Posted by todsacerdoti 7 days ago
I also think there's still an enormous ignorance from passkey devs that lots of people want to occasionally log into personal services from locked down corporate machines, and the flow to deal with this is at best terrible but more often non-existent, and developers with typically enhanced privileges just aren't able to conceive how difficult this is.
1. Start to login to the site.
2. When it gets to the point that you would choose to use a passkey if you were logging in at home, there should be some option that lets you say you want to use a passkey on another device. You can use that to tell it you want to use a passkey that is on your phone.
3. It gives you a QR code to scan with the phone, and then you complete the login using the passkey manager on the phone.
On the other hand, I thought I had fully researched how passkeys work and literally never came across it.
So it kind of just continues to support my concern that passkeys are just too complicated to understand. If I'm at another device I need to log into, I would have just assumed I couldn't.
There needs to be a simple mental model for users. I'm not saying passkeys can't underlie that, but I think the UX still just hasn't been fully figured out yet.
If there is no passkey on the local device, a QR code will appear which you can scan with your phone or tablet, and use the passkey for the account from that device. It just kind of happens, typically without the user having to do anything special.
I will say though, corporate devices can be a bit of a wildcard as they are usually configured and locked down for a specific purpose. But the cross-device flow is generally not blocked by organizations.
What I'm saying is, I thought I had the right mental model of how passkeys work, after researching them, and that mental model told me you wouldn't be able to log in on a different device without going through a whole procedure to set up a new passkey, which you wouldn't want to do for something temporary.
The mental complexity is just too much for me to trust that if I adopt them, they'll work when I need them. The fact that I got this thing wrong means there's probably other things I'm still getting wrong.
I understand passwords and password managers and even 2FA. I feel like I can plan how to use them right so it all works and I don't need to worry about not being able to access my accounts. I just don't have that confidence with passkeys.
This is usually a bad idea, and is sometimes expressly forbidden.
But, more generally, there must be a flow for accessing your account when the passkey is not available, and possibly cannot be recovered.
Logged into Passkeys.io on my phone, and created a passkey.
Then tried to log in to it on my Windows desktop, using the "With my phone" option. First time around it failed to connect to my phone. Future times it connected, but told me that the phone had no appropriate passkeys on it. At which point I gave up.
Edit: I then tried on GitHub, and it worked perfectly! Okay, that's pretty awesome.
Corporate installs disable all USB functionality, and remove the ability to sync profiles? Something like that?
As a tech-savvy user fully aware of the underlying machinations involved with passkeys, I greatly prefer their simple, fast login experience over: username submit password submit TOTP submit, and especially over the much-worse "we've emailed you a code" login slog.
Passwords on a piece of paper for better or worse do not have that problem.
And even if they're not, if they have a computer or tablet, the passkey will still be available there assuming they share an account.
You can also recover your iCloud Keychain via a designated/trusted Recovery Contact (e.g. spouse, who presumably hasn't destroyed their phone at the exact same time), or via iCloud Keychain escrow.
https://support.apple.com/guide/iphone/passwords-devices-iph...
I experienced Google's recently and it was very robust.
Even before passkeys, the average user would have major problems if Apple and Google didn't have good account recovery processes.
which is why at the very least your email provider gives you a recovery kit to print out (the equivalent of the notebook) and if you can get back into that account you'll likely be able to get into whatever else you signed up for.
There's no difference here between passkeys and any other central storage be it a password manager or a physical notebook. If you lose that access, well you're screwed. But it always beats having hotdog123 as your password for 70 different sites.
It's much more difficult to make comparable backups of passkeys due to all the "anti phishing" / vendor lock-in rules most platforms have.
This is without 2fa enabled on my Google account.
I'm also pretty sure I don't have any accounts that can ONLY be accessed via passkey.
Maybe because your kid was playing with your phone and kept entering the wrong passcode and now you’re locked out for several hours?
Or because Apple detests anyone else touching your phone and you’re traveling internationally and your screen cracked and you took it to a local repair shop which in the process of replacing the screen triggered something Apple didn’t like and you’re locked out for a decade.
For phishing protection, passkey as a single factor is better than memorized password + TOTP/SMS two factor.
Bitwarden is my personal choice.
Passwords I can see myself and make the informed decision to use temporarily somewhere else.
https://news.ycombinator.com/item?id=46252114 https://news.ycombinator.com/item?id=42350245
They closed my PayPal account for TOS violation after donating to The OpenBSD Foundation. I wouldn't trust them as far as I could throw them.
I can't speak for other platforms; I stopped helping ${EXTENDED_FAMILY} with non-Apple questions because the crap I had to diagnose, debug and deal with for Windows and Android was worse than ${DAY_JOB}.
All sync seamlessly and support the major (and often minor) browsers.
On Apple devices I get a neat experience out of the box; on Linux (+Firefox) I'm forced to use Bitwarden because Mozilla is being Mozilla.
Never had any issues ever with passkeys.
I don't want to use google/apple/microsoft for any credential manager because: google is evil; apple has locked me out of my apple id (and lost things like the recordings of conversations with my father during his hospice); microsoft keeps getting worse and more annoying to use.
So ok, I need some credential manager. I used keepass previously... but how do I vet other credential managers? I don't want an online backup. I want my credentials to only be on my computers. So now I gotta learn about which apps are ok, don't have cloud syncing, can export files, and be compatible with MacOS.
And I have to learn what is FIDO? Like FICO? Why do I need to sync with FIDO? What is it? Will it give my credential store to others?
How is this easier or more convenient than a user/pass with 2fa?
I feel like I am going to accidentally leak my credentials and have no way of knowing
If an "online" password manager uses end-to-end encryption, then the credentials really are only on your computers. The only thing "in the cloud" is encrypted blobs of data being moved around for the purpose of device sync and backup.
This insistence on using local non-syncing password managers is a masochistic exercise in making life difficult for yourself with no security benefit.
Let me rephrase: for the majority of users, the usability and resilience benefits of synced credentials are enormous, and the security costs are marginal at best. But this rests on a number of assumptions. YMMV.
FIDO is a standards body which produces specifications used by these systems.
I’m a technical guy, but I really don’t understand what the fuck is going on when I use a passkey. All I know is one day it appeared as an option and it let me login to things. I don’t really understand where it lives, what device it’s tied to, how scanning a QR code on Google Chrome on my phone magically logs me in, etc etc.
The user was not educated on this. Hacker News is the top 1% of computer power users. You gotta understand to someone’s grandma or mom or brother who works in real estate none of this makes any sense nor will they educate themselves on what it is.
I've only experienced using passkeys with 1password and it's smooth as butter. Assuming 1p is unlocked:
To login: press login with passkey on website -> press sign in on 1p extension pop-up -> done
To create account: click create passkey on the website -> click save on 1p extension pop-up -> done
Tbh I think it's more important to get people to use password managers than passkeys.
> Add a passkey? "amazon.com" supports passkeys, a stronger alternative to passwords that cannot be leaked or stolen. A passkey for "xxxxx@xxxxx.com" will be saved in "Passwords". Touch ID to Save Passkey Cancel
I don't have the slightest idea what "Passwords" is as the destination. My iCloud keychain? My Google account? My 1Password?
On the other hand, you can understand why that is not remotely clear from the message. It's a generic term in quotes. If it said it would be saved "in the Passwords application (and synced to iCloud)", then I'd actually understand it.
So Apple is either being intentionally obtuse or incompetently confusing here, and I don't know which is worse. And it's UX crap like this which is why I still won't use passkeys, because I don't know where anything is going.
If I’m using a passkey to login to my Gmail via chrome browser but used my phone what just happened - did it save in chrome? My Google account? My iPhone?
Passkeys, stored in Bitwarden, give a lot of the same convenience, but without the vendor lock-in. We shouldn't be scaring people away from passkeys, when commonly used alternatives are much worse.
You can't back up your passkeys and wind up with something you put in a safe on a USB key or something and vendors have been aggressively trying to make that harder.