The end of "the end of passwords"?
April 26, 2024 11:40 AM

At this point I think that Passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype. Corporate interests have overruled good user experience once again. Just like ad-blockers, I predict that Passkeys will only be used by a small subset of the technical population, and consumers will generally reject them. To reiterate - my partner, who is extremely intelligent, an avid computer gamer and veterinary surgeon has sworn off Passkeys because the user experience is so shit. She wants to go back to passwords. And I'm starting to agree - a password manager gives a better experience than passkeys. That's right. I'm here saying passwords are a better experience than passkeys. Do you know how much it pains me to write this sentence?
Aussie software engineer William "Firstyear" Brown pours one out for the "shattered dream" of passkeys.

TechRadar: Passkeys are getting ready to take over - but how locked in will you be?
Since the private portion of the cryptographic key is stored on device, big tech seems to have seized the opportunity to keep their users locked into their respective ecosystems, not making it possible to use them cross-platform. However, the situation does appear to be opening up somewhat, but there are still concerns about their entrenchment, as well as some possible safety concerns too.
SlashID: The good, the bad and the ugly of Apple Passkeys
In this article we’ll explore the Apple passkeys implementation, how passkeys compare to traditional FIDO credentials and why the decision of Apple to get rid of device attestation and resident keys is a significant step back for security.
WIRED: I Stopped Using Passwords. It’s Great—and a Total Mess
When passkeys work seamlessly, it’s a glimpse of a more secure future for millions, if not billions, of people, and a reinvention of how we sign in to websites and services. But getting there for every account across the internet is still likely to prove a minefield and take some time.
posted by Rhaomi (45 comments total) 23 users marked this as a favorite
 
I have often thought that we need a non-profit, audited, third-party authority for online authentication. I don't want to have my passwords managed by Google or Facebook or Apple, whose products I may or may not choose to use.

I understand passkeys aren't bound to the majors, but I'm a "best tool for the job" kind of guy, and use macOS and Windows and Linux, Android and iOS, all of which may be used on a day-to-day basis and in different contexts. Passkeys have proven baffling the more you cross contexts and operating systems. I completely understand passkeys in theory, and even if I'm in favor of some sort of public/private key structure replacing guessable passwords - and I am in favor of that - the current implementation and corporate stewardship simply doesn't fit my multi-OS, multi-device use case.

I may be an outlier but this does not seem to be happening, either within the tech world or with users with more simple needs.
posted by eschatfische at 11:59 AM on April 26 [11 favorites]


Passkey will not succeed in its current form for one simple reason:

"Passkeys are an evolving specification..."
posted by Dysk at 12:10 PM on April 26 [7 favorites]


The second I heard about passkeys, I thought “here’s yet another lump-o-tech dreamed-up by a crowd with an utter ignorance of, and often disdain for, the needs of the consumers.” See also: TFA.
posted by Thorzdad at 12:14 PM on April 26 [20 favorites]


Uuuuuuuuuuugh, dammit, I wanted passkeys to work. Because MFA is shit UX.
posted by humbug at 12:19 PM on April 26 [7 favorites]


I think I set up passkeys for my Google account and a bunch of others a year or two ago, but I'm still barely cognizant of when any given website that takes passkeys is using the passkey, versus simply leaving me logged in from an earlier session. It's a technology that is so unintrusive (when it works) that I barely even know it's doing anything for me. In the meantime, I feel like I've got a perfect handle on my password situation thanks to the readily available, mostly-unbreakable password managers I have at work and at home.

The only thing anyone really has to remember with passwords is to not use the same damn one every time they create an account, and modern password managers remove 99% of the mental labor and fiddling that used to be associated with that. It's easy.

Meanwhile, passkeys ask me to place all my trust in some fully opaque online cryptography doodad to not let anyone who isn't me into my stuff; the doodad never asks me any questions or demands proof that I am who I say I am, it just kinda lets me through, which makes me wonder what it does on those occasions when it's not me.
posted by Strange Interlude at 12:25 PM on April 26 [6 favorites]


Functionally, for the end user, isn't a passkey just using a cell phone as a much easier token key fob? I agree that Google etc. should not have control over security, but I guess I don't get the opposition to it on the basis that it seems more or less like an easier way to implement a key fob (which was also vendor-specific).

MFA is shit UX

I mean, this, basically?
posted by They sucked his brains out! at 12:26 PM on April 26 [2 favorites]


My first reaction was, "Apple and Google and Microsoft and PayPal want passkeys to happen? No, thank you."
posted by ob1quixote at 12:28 PM on April 26 [6 favorites]


The doodad never asks me any questions or demands proof that I am who I say I am

I'm not sure about Google, but passkeys via iOS doodads use biometric recognition (or revert back to the doodad/device key code, if you choose not to use biometrics).
posted by They sucked his brains out! at 12:28 PM on April 26




On Replacements for Passwords

not really being a tech type, I particularly like this part:

the following philosophical objections may also apply:

□ It relies on a psychologically unnatural notion of "trustworthiness"
□ People want to present different facets of their identity in different contexts
□ Not everyone trusts your government
□ Not everyone trusts their own government
□ Who’s going to run this brand new global, always-online directory authority?
□ I should be able to authenticate a local communication without Internet access
□ I should be able to communicate without having met someone in person first
□ Anonymity is vital to robust public debate

posted by philip-random at 12:49 PM on April 26 [17 favorites]


I think part of the challenge is that for something like this change needs to be forced on most people, it won't be from most folks voluntarily changing. The number of conversations I've had to have with my own friends and family to get them to use multiple passwords, to say nothing about trying to push for a password manager, is so high. For a lot of people, passwords work and they understand them. In my experience, people don't realize the downsides until they get hacked, and then it's too late. I've heard a few times oh I should have listened to about basic password security stuff. And even that was thought a too high bar to clear.
posted by Carillon at 12:54 PM on April 26


I'm very technical and have generally good password practices (unique, random, etc) so should've been a good candidate as an early adopter, but I noped out right away because I couldn't find a way to migrate them to another platform.

Nowadays, when considering adopting any service (e.g. notes, feed reader, payment service, credential service) my first questions are "What are the switching costs? How do I get out? What can I take with me?"
posted by microscone at 12:56 PM on April 26 [23 favorites]


This is weird because i’ve been really impressed with the seamlessness of 1Password’s passkeys implementation. It works cross-platform with zero friction, and if i’m on a device where my 1Password isn’t logged in, i only have to open my camera on my phone, and i think it’s two taps after pointing it at the QR code.

That said, i use 1PW religiously, have a high level of trust in 1PW, and have no plans to migrate off.

(1PW also makes MFA nearly-seamless, but that’s because i’m not *really* using it correctly, given that it’s stored alongside my (strong, unique) passwords.)
posted by supercres at 1:07 PM on April 26 [2 favorites]


I associate Passkeys with asking me if I want to use biometrics, and in the U.S., cops can force your accounts open with biometrics but not with passwords.
posted by tofu_crouton at 1:10 PM on April 26 [27 favorites]


I associate Passkeys with asking me if I want to use biometrics, and in the U.S., cops can force your accounts open with biometrics but not with passwords.

100% this! The whole "biometrics" push whenever I read about passkeys is what kept me from continuing to read about passkeys. Absolutely nobody should be using biometrics for security (or allowing their biometrics to be recorded by others for "security" purposes), and not just b/c of what cops can do with it. "Biometrics" is just a fancy term for turning your physical features into data, and data will always be hacked! When your facial recognition pattern or fingerprints are stolen by hackers and used to impersonate you (and they will be), what are you going to do - get plastic surgery?
posted by Pedantzilla at 1:40 PM on April 26 [16 favorites]


Just a quick FYI for iOS users: If you're using FaceID to unlock your phone and/or a password manager and get into a situation where you need to protect your phone, tap the lock button 5 times.

The phone will require a password to unlock it. FaceID will be disabled.
posted by JoeZydeco at 1:47 PM on April 26 [17 favorites]


Just a quick FYI for iOS users: If you're using FaceID to unlock your phone and/or a password manager and get into a situation where you need to protect your phone, tap the lock button 5 times.

The phone will require a password to unlock it. FaceID will be disabled.


Alternatively you can hold the power + one of the volume keys for about two seconds until you feel a light vibration, which may be easier to remember or faster for you.
posted by General Malaise at 2:01 PM on April 26 [11 favorites]


I knew about the former shortcut but not the latter. Pure fantasy but I really want to believe whoever at Apple implemented these had NWA’s Fuk Da Police on loop that whole afternoon.
posted by Ryvar at 2:13 PM on April 26 [5 favorites]


Just a quick FYI for iOS users

For Android users using fingerprint/face unlock, you can quickly and temporarily disable biometric login at ANY time by long-pressing the power key and touching the "Lockdown" icon, after which your next login will require the passcode.
posted by Greg_Ace at 2:27 PM on April 26 [6 favorites]


None of these "solutions" approach the flexibility, power, and usability of password managers + passwords. It's not even close. They're not solving anything.

More importantly: everyone needs to be able to use authentication. Everyone. This includes older people, children, people with sensory or cognitive impairments. Every time you introduce a new mechanism for authentication you are heavily impacting all of these users and simultaneously increasing the chance that they'll be deceived or defrauded. The impact of changing an existing, working authentication mechanism across the entire population is devastating. This includes the constant deluge of UI changes. Authentication needs to be a consistent experience. Good enough is good enough.
posted by phooky at 2:38 PM on April 26 [14 favorites]


It’s essential to be able to lock your phone without looking at it, with your hand in your purse/pocket, under duress. If you need to do anything but grab and squeeze it’s just not gonna happen when you really need it.

Thanks for the note about power and volume squeeze and hold to lock on iOS. It even works on my ancient 6S.
posted by seanmpuckett at 2:38 PM on April 26 [4 favorites]


For Android users using fingerprint/face unlock, you can quickly and temporarily disable biometric login at ANY time by long-pressing the power key and touching the "Lockdown" icon, after which your next login will require the passcode.

fortunately, my Android phone erratically and randomly and at least once every fucking day will tell me it needs me to enter my slightly complicated password to unlock instead of just opening with biometrics (fingerprint or camera), an act which while it doesn't take more than a couple of seconds does seem to interrupt me trying to grab that photo or make that call or whatever.

O Android, my Android, why do you suck so much?
posted by chavenet at 3:01 PM on April 26


my Android phone erratically and randomly and at least once every fucking day will tell me it needs me to enter my slightly complicated password to unlock instead of just opening with biometrics (fingerprint or camera), an act which while it doesn't take more than a couple of seconds does seem to interrupt me trying to grab that photo or make that call or whatever.

Oddly enough I believe that's a security feature as well. The idea is that if someone (police, or phone-thieves if you need a publicly acceptable adversary to blame) has your phone, they can't know if you performed an action to lockdown your phone (in which case they could potentially compel you to unlock it, depending on jurisdiction/legal state), or if it's at random. Or if someone's got your phone for an extended period of time, eventually they couldn't rely on your biometrics.

(at least, I believe I saw something to that effect when lockdown mode was announced)
posted by CrystalDave at 3:12 PM on April 26 [2 favorites]


I don't think I've even encountered anything trying to get me to use a passkey. I really have no idea how they are supposed to work, or how they are theoretically better than a password, or 2fa.

Also god 2fa is fucking annoying and I guess I sort of assume that any other attempt to replace passwords/2fa will be equally annoying, so I'm sure not gonna waste any energy on trying to use them until something I want to use forces me to use it.

I just tried the demo on passkey.org and the resulting passkey only seems to be accessible on my Mac by searching the horrible new interface to passwords in the horrible new System Preferences, Keychain Access shows me nothing. Wonderful. Great. That sure makes me want to use them. Hopefully they'll die before anyone tries to make me do that.
posted by egypturnash at 4:05 PM on April 26 [2 favorites]


I'm 100% on board with the passkeys vision but the user experience now is terrible. I spent some time in April trying to get them working again in my environment, some mix of Google Chrome, Windows, Android, and 1Password. Total disaster. 1Password still doesn't work on Android. It sort of works on Chrome in Windows but not entirely, removing it was a key step in making anything work sort of OK. I kind of got login working using Google to store my keys but then I hit a different bug that made Chrome unable to delegate to the right device. Lots more details of my experience in this blog post.

My problems were mostly variants of "this product doesn't work right yet". The linked primary post here talks about a different set of problems, the way Google and Apple aren't working in good faith. I'm convinced that's a big part of why 1Password doesn't work well: either Google and Apple aren't very motivated to help with that integration or else are actively thwarting it.

It's absolutely unacceptable that we're over a year in to passkeys being available and no vendor has any answer for "how do I migrate my authentication tokens to a different system?"
posted by Nelson at 4:06 PM on April 26 [4 favorites]


Oddly enough I believe that's a security feature as well. The idea is that if someone (police, or phone-thieves if you need a publicly acceptable adversary to blame) has your phone, they can't know if you performed an action to lockdown your phone (in which case they could potentially compel you to unlock it, depending on jurisdiction/legal state), or if it's at random. Or if someone's got your phone for an extended period of time, eventually they couldn't rely on your biometrics.

I suspect this is sort of right but also sort of wrong. I don't think it has to do with plausible deniability because having just used the Lockdown feature for the very first time, when you attempt to unlock the phone again it tells you "[fallback method] is required after lockdown." This is different from the message you get when Android randomly decides to lock your phone down more than usual.

However I think the general principle does apply, as the other message I think says it's for enhanced security. So the second reason you put forth (eventually they'll be locked out of the phone because biometrics will no longer work) might be the real reason. I think Android prevents you from changing unlock options if you don't have the PIN/pattern/etc as well so this method would be effective in locking unwanted people out of your phone... eventually.
posted by chrominance at 4:15 PM on April 26 [1 favorite]


And it's not like even 2fa is great, I just overheard the people sitting down at the next table in the cafe say "I absolutely despise Authenticator".

Passwords suck but nobody's come up with a replacement that doesn't suck even more.
posted by egypturnash at 4:25 PM on April 26 [3 favorites]


Really, what sucks is that passwords have to get more and more convoluted that you yourself can't remember them, except you HAVE to remember them when they don't get saved or get purged off your computer, and you still get hacked every 4 months.
posted by jenfullmoon at 5:18 PM on April 26 [1 favorite]


And it's not like even 2fa is great, I just overheard the people sitting down at the next table in the cafe say "I absolutely despise Authenticator".


Google is like enter your password, now click ok on your phone, wait, are you sure this is you? Like shit, Google, you know damn well it's me, and I feel like this pw and 2fa business is a fig leaf hiding the fact that you know where I am and what I am doing at all times.
posted by Literaryhero at 6:19 PM on April 26 [5 favorites]


...fortunately, my Android phone erratically and randomly and at least once every fucking day will tell me it needs me to enter my slightly complicated password to unlock instead of just opening with biometrics (fingerprint or camera)...

My Samsung phone is set for fingerprint unlock. This is easy and reliable. But when I carry the phone on bike rides, it's in the center rear jersey pocket, against my lower back, with the screen inward and the camera side outward. The fingerprint method is typically turned off after carrying it for a while. I assume the fingerprint reader gets confused when carrying it this way.
posted by jjj606 at 6:29 PM on April 26 [1 favorite]


Google’s forced “use the app on your phone to verify” is awful and not at all helpful when for example I’m trying to help my in-laws who are out of state and have no clue what’s up. Or when I’m setting up my new phone, and it asks me to open some app on the iPad I don’t have with me, with no workarounds?
posted by caution live frogs at 7:24 PM on April 26 [1 favorite]


I am using possibly one of the oldest Apple iphones 6 in daily use - it has the 2fa for my most important work portal on it and the phone basically lives next to my laptop.

I'm not sure what will happen first - I retire or I get a new phone.
posted by Barbara Spitzer at 9:06 PM on April 26


None of these "solutions" approach the flexibility, power, and usability of password managers + passwords. It's not even close. They're not solving anything.

I have zero experience with passkeys and I am not a security researcher, but it seems to me that part of the issue is the sheer lack of standardization - everybody just does their own thing and it's usually the cheapest, crappiest option. Most of my US financial institutions force username/password and when they get inevitably hacked, they slap on SMS 2FA as the ONLY 2FA option, no alternative. Not only is it stupid and insecure, as someone who spends a significant amount of time outside the US, paying for US roaming mobile service for this one reason is incredibly inconvenient, expensive, and annoying.

What I think would be great (at least from the end-user angle) would be something like the Swedish/Norwegian BankID. A single ubiquitous app that lives on your phone, is universally recognized by everyone, and is dead-simple to use. Of course a system like that depends on trust in institutions, which is basically nonexistent in the US, so I'm not counting on ever seeing it.
posted by photo guy at 12:37 AM on April 27 [1 favorite]


I know we are talking about passkeys, but can someone explain to me why SQRL didn't take off when it was introduced to fanfare 4 years ago? It seems like it solved these problems already, (and even solved a few novel problems, like how to safely login on a shared and untrusted computer) ... but no big sites ever adopted it.
posted by warreng at 4:40 AM on April 27


I just spent 30 minutes going down the Passkeys rabbit hole. In my environment day to day: Linux, GrapheneOS, IOS, MacOS, virtual Win10, tablets, cell phones, laptops and PC's, plus various IOT devices scattered around my home network...and that's before I get to work.
Given I'm a technical dilettante who paradoxically often is the one who suggests and helps people at my employment to do basic security things and other technical problem solving because I go down rabbit holes for my own use....I have no clue how 1Password is implementing this system across my devices. It seems like it's saving me some steps or logins yet the sum total of all the password prompts/logins/biometric challenges/ 2FA....jesus, kind of a rats nest of potential fails that I only manage because I'm paranoid and risk averse.
If I end up or get one 'uber' password (Passkey) that in some sense seems like a way to get uber-hacked. Only a platform like 1PW, LP or something similar is going to manage this across all the implementations of it in a way that lets me get something actually done rather than using another auth mechanism that's inconsistent. While I think I have 1PW locked down 9 ways from Sunday, I could have left a blazing gap in my defenses due to user error. Never going to support this for others as I'm unable to consistently apply it now.
posted by diode at 6:39 AM on April 27 [1 favorite]


The article starts from an entirely false premise. Passkeys can be transferred between devices but the whole point of passkeys is to enroll devices into the trust chain. You're supposed to be able to put multiple public keys on the same username. That's the whole point. Apple just shortcuts this process by having passkeys sync via the iCloud Keychain because the devices have already been bootstrapped into the iCloud chain of trust.

The point is, people need to think of passkeys as enrolling devices to trust, not single passwords for usernames. They're utterly brilliant pieces of tech and probably vital for thwarting the next generation of security threats and actors.
posted by Your Childhood Pet Rock at 8:35 AM on April 27


The point is, people need to think of passkeys as enrolling devices to trust, not single passwords for usernames.

This limits the use cases dramatically though.
posted by Dysk at 8:42 AM on April 27 [2 favorites]


This limits the use cases dramatically though.

No it doesn't because even if you need ad-hoc access on an untrusted device that's not yours or you don't directly control (work, school, friend's PC) there's still workflows to have enrolled devices sponsor them for ad-hoc access.
posted by Your Childhood Pet Rock at 8:46 AM on April 27


...which doesn't work if you don't have immediate access to an already enrolled device, and haven't been able to foresee the need.
posted by Dysk at 9:23 AM on April 27 [6 favorites]


the whole point of passkeys is to enroll devices into the trust chain.

99% of Internet users, if they've heard of passkeys at all, understand them as "the thing that lets me log in by pressing a button on my phone". (Or maybe on their desktop computer.) The whole idea of "trust chain" and multiple devices is completely opaque to ordinary users. Which is as it should be! But the requirement that civilians have to understand this complex thing is part of the problem with Passkeys as a consumer product.

I'm technical enough to know what "enroll devices into the trust chain" means. As Dysk says, it's really limiting. My main concern is what happens if I use my phone as my passkey store and then get a new phone. Do I have to enroll the new phone separately into 100 different websites? I think that's the only answer if you want to do something as rash as switch from an Android phone to an iOS phone. Unless maybe if you use 1Password, only that doesn't work very well at all in my experience.

Also as you say the whole "enroll devices" thing gets highly confused by the way Apple and Google and 1Password are actually sharing the passkeys among your devices in some opaque, proprietary, non-interoperable way. The point of the essay in the post here is how the vendors seem to be working to protect their silos as a form of user lock-in. That is unacceptable for a consumer authentication technology.

It's all just really confusing as a product. And like I said above, even trying to do the one supported thing in one vendor (Google Chrome for me) doesn't really work right.
posted by Nelson at 11:25 AM on April 27 [3 favorites]


Tl;Dr: human security is really hard, and we have no good answers for it today.

I work for a big tech company that you statistically deeply hate, and I don't know anyone who has an at all good answer for these problems.

The big problem with passwords, honestly, is that no one actually uses them well, and a lot of the reason is that the threat model is fundamentally unintuitive for people, and the workarounds very inconvenient. In particular, people believe they are better at keeping them secret and secure than they actually are, because they don't control the other side of the equation, and don't necessarily realize the cost of losing them - okay, so it's just your Gmail... Except that can password reset your bank. So it's just Facebook... Which you can use to fool your spouse into giving up your Gmail etc.

This goes with the "I'm not a target" fallacy. Passwords on their own have been an unmitigated disaster, because systems are used by humans.

So we have password managers, which I can use because I'm a tech, but I absolutely can't get my grandmother to use. My partner does use one, but forces it to use her standard password just in case she loses access to the password manager.

So phone 2fa also sucks, but it's actually pretty effective against dragnet style attacks - if someone wants to hack specifically you, you're still fucked, but at least it covers the "I'm trying 100000 accounts I bought off the dark web" case pretty well.

Account takeovers are very, very common for most social media, and particularly using them to auto-scam people connected to them is depressingly common today. This is considered the fault of the tech companies for the people affected, and it's honestly not an unreasonable confusion - they're the ones who are supposed to understand it. Hence forcing things like 2fa, despite the regular accusations of it being for marketing.

I have a hardware yubikey for work, and it's honestly great - for me. But if my mom needs that token to log into her bank... What happens when she loses it, as she will?

I do find it odd that so many consider their threat model to be a traffic stop and not scammers taking their money, but I also get it - after all, that's the one that no one blames you for, and the one that you're not too smart for. The world is littered with the empty bank accounts of the too smart who were tired one day.
posted by jaymzjulian at 3:33 PM on April 27 [4 favorites]


The new hot trend in web tech is for websites/apps to force you to authenticate by sending you an email or text message, with no password option at all. I hate it so much.
posted by tovarisch at 6:29 PM on April 27 [7 favorites]


Your favorite authentication method sucks.
posted by Greg_Ace at 8:25 PM on April 27 [3 favorites]


Passwords are great, really. I know there's a bunch of security issues (which can be mitigated to varying degrees) but there is also just so much versatility that nothing else can match. Nothing else lets someone get into my accounts on my behalf with just a phone call or in person conversation through glass (like in the event of an arrest). Nothing else lets me carry my credentials entirely in my head, but still be able to communicate them to a third party if I need to (e.g. in a will). Nothing else lets me choose where to fall on the ease of use vs secure spectrum on so fine-grained a level (email and bank accounts get unique, strong passwords, forums where I make a half dozen posts can share an easy-to-remember password that is much less secure, because I just don't care if someone gets into the account where I posted in a bass guitar forum about pickups twice). They're entirely device agnostic. They work on borrowed hardware in incognito tabs without fuss. I can choose how much I want to silo a particular account easily, because there are no shared credentials or centralised login system, unless I go out of my way to choose that. It doesn't rely on me having access to my phone, or my email, or a weird hardware dongle, or anything at all other than my own brain (and if I haven't got access to that, I've got bigger problems to deal with). There is no single point of failure (unless I decide to use a password manager for everything, or only ever reuse the same one password and username/email). I can have shared accounts/credentials in a way where the system (both the system I'm logging into, and the credential system itself, since they are one and the same) cannot know anything about which particular person is logging in to the account, or whether an account is accessible by one, two, ten, or a hundred people.

No potential replacement I know of can do even half of these things. Passwords will not go away, because you just don't need every account to be maximum security, and the flexibility is worth a lot more to most of us than a lot of cryptography nerds realise or are willing to accept.
posted by Dysk at 3:04 PM on April 28 [2 favorites]


Why Passkey Implementation is 100x Harder Than You Think – Misconceptions, Pitfalls and Unknown Unknowns
“Ah yes passkeys, pretty cool technology and great that there’s already wide support, plus an open standard that they are built on. I’ll just grab one of the libraries for my framework and that should do the job. I don’t think I need any help or service. I’m a decent coder and have added auth packages dozens of times in the past.”

This is a typical conversation I had over the past 24 months with many developers. And I have to admit, that this was also my initial thought when I encountered passkeys for the first time in May 2022: It shouldn’t be too hard. It shouldn’t be too complicated. Hey, in the end, it’s just another way of doing (passwordless) authentication. And here I am in mid-2024, still discovering new cases you need to take care of in real-life applications. That’s the reality - which fascinates me.

With this blog post, I want to share with you the learnings on my way when working on a passkey-first auth solution with Corbado. All the hard truths, the unknown unknowns (factors that were not anticipated prior to my experience, essentially things we did not know we did not know), and the misconceptions should be uncovered, so that you know what to consider when implementing your own passkey-based authentication.

Whether you're at the initial stages of adoption, considering enhancing your existing systems with passkeys or starting a passkey-first authentication project, this guide will help you avoid common pitfalls.
posted by Rhaomi at 7:29 PM on May 2

