
xp84 (yesterday at 7:06 PM), 5 replies

I'll believe this when pigs fly.

There's a 0% chance it will work. Most websites I've seen have one or all of:

* Force you to use email or SMS as a "second factor" to unlock changing password even if you know the old password

* A stupid idea of password complexity usually requiring one of a finite set of 5-8 "special characters" which is often only revealed after you've chosen a password that doesn't have them. Or in some cases even banning characters other than the ones they check for. There's a standard for this where you put a regex on the password field, which a good password manager will always use, but the kind of idiots who think limiting the entropy of passwords to increase security is the correct way to do things almost NEVER implement this.

* A maximum password length, even as short as 16 characters in many cases

* CAPTCHA etc.

Any effort spent on this would be better spent elsewhere, including even educating other companies on how passkeys should be used.


Replies

dwaite (today at 12:15 AM)

> Force you to use email or SMS as a "second factor" to unlock changing password even if you know the old password

Apple has detectors for codes sent via email or SMS, if your email account is one that is configured with the OS mail client.

> A stupid idea of password complexity usually requiring one of a finite set of 5-8 "special characters" which is often only revealed after you've chosen a password that doesn't have them. Or in some cases even banning characters other than the ones they check for. There's a standard for this where you put a regex on the password field, which a good password manager will always use, but the kind of idiots who think limiting the entropy of passwords to increase security is the correct way to do things almost NEVER implement this.

An AI agent can read the failure message and craft a new password.

> A maximum password length, even as short as 16 characters in many cases

Same deal.

> CAPTCHA etc.

While there's always the complex solution of scanning the image and trying to detect what is going on or slide the puzzle with enough of a curve to act like the motion of a human limb, there's also Private Access Tokens, supported by both Cloudflare and Google-provided captcha systems now IIRC. The OS uses an anonymous system to assert a single bit that there's proper browser chain-of-custody.

> Any effort spent on this would be better spent elsewhere, including even educating other companies on how passkeys should be used.

There are also proposals to provide an API to upgrade from passwords to passkeys automatically. Nobody said the feature has to always use AI, but it may help the feature be robust enough for people to seek it out and try it.

cosmic_cheese (today at 12:33 AM)

Don’t forget those sites/apps that split the sign-in process across five screens for no good reason, or those with mislabeled fields that password managers can’t pick up on.

I don’t think I’ve seen a single category of UX fail as hard and as often as auth screens do. It’s like at some point after 2015-2017 developers were struck with mass amnesia and forgot how to build decent login UIs.

mimischi (yesterday at 9:39 PM)

Some of your points are addressed by: https://github.com/apple/password-manager-resources
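The mechanism the linked repository documents is the `passwordrules` attribute set on the password `<input>` (for example `<input type="password" passwordrules="required: upper; required: lower; required: digit; minlength: 12;">`), which lets a site declare its composition rules so a password manager can generate a conforming password up front instead of discovering the rules from an error message. As an added example, not code from that repository or from any commenter, here is a Python parser for that grammar together with a validator and a CSPRNG-backed generator, in the shape a password manager would consume the attribute. The rule string is constructed here in the style of Apple's documentation; the fallback to ASCII printable when nothing is allowed, the defaults for a missing `minlength`/`maxlength` (1 and 64), and treating the `unicode` class as ASCII printable for generation are this example's own simplifications.

```python
import re
import secrets
import string

# Named character classes of the passwordrules grammar. The special
# class is the one Apple documents; 'unicode' is mapped to ASCII
# printable here for generation (example simplification).
SPECIAL = "-~!@#$%^&*_+=`|(){}[:;\"'<>,.? ]"
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": SPECIAL,
    "ascii-printable": "".join(chr(c) for c in range(0x20, 0x7F)),
}
CLASSES["unicode"] = CLASSES["ascii-printable"]


def _parse_classes(value):
    """'upper, lower, [-_.]' -> union of the listed classes as a set."""
    chars = set()
    for m in re.finditer(r"\[([^\]]*)\]|([a-z-]+)", value):
        if m.group(1) is not None:          # custom class: [...]
            chars |= set(m.group(1))
        else:                               # named class
            chars |= set(CLASSES[m.group(2)])
    return chars


def parse_rules(rules):
    """Parse a passwordrules attribute value into a rule spec dict."""
    spec = {"required": [], "allowed": set(), "max_consecutive": None,
            "minlength": 1, "maxlength": 64}   # defaults are this example's
    # split on ';' but not inside a custom class, which may itself contain ';'
    for prop in re.split(r";(?![^\[]*\])", rules):
        if ":" not in prop:
            continue
        key, value = (s.strip() for s in prop.split(":", 1))
        if key == "required":               # each 'required' is one constraint
            spec["required"].append((value, _parse_classes(value)))
        elif key == "allowed":
            spec["allowed"] |= _parse_classes(value)
        elif key == "max-consecutive":
            spec["max_consecutive"] = int(value)
        elif key in ("minlength", "maxlength"):
            spec[key] = int(value)
    for _, cls in spec["required"]:         # required characters are allowed
        spec["allowed"] |= cls
    if not spec["allowed"]:                 # nothing declared: fall back
        spec["allowed"] = set(CLASSES["ascii-printable"])
    return spec


def validate(password, spec):
    """Return a list of rule violations; an empty list means it conforms."""
    problems = []
    if len(password) < spec["minlength"]:
        problems.append("too short")
    if len(password) > spec["maxlength"]:
        problems.append("too long")
    bad = sorted({c for c in password if c not in spec["allowed"]})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    for label, cls in spec["required"]:
        if not any(c in cls for c in password):
            problems.append("missing required class: " + label)
    n = spec["max_consecutive"]
    if n is not None and re.search(r"(.)\1{%d,}" % n, password):
        problems.append("more than %d identical consecutive characters" % n)
    return problems


def generate(spec, length=None):
    """Generate a password satisfying spec, retrying on max-consecutive hits."""
    if length is None:
        length = min(spec["maxlength"], max(spec["minlength"], 20))
    if len(spec["required"]) > length:
        raise ValueError("more required classes than characters available")
    allowed = sorted(spec["allowed"])
    for _ in range(1000):
        chars = [secrets.choice(sorted(cls)) for _, cls in spec["required"]]
        chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):      # Fisher-Yates with a CSPRNG
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        candidate = "".join(chars)
        if not validate(candidate, spec):
            return candidate
    raise ValueError("could not satisfy rules")


# Constructed rule string in the style of Apple's documentation.
SITE_RULES = ('required: upper; required: lower; required: digit; '
              'allowed: [-().&@?\'#,/"+]; max-consecutive: 2; '
              'minlength: 8; maxlength: 16;')

if __name__ == "__main__":
    spec = parse_rules(SITE_RULES)
    pw = generate(spec)
    print(pw, validate(pw, spec))
    print(validate("correcthorsebatterystaple", spec))
```

Running the module prints a conforming 16-character password with an empty violation list, followed by the violations for a long lowercase passphrase (too long, no upper, no digit). The point for the thread is that every rule the validator checks is the same information a site otherwise only leaks through a rejection message, so a site that publishes the attribute gets the manager-generated password right on the first attempt.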

charcircuit (yesterday at 9:30 PM)

They may be limiting entropy to make it easier for users to remember their password. A user that can't log in is most likely one that will churn.
