no idea how to use passkeys. It doesn't seem obvious to the average user.

I tried adding a passkey to an account, and all it does is cause a Firefox notification that says "touch your security key to continue with [website URL]". It is not clear what to do next.

Am skeptical

My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven't tried). Surprisingly, iOS integrates with the password manager so it's usable just like their own solution and it works across the system (not just in the browser).

This seems to be more about finding a standard way to export/import between different password managers/platforms?

It's enough to read the title. The rest of the article doesn't provide much else other than being one step closer. 😄

I remember when Microsoft made a big deal about this on Windows and then their "implementation" was making the local signon a number PIN.

And not a proper separate auth operation lol. You either set up almost everything with the PIN or use a regular password, not both. Makes it useless on enterprise.

Realistically we should all be using a key/pass vault since that would make using passkeys much easier, but that's too complicated for the internet in 2004 2024.

If it were me, I'd just issue everyone a yubikey.

Meanwhile mobile Firefox doesn't even support YubiKey / FIDO2 for some godforsaken reason.

I'm lost on this - is this better than GPG?

What is the difference between a crypto wallet and a passkey?

Is it just that a passkey has less functionality (and therfore better usability)?

They are really satisfying when they work. I have been impressed by how well they work cross platform in the new bitwarden. It even worked from Android one time with a key made on windows! However, I dread when my mom tells me she needs help with an account and I can't do anything because the key is on her iOS Keychain I don't have access to