Hacker News

secabeen, today at 5:28 PM (4 replies)

The "Vendors Can Lock You Out" part is what makes passkeys entirely a non-starter for me. Especially the additional risk when someone passes away and the heirs are trying to get access to the deceased's accounts. Vendors are well known for saying "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."


Replies

jerf, today at 6:17 PM

That linked story is pretty horrifying too: https://hey.paris/posts/appleid/

If he can't get his account back in any reasonable amount of time what chance do I have?

(I see I missed a big HN discussion on this: https://news.ycombinator.com/item?id=46252114 - 1038 comments)

jmsgwd, today at 7:01 PM

Some password managers provide an offline root of trust which family members can use in this scenario. For example, 1Password tells users to print off an "Emergency Kit" which is a physical piece of paper with secret recovery codes printed on it, which they store in one or more safe places. [1]

If someone passes away, their family members can use the Emergency Kit to gain access to and use all their credentials - including their passkeys.

(The Emergency Kit also allows you to recover your data in the event that you forget your master passphrase or lose all your devices.)

[1] https://support.1password.com/emergency-kit/
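The "offline root of trust" idea in the comment above can be shown concretely. The following is an added illustration written for this thread, not 1Password's code or its actual key-derivation scheme: a random recovery code is generated for printing, and the vault's data key is independently wrapped under both the master passphrase and that recovery code, so a family member holding only the printed sheet can still unwrap the vault. The scrypt parameters, the code format and the `enroll`/`recover_with_kit` helpers are assumptions made for the example; a production implementation would use an authenticated cipher such as AES-GCM for the wrap rather than the derived one-time pad used here for stdlib-only portability.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import date

# Hypothetical KDF parameters for this illustration (not 1Password's).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_recovery_code() -> str:
    """160 random bits, printed as 8 groups of 4 base32 characters."""
    raw = base64.b32encode(secrets.token_bytes(20)).decode()  # 32 chars, no '=' padding
    return "-".join(raw[i:i + 4] for i in range(0, 32, 4))


def normalize_code(code: str) -> str:
    """Tolerate how a person retypes a printed code: case, dashes, spaces."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _derive(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a low-entropy secret into an encryption key and a MAC key."""
    km = hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def wrap_vault_key(vault_key: bytes, secret: bytes) -> dict:
    """Encrypt-then-MAC the 32-byte vault key under a secret; fresh salt per wrap."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(vault_key, enc_key))  # pad is used exactly once
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_vault_key(blob: dict, secret: bytes) -> bytes:
    """Recover the vault key; a wrong secret fails the MAC check, never returns garbage."""
    salt, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "ct", "tag"))
    enc_key, mac_key = _derive(secret, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong secret or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, enc_key))


def enroll(vault_key: bytes, passphrase: str, recovery_code: str) -> dict:
    """Two independent wrappings of the same key: daily-use passphrase and printed code."""
    return {
        "by_passphrase": wrap_vault_key(vault_key, passphrase.encode()),
        "by_recovery_code": wrap_vault_key(vault_key, normalize_code(recovery_code).encode()),
    }


def recover_with_kit(enrollment: dict, typed_code: str) -> bytes:
    """The heir's path: only the printed sheet is needed, not the passphrase."""
    return unwrap_vault_key(enrollment["by_recovery_code"], normalize_code(typed_code).encode())


def render_emergency_kit(account: str, recovery_code: str) -> str:
    """Text to print and store offline (a constructed layout, not a vendor's)."""
    return (
        "EMERGENCY KIT - keep this sheet somewhere safe\n"
        f"Account: {account}\n"
        f"Recovery code: {recovery_code}\n"
        f"Printed: {date.today().isoformat()}\n"
        "Anyone holding this code can open the vault without the master passphrase.\n"
    )


if __name__ == "__main__":
    vault_key = secrets.token_bytes(32)          # constructed sample key
    code = generate_recovery_code()
    enrollment = enroll(vault_key, "correct horse battery staple", code)
    print(render_emergency_kit("samantha@example.com", code))
    assert recover_with_kit(enrollment, code.lower().replace("-", " ")) == vault_key
    print("vault key recovered from the printed code alone")
```

The point the example makes is that the recovery code is a second, equal-strength key to the vault, not a hint about the passphrase: losing the passphrase (or the person who knew it) costs nothing if the sheet survives, and conversely whoever holds the sheet holds the vault, which is why it belongs in a safe rather than a drawer.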

teeray, today at 6:13 PM

> "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."

It would be nice if you could use some legal apparatus to ratchet these agreements into a trust. Corps would hate it though, so it will probably be illegal to do.

BizarroLand, today at 7:45 PM

I hate passkeys because when I've encountered them it's always an interstitial between what I just signed in to and where I'm trying to go, it's always a "register a passkey now" with an obfuscated dark pattern bypass, and it's always on a corporate account that I don't need a fucking passkey for.

I don't want a passkey on my logins but there is no way to disable this prompt on the 3 websites that constantly annoy me for them.

Drives me batty. The company I work for is already paying you for the service I'm using. We use SSO for EVERYTHING, I've already 2FA Authenticated the login, and even if I set up a passkey I will still have to 2FA the login.

I don't use these sites in any personal capacity, and I would never use a site that harasses me in any way if I was not absolutely required to in order to earn a paycheck.

You're not going to get any money out of me, why are you torturing me?