Lots of criticism in the article, some of it valid, none of it constructive.
Sure, there are UX problems as we're still trying to figure out what good looks like here. But in the absence of specific, concrete suggestions about how we improve usability for unphishable credentials, it seems that passkeys are a pretty good go. Perfect? No. Better than passwords? Undoubtedly.
I don't think it's the responsibility of the author to make any constructive input to the passkey problem. The point of the article is to show the valid shortcomings of this technology that a bunch of companies are attempting to force on users.
My workaround to allow passkeys to be reasonably usable is to use my password manager, just like the author of this article. This makes passkeys essentially the same as passwords.
At no point am I tying account access to a device, or series of devices, as this is ridiculous and unusable.
Passkeys as encouraged by the big companies are more about vendor lock-in than security.
> I don't think it's the responsibility of the author to make any constructive input to the passkey problem.
Oh, it's not their responsibility, sure. But moaning about the UX without considering the trade-offs and decisions that got us to this point isn't very useful. Passkeys are badly implemented on some sites. So let's fix that.
> This makes passkeys essentially the same as passwords.
Passkeys in a password manager are fundamentally different to passwords. Try copying the passkey private key into your clipboard from your password manager.
> Passkeys as encouraged by the big companies are more about vendor lock-in than security.
The fact they prevent phishing is just a useful side-effect? This is veering into conspiracy theory territory.
It's not just some sites; the article goes into more detail than this. For example, the biggest sticking point to me mentioned in the article is vendor and device lock-in. This is a recipe for getting locked out of your accounts and is far from a conspiracy theory. The only answer to this is to create multiple passkeys on multiple devices/services OR use a password manager.
This is hardly the frictionless experience promised by passkeys. And it's perfectly valid to point this out. I don't care about the decisions and trade-offs that got us to this point, nor should I have to. If you want me to use a shitshow you designed, the onus is on you to fix it, not me as the person you're attempting to force it onto.
> Passkeys are badly implemented on some sites. So let's fix that.
It's not the obligation of the Ars writer to fix that. It is their obligation to give the system a solid try and report honestly about what did and did not work.
> Try copying the passkey private key into your clipboard from your password manager.
Yeah, something that's roughly equivalent to that is coming. Used to be that you were not permitted to export key material. Now you can. This will erode further as real-world use continues.
Oh, wait. It looks like secured-only-by-a-password access to passkey private key material is already possible, today:
"Q: Are stored passkeys included in Bitwarden imports and exports?"
"A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release."
They want to share them across devices, sometimes even devices made by different vendors. They want to hand a passkey to a family member or friend. They want to not be concerned they will lose the passkey if the device they are on is lost. They want to understand what the passkey is actually doing for them when they log in, rather than it sometimes being both the username and password, sometimes just replacing the password, and sometimes becoming a sort of weird second factor thing. They want to know how they can change their passkey. The rollout of passkeys leaves a lot to be desired.
I don't disagree with you about the UX. It could be better. It could be worse. What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
> They want to share them across devices
I do this today on Bitwarden, Apple users do this today with Keychain. Who's the "they" here?
> sometimes even devices made by different vendors.
> they want to hand a passkey to a family member or friend
..... Why? What's the use case here?
Tying a credential to a single identity (and therefore, human) is another explicit design goal of WebAuthn. I seem to remember the original proposal was that locking a private key to a device in an unextractable, un-copyable way was an explicit benefit - if it can't be exported, then it can't be stolen/copied without the device also being stolen. This was softened with the purpose of allowing syncing amongst devices that already have a good story on sharing sensitive data, but this mechanism does not exist generically. There is no standard way, right now, that my iPad and Pixel device can share a private, sensitive piece of information without the help of a 3rd-party syncing provider. Without that, cross-platform credential sharing can't exist out of the box by default.
My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.
Tying a credential to a single human is exactly not something desirable for a subset of users. Some married couples essentially act as a single person in most contexts (e.g. sharing an email address and/or phone number), which kind of makes sense; legally (in many states) the point of getting married is that everything becomes shared. The goal is to reduce friction around who owns/has access to what.
The real world obviously has different constraints, but works basically in this way. e.g. if I go to drop off/pick up a prescription for my wife, I just tell them her name, not mine. We use credit cards with the other's name all the time. etc.
> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
> My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.
Mine too! We simply register multiple passkeys under the same "account" for a service and we can both log in as the same identity. Have I missed something? Why is this hard?
> Passwords, obviously.
Passkeys are trying to solve the phishing problem. I guess pretending that the problem doesn't exist is also some type of solution, but I don't think it's a very good one.
1. We don't set up accounts together. One just does it, and generally password sharing comes later at some inconvenient time (which is why they're asking the other person to deal with it). Until you can easily copy/send a passkey through an IM, they are less usable than passwords in important ways.
2. Passkeys don't even work on our desktop computer (Linux/Firefox), making them completely unusable.
I'm not pretending phishing doesn't exist, but for us, it creates problems while not solving any problem we have. I'm not really worried about phishing. Autofill and bookmarks already basically mitigate that for us. It's not like I'm going to click on a reddit link that takes me to "fidelity" and think "oh good idea I should check our brokerage".
> Passkeys are trying to solve the phishing problem.
They won't.
AIUI, their solution for this was to refuse to export the key material from its container. Now, they're allowing (or maybe "allowing") trusted third parties to copy that key material to back it up. I predict that within another couple of years, there will be a standard way for anyone to get that key material, which (from what I gather) makes their phishing-protection scheme no better than what password managers have been offering for a long time now.
EDIT: It looks like at least one major password manager will just export your passkey private keys wholesale. I guess this exciting future is here now. Details here: <https://news.ycombinator.com/item?id=42555371>
Tech support for relatives. Accessing accounts from different machines. Joint access for family members and friends. Emergency access when a phone or dongle breaks down or gets lost.
Tightly device-tied authentication mechanisms are fundamentally out of touch with the real world.
> > they want to hand a passkey to a family member or friend
> ..... Why? What's the use case here?
This is the problem, if you can't even imagine this case. Someone in their 70s who isn't great with computers would likely be very happy to share their password with a tech-savvy child who can do some things for them. Passwords make this really easy, and you can even register a second MFA that goes to the child's phone/TOTP.
You don't even need to be in your 70s or not tech-savvy. Password-sharing happens frequently between spouses, children/parents, friends and probably a lot of other cases.
> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
The current passkey implementation is: Your google/apple/microsoft cloud account lets you log into websites without a password, using a 'keyring' of 'passkeys'
But we already had countless websites with a "log in with google" button, for users who want to authenticate using their cloud account, and skip entering a password.
So they could have just kept that... exactly how it was?
The analogy is similar to swiping your credit card versus using Apple Pay. With “login using Google/Apple”, you are submitting the username and password which could potentially be harvested by malware or a key logger. With passkey/Apple Pay, you are submitting a one time token that has no value in the Dark Web.
I had a tele-medicine visit scheduled regarding my son. When I logged in, it said I wasn't authorized. My wife had no problem. So she gave me her password. We both logged in as her. Everything was fine. I'm sure this was some record-keeping issue, but if we had been using passkeys, I just would not have been able to participate.
I mean I like them in theory but they should just be passwords you can't easily copy from your password manager. You can export them, which I'm sure someone will trick people into doing, but that's somewhat different from being tricked into pasting ul0vek1tt3ns into legitimateapple-support.info.
As for sharing passkeys: never grabbed a friend's Netflix account? Had to log into your kid's college application page to confirm your income? Sign up for an appointment for your elderly parents? This is a thing people actually need to do, and value more than avoiding being phished. Believe me. It's not worth abandoning for "ok there is a possibility someone can be phished if the key material isn't protected by a hardware key and three layers of DRM".
And why do they do it? What are they trying to achieve?
I'd guess that they most likely want multiple people to be able to access a single account. Passwords are forced to be shared because a password is typically implemented as a single credential - there's one valid password for that account.
This is .... not true for passkeys. If you want two people to access the same account, they both add passkeys to that account.
Sharing passwords happens because of a property of passwords. It's not some fundamental requirement that people have. What people want is shared access.
How do you bootstrap the system? Presumably your spouse/partner/friend and you use different computers? With 1password I can just share passkeys in the UI.
I just wanted a standard data exchange interface between my browser and my preferred password manager, so that my password manager didn't have to try to emulate a human being typing or pasting a password.
That way the password would only "live" in the password manager and wouldn't need to even be easily visible to me. I almost never care what the password actually is.
But it would still be a password so compatible with most sites as-is, and easily backed up and restored on new devices.
“Huh, wonder why that didn’t autofill this time.” Person copy/pastes password from manager into phishing site.
Browser extensions do not prevent copy/pasting, or typing in, passwords. In contrast, there is no way to copy/paste or type in a passkey if the phishing site fails the key check.
Now you might say that YOU have the discipline to never do this. And it might be true. But that’s not the same as saying autofill passwords are not phishable.
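Two points from this thread are easy to see in code: a relying party can hold several passkeys for one account (the "they both add passkeys to that account" comment above), and a passkey cannot be handed to a look-alike site because the browser stamps the real page origin into the signed client data and the server checks it. The example below is added here and is not code from any commenter, from the Ars article, or from any password manager or WebAuthn library. It is a toy model: the authenticator signs with an HMAC key instead of an unextractable asymmetric key so it runs on the Python standard library alone, and the relying party name `example.com`, the constructed look-alike `examp1e.com`, and the class and function names are all assumptions made for the illustration. What it does reproduce faithfully is the server-side check order a real relying party performs on an assertion: challenge, origin, rpIdHash, user-present flag, then signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party (RP): the site the user actually has an account with.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com"}


class ToyAuthenticator:
    """Stand-in for a passkey authenticator (phone, security key, password manager).
    A real authenticator signs with an unextractable private key; this toy uses an
    HMAC key (shared with the RP at registration) so the example needs no extra
    libraries. The RP-side checks are the ones that matter for this illustration."""

    def __init__(self, name):
        self.name = name
        self.keys = {}  # credential id -> (rp_id, key)

    def make_credential(self, rp_id):
        cred_id = secrets.token_bytes(16)
        key = secrets.token_bytes(32)
        self.keys[cred_id] = (rp_id, key)
        return cred_id, key  # a real authenticator would hand back a public key here

    def get_assertion(self, cred_id, challenge, origin):
        """`origin` is filled in by the browser from the page it is really on;
        the user never types it and the phishing site cannot rewrite it."""
        rp_id, key = self.keys[cred_id]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        # authenticatorData: rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


class ToyRelyingParty:
    def __init__(self):
        self.accounts = {}  # account name -> {credential id: key}

    def register(self, account, cred_id, key):
        # Several credentials per account: one passkey per person or device.
        self.accounts.setdefault(account, {})[cred_id] = key

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify_assertion(self, account, cred_id, client_data, auth_data, sig, challenge):
        creds = self.accounts.get(account, {})
        if cred_id not in creds:
            return False, "unknown credential"
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") != challenge:
            return False, "challenge mismatch"
        if cd.get("origin") not in ALLOWED_ORIGINS:
            return False, "origin mismatch"
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user not present"
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(creds[cred_id], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"


def run_scenarios():
    """Returns a dict of (ok, reason) results for each constructed scenario."""
    rp = ToyRelyingParty()
    phone_a = ToyAuthenticator("spouse A phone")
    phone_b = ToyAuthenticator("spouse B phone")

    # Shared access without sharing a secret: two passkeys on one account.
    cred_a, key_a = phone_a.make_credential(RP_ID)
    cred_b, key_b = phone_b.make_credential(RP_ID)
    rp.register("household", cred_a, key_a)
    rp.register("household", cred_b, key_b)

    results = {}
    ch = rp.new_challenge()
    legit = phone_a.get_assertion(cred_a, ch, "https://example.com")
    results["a_logs_in"] = rp.verify_assertion("household", cred_a, *legit, ch)
    # The same signed response reused against a fresh challenge is refused.
    results["replayed"] = rp.verify_assertion("household", cred_a, *legit, rp.new_challenge())

    ch = rp.new_challenge()
    results["b_logs_in"] = rp.verify_assertion(
        "household", cred_b, *phone_b.get_assertion(cred_b, ch, "https://example.com"), ch)

    # Look-alike site (constructed name). A real browser would not even offer this
    # credential there; even if an assertion were produced and relayed, the signed
    # origin field gives it away and the RP rejects it.
    ch = rp.new_challenge()
    relayed = phone_a.get_assertion(cred_a, ch, "https://examp1e.com")
    results["relayed_from_lookalike"] = rp.verify_assertion("household", cred_a, *relayed, ch)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a password: nothing in a password ties it to the origin it was typed into, so a browser extension's refusal to autofill on the wrong domain is the only guard, and copy/paste bypasses that guard entirely. Here the origin is part of what is signed, so the server, not the user, is the one deciding whether the site was the right one.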
What stops the user pasting their password out of their password manager into a random evil site? Auto-fill isn't infallible.
This isn't a controversial topic, the data is pretty unambiguous. If you give humans a secret they can put in their clipboard and train them to enter it into text boxes, some fraction of them will send their credentials to the wrong people.
The same thing that stops the user from going through an account recovery flow to enroll an attacker's key. Such flows are of course more necessary in a world where you can easily lose/damage the only place where your keys are stored.
We're not aiming for "perfect", we're just trying to make some progress on the phishing problem.
The irony here is that many of the complaints in this thread seem to be complaining about how imperfect passkeys are. No-one disagrees that they're imperfect!
Yes, and passkeys generally help. But your concern upthread was that any mechanism that lets users share or export passkeys (or other authentication material, such as passwords) allows a user to be phished. Basically, the very fact that this is somehow accessible means a user can be tricked into disclosing it. This is correct, but my point is that perfection in that area necessarily means that a lot of things that are useful (some of which have been shared in sibling threads) are now impossible. So we should not actually aim for perfection on phishing, but just to make improvements where possible.
This. In other words, password managers have all the benefits and none of the drawbacks of passkeys. And passkeys require a password manager anyway, so why are we trying to switch?