Hacker News

Yep, Passkeys Still Have Problems

131 points by todsacerdoti today at 1:12 PM, 119 comments

Comments

dfabulich today at 6:21 PM

The author still has one last misconception about passkeys, namely that if you lose a passkey, you have "no recourse."

People wrongly think passkeys are like Bitcoin wallets, where losing them means there's absolutely nothing you can do, your account is simply lost forever.

Losing a passkey is exactly like losing your password, which is to say, that for 99% of services, you can reset your password/passkey really easily. There's a prominent "Reset Password" button right on the login form. It sends you an email or an SMS, you click it, and it lets you reset right then and there. You can reset your passkey in exactly the same way.

It is not that easy to reset if you lose your password to your Apple, Google, Facebook, etc. They all have a bunch of factors that they use to authenticate you if you reset your password, and they don't even document which ones they use.

So, if you care about those accounts, you've got to make sure you have backup access. They all let you generate and print "backup codes" (emergency passwords) and store them in a fireproof safe or a literal bank vault. Do that!

As everybody knows, you can't store all of your passwords in a password manager. You need something outside of the password manager to log in to the manager itself. That's why 1Password/LastPass is called that; you still need one last password that you keep and manage yourself.

That's true of passkeys, too. You can log in to Google with a passkey, but if Google is your password manager that stores your passkey, you need something else outside of Google's password manager to log in to Google. Whether it's a password, a backup code, a YubiKey, whatever, you need one more thing to log in to Google, ideally more than one, so you can back it up and keep it safe.

kemotep today at 5:55 PM

2 things about passkeys I wish would be fixed.

1. Passkey prompts asking if I want to use a phone or security key when I only have one (or neither!) registered. The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.

2. Passkeys should have had the portability and flexibility that ssh keys have from the start. Making it so your grandparents can use public key cryptography and gain a significant advantage in securing their accounts in a user friendly manner should have been the priority. Seems like vendor lock-in was the goal from the start.

alyandon today at 5:36 PM

I'm a bit of a curmudgeon about this.

Until service providers are no longer allowed to:

  1) force the type of passkey stores used (e.g. hardware vs software) when I am providing the passkey store
  2) force me to MFA (e.g. forcing touch ID, entering pin or unlock password, etc) when attempting to use a passkey

I'll continue to stick to plain old boring password + TOTP. I fully understand the security trade-offs like phishing resistance, but password + TOTP is secure enough for me.
shantara today at 6:50 PM

Vendor lock-in is a serious concern. Just reading through this KeePass issue again and seeing how much pressure the industry is trying to exert to prevent the users from being able to export their own private keys should be concerning. I come back to this discussion every time I see someone arguing in favor of passkey adoption.

>The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers

https://github.com/keepassxreboot/keepassxc/issues/10407

secabeen today at 5:28 PM

The "Vendors Can Lock You Out" part is what makes passkeys entirely a non-starter for me. Especially the additional risk when someone passes away and the heirs are trying to get access to the deceased's accounts. Vendors are well known for saying "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."

voidfunc today at 6:24 PM

Passkeys just suck, end of story. The UX for them is so bad. I have no idea how many active passkeys I have. I just have to trust the provider knows what they're doing. Sometimes my authenticator app seems to forget my passkeys, which is even more annoying.

Stop the insanity.

eddyg today at 6:31 PM

Passkeys are fantastic for the vast majority of the population. They solve oodles of problems. No more teaching ${FAMILY_MEMBER} about good passwords, password re-use, trying to explain how to use a password manager, etc. Instead: create passkey, done. Then it's seamless login whether they're on their computer, phone or tablet.

As a tech-savvy user fully aware of the underlying machinations involved with passkeys, I greatly prefer their simple, fast login experience over: username submit password submit TOTP submit, and especially over the much-worse "we've emailed you a code" login slog.

arjie today at 6:29 PM

Password + TOTP have served me well so far. To port from device to device I just need to log into my Bitwarden account. It is unclear to me what device loss would do to a passkey and the passkey never communicates that information to me. If I set up a passkey on my iPhone, the site prompts me on my Linux desktop. I understand it's fine for people who use single platforms for everything. But as far as I can tell there is no advantage over Password + TOTP. I really hope Passkeys don't become mandatory. I only use them for sites I don't care about or when I've accidentally said yes to setting one up.

jqpabc123 today at 1:22 PM

So in other words, Passkeys are over engineered and simply too complicated for most users.

Succumbing to lock-in can smooth some (but not all) rough edges and creates its own restrictions and risks.

TOTP for the win --- it's the simpler practical alternative.

0x457 today at 6:29 PM

Everyone pretends that you're forced to only have 1 passkey. I use 3 "passkey managers": Passwords.app, Bitwarden, YubiKey hardware key. I usually add all 3 or just two (skipping YubiKey).

On Apple devices I get a neat experience out of the box; on Linux (+Firefox) I'm forced to use Bitwarden because Mozilla is being Mozilla.

Never had any issues ever with passkeys.

fusslo today at 6:46 PM

I feel like a boomer.

I don't want to use google/apple/microsoft for any credential manager because: google is evil; apple has locked me out of my apple id (and lost things like the recordings of conversations with my father during his hospice); microsoft keeps getting worse and more annoying to use.

So ok, I need some credential manager. I used keepass previously... but how do I vet other credential managers? I don't want an online backup. I want my credentials to only be on my computers. So now I gotta learn about which apps are ok, don't have cloud syncing, can export files, and are compatible with macOS.

And I have to learn what FIDO is? Like FICO? Why do I need to sync with FIDO? What is it? Will it give my credential store to others?

How is this easier or more convenient than a user/pass with 2FA?

I feel like I am going to accidentally leak my credentials and have no way of knowing.

quantummagic today at 6:24 PM

It's not really passkeys that are the problem, it's trusting your passkey to a third party. But this is still a minor part of the market today; a much bigger problem to warn people about is the "log in with your google/facebook/etc account", where you're handing everything over to a third party as well, because it's so easy and convenient.

Passkeys, stored in Bitwarden, give a lot of the same convenience, but without the vendor lock-in. We shouldn't be scaring people away from passkeys, when commonly used alternatives are much worse.

polalavik today at 6:58 PM

Passkeys need a marketing campaign and UX overhaul.

I'm a technical guy, but I really don't understand what the fuck is going on when I use a passkey. All I know is one day it appeared as an option and it let me log in to things. I don't really understand where it lives, what device it's tied to, how scanning a QR code on Google Chrome on my phone magically logs me in, etc etc.

The user was not educated on this. Hacker News is the top 1% of computer power users. You gotta understand that to someone's grandma or mom or brother who works in real estate, none of this makes any sense, nor will they educate themselves on what it is.

1970-01-01 today at 5:30 PM

Totally agree with this. Passkeys are a solution but not the sole solution. There is absolutely a misconception in seeing them as the newest and therefore the best choice.

inerte today at 7:05 PM

I update a spreadsheet with all my accounts and money and their values so I know my net worth and its changes, and oh boy every month getting these numbers is such a chore.

Since it's been a few days, sometimes I am logged out of either bank/traders and also the password manager.

So it's open the bank site, click on login/password, password manager browser extension asks to login. Type password manager password. It asks for 2FA. Unlock phone with face. Find app, open app, unlock app with face. Approve password manager login. Click on bank login/password again. I am in! No, bank wants to 2FA with mobile. Unlock phone with face. Open bank mobile app, unlock with face. Get code or approve login. Back to computer, type code or click approve.

Repeat that 12 times for all the accounts, and by the end of it I have neck pain with all the "pick up phone to face unlock" motions.

I am a bit paranoid so I turn on 2FA and passkeys and whatnot, but all of this makes me want to use `123password` everywhere and never change it.

commandersaki today at 7:00 PM

Passkeys are a great avenue for hackers because they represent an optional authentication mechanism that users overlook.

Mindwipe today at 5:18 PM

Really great article.

I also think there's still an enormous ignorance from passkey devs that lots of people want to occasionally log into personal services from locked down corporate machines, and the flow to deal with this is at best terrible but more often non-existent, and developers with typically enhanced privileges just aren't able to conceive how difficult this is.

everfrustrated today at 5:46 PM

The biggest problem I have with passkeys is that, being tied to a single device, you still need a flow to reset/get in _without_ the passkey. As you're only as secure as your weakest link, passkeys don't add any security.

That said, if you have a mac with a fingerprint scanner, they sure are a very convenient option.

And don't get me started on terrible vendors like Rippling that only support a single passkey! Madness.

bakies today at 7:12 PM

starting to really hate these, regret ever using one

andrewmcwatters today at 6:30 PM

I don't care what you other people in auth do, I work in auth too, please stop making signing into anything 5 steps.

1. First I get redirected to a special sign-in page.

2. Then I sign in with my email only.

3. Then it finally asks me for a password, even for services that would never reasonably use SSO or have another post-email receive process.

4. Then I get redirected again to enter 2FA.

5. Then these websites ask if I want to create a passkey. No, I never want to create a passkey, and you keep asking me anyway.

6. Then, and only then, do I get to finally go back to using the service I wanted, and by then, you've lost whatever my `?originalUrl=` was, and I have to find it again.

No, don't send me a magic link. Because then I have to go do 4 more steps with Gmail or another mailbox provider and now signing in has become 10 or more steps.

No, don't tell me getting rid of passwords will help most of the population, and then force all of us to do the above, and blatantly lie to us that it's better.

Stop it. Get some help.

stalfosknight today at 6:09 PM

Passkeys are a completely seamless experience on Apple platforms in my experience so far.

jason_s today at 5:49 PM

Please don't use fixed-width fonts to write text. Please use fixed-width fonts to write code.
