
They want to share them across devices, sometimes even devices made by different vendors. They want to hand a passkey to a family member or friend. They want to not be concerned they will lose the passkey if the device they are on is lost. They want to understand what the passkey is actually doing for them when they log in, rather than it sometimes being both the username and password, sometimes just replacing the password, and sometimes becoming a sort of weird second factor thing. They want to know how they can change their passkey. The rollout of passkeys leaves a lot to be desired.


I don't disagree with you about the UX. It could be better. It could be worse. What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?

> They want to share them across devices

I do this today on Bitwarden, Apple users do this today with Keychain. Who's the "they" here?

> sometimes even devices made by different vendors.

> they want to hand a passkey to a family member or friend

..... Why? What's the use case here?

Tying a credential to a single identity (and therefore, human) is another explicit design goal of webauthn. I seem to remember the original proposal was that locking a private key to a device in an unextractable, un-copyable way was an explicit benefit - if it can't be exported, then it can't be stolen/copied without the device also being stolen. This was softened with the purpose of allowing syncing amongst devices that already have a good story on sharing sensitive data, but this mechanism does not exist generically. There is no standard way, right now, that my iPad and Pixel device can share a private, sensitive piece of information without the help of a 3rd-party syncing provider. Without that, cross-platform credential sharing can't exist out of the box by default.


My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.

Tying a credential to a single human is exactly not something desirable for a subset of users. Some married couples essentially act as a single person in most contexts (e.g. sharing an email address and/or phone number), which kind of makes sense; legally (in many states) the point of getting married is that everything becomes shared. The goal is to reduce friction around who owns/has access to what.

The real world obviously has different constraints, but works basically in this way. e.g. if I go to drop off/pick up a prescription for my wife, I just tell them her name, not mine. We use credit cards with the other's name all the time. etc.

> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?

Passwords, obviously.


> My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.

Mine too! We simply register multiple passkeys under the same "account" for a service and we can both log in as the same identity. Have I missed something? Why is this hard?

> Passwords, obviously.

Passkeys are trying to solve the phishing problem. I guess pretending that the problem doesn't exist is also some type of solution, but I don't think it's a very good one.


> Have I missed something? Why is this hard?

Yes,

1. We don't set up accounts together. One just does it, and generally password sharing comes later at some inconvenient time (which is why they're asking the other person to deal with it). Until you can easily copy/send a passkey through an IM, they are less usable than passwords in important ways.

2. Passkeys don't even work on our desktop computer (Linux/Firefox), making them completely unusable.

I'm not pretending phishing doesn't exist, but for us, it creates problems while not solving any problem we have. I'm not really worried about phishing. Autofill and bookmarks already basically mitigate that for us. It's not like I'm going to click on a reddit link that takes me to "fidelity" and think "oh good idea I should check our brokerage".


> Passkeys are trying to solve the phishing problem.

They won't.

AIUI, their solution for this was to refuse to export the key material from its container. Now, they're allowing (or maybe "allowing") trusted third parties to copy that key material to back it up. I predict that within another couple of years, there will be a standard way for anyone to get that key material, which (from what I gather) makes their phishing-protection scheme no better than what password managers have been offering for a long time now.

EDIT: It looks like at least one major password manager will just export your passkey private keys wholesale. I guess this exciting future is here now. Details here: <https://news.ycombinator.com/item?id=42555371>


> Why? What's the use case here?

Tech support for relatives. Accessing accounts from different machines. Joint access for family members and friends. Emergency access when a phone or dongle breaks down or gets lost.

Tightly device-tied authentication mechanisms are fundamentally out of touch with the real world.


> > they want to hand a passkey to a family member or friend

> ..... Why? What's the use case here?

This is the problem, if you can't even imagine this case. Someone in their 70s who isn't great with computers would likely be very happy to share their password with a tech-savvy child who can do some things for them. Passwords make this really easy, and you can even register a second MFA that goes to the child's phone/TOTP.


You don't even need to be in your 70s or not tech-savvy. Password-sharing happens frequently between spouses, children/parents, friends and probably a lot of other cases.


I share accounts with my spouse using passkeys just fine. We just register our own passkeys. shrug.


Okay, you've got an elderly parent on the phone. How do they register a passkey for this website they've signed up to and don't know how to use?


> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?

The current passkey implementation is: Your google/apple/microsoft cloud account lets you log into websites without a password, using a 'keyring' of 'passkeys'.

But we already had countless websites with a "log in with google" button, for users who want to authenticate using their cloud account, and skip entering a password.

So they could have just kept that... exactly how it was?


The analogy is similar to swiping your credit card versus using Apple Pay. With “login using Google/Apple”, you are submitting the username and password which could potentially be harvested by malware or a key logger. With passkey/Apple Pay, you are submitting a one time token that has no value in the Dark Web.


> Why? What's the use case here?

I had a tele-medicine visit scheduled regarding my son. When I logged in, it said I wasn't authorized. My wife had no problem. So she gave me her password. We both logged in as her. Everything was fine. I'm sure this was some record-keeping issue, but if we had been using passkeys, I just would not have been able to participate.


I mean I like them in theory but they should just be passwords you can't easily copy from your password manager. You can export them, which I'm sure someone will trick people into doing, but that's somewhat different from being tricked into pasting ul0vek1tt3ns into legitimateapple-support.info.

As for sharing passkeys: never grabbed a friend's Netflix account? Had to log into your kid's college application page to confirm your income? Sign up for an appointment for your elderly parents? This is a thing people actually need to do, and value more than avoiding being phished. Believe me. It's not worth abandoning for "ok there is a possibility someone can be phished if the key material isn't protected by a hardware key and three layers of DRM".


> ..... Why? What's the use case here?

Others have pointed out use cases, but please step back for a second. Sharing passwords is extraordinarily common for a variety of legitimate reasons.


And why do they do it? What are they trying to achieve?

I'd guess that they most likely want multiple people to be able to access a single account. Passwords are forced to be shared because a password is typically implemented as a single credential - there's one valid password for that account.

This is .... not true for passkeys. If you want two people to access the same account, they both add passkeys to that account.

Sharing passwords happens because of a property of passwords. It's not some fundamental requirement that people have. What people want is shared access.


How do you bootstrap the system? Presumably your spouse/partner/friend and you use different computers? With 1password I can just share passkeys in the UI.
