> With Apple's keychain, and I suspect other companies' solutions, passkeys are connected to your account
And from this account you may be locked out for various reasons anytime, as it happened to countless persons previously, violating exotic or even understandable rules, or just been in the crossfire of some galactic corporate incompetence (some f'd up), but this way you'd be locking yourself out of everything especially if you were that user in the vacuum, exposing yourself to the mercy of a single organization with changing managemenet and incentives as the wind turns in a city's dense downtown.
>exposing yourself to the mercy of a single organization
The nice thing about passkey is that unlike password, you can have multiple per account.
So you can register a passkey from 1password to website A, and also register a passkey from Apple keychain to website A, and also register a passkey from Google account to website A, and also register a passkey from yubikey to website A, so even if you are locked out from one of your accounts, you still have several other ways to log into your account at website A.
And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).
A door can be kicked in, a safe can be drilled, a password can be reset. But these keys (whether a phone or a Yubikey) to your digital life are irreplaceable if they're all lost. We've never been in this situation before.
The problem with any solution relying on a couple of physical devices as the sole access to your digital life is that the management and protection of those objects becomes one of the most important things in your life. These keys are supposed to give perfect security so by design making "software" copies brings that security to the level of passwords. But losing them kills your digital life.
You have two keys in the house and you have a fire or severe natural disaster? There's no reset for them and you just piled a tragedy on top of another. You want to restore them from a backup? You probably need the keys to begin with. People need one on them at all times, one at home, one or two in some other safe far away location but to still trust that they won't be misused there.
That's all people hear when they look into passkeys. "One more key" is not enough for most people, tech savvy or not.
Even if it's possible technically, I don't think it's very practical, as UX is very heavily directed towards a single passkey provider. I can imagine doing this for one or two most important websites, but not for each of dozens (hundreds?) websites users have registeration on.
It's not actually all that bad. I went through today and added passkeys for all the sites I use that support them, and for most it went like this.
1. I login to the site using my password, supplied by my password manager (1Password).
2. I go to the site's security settings and find their passkey settings. I invoke their "add a passkey" function.
3. If I'm on my Mac, using Chrome, Firefox, or Safari, I get a dialog showing me the site and the user name and asking if I want to save a passkey in my 1Password.
There is a security key icon on the dialog that I can click if I want to save the passkey elsewhere. That replaces the 1Password dialog with one offering to save a passkey in my iCloud keychain for use on all my Apple devices.
That dialog has an "other options" link which brings up another dialog that adds options to use an external security key or to save a passkey on an iPhone, iPad, or Android device with a camera. The latter option will show a QR code that can be scanned on that other device.
I save the passkey in either 1Password or my iCloud keychain.
If I'm on my iPad using Safari it is similar, except the first dialog shows both 1Password and iCloud as storage destinations, with radio buttons to pick between them.
4. Repeat step #3 once, storing a passkey in whichever of 1Password and iCloud keychain that I didn't pick the first time through.
Some sites let you give the passkeys names to make them easier to remember so there might be typing a name in there somewhere.
All in all, it is only a few seconds to add a passkey after pressing the "add a passkey" button on a site, so adding two is no big deal.
I currently have over 700 credentials in 1Password. Consider me not interested for anything that takes any decent amount of time.
I really like the idea of passkeys but I think most people forgot that security and convenience are not working well together, and passkeys attempt to solve this problem.
Passwords have their own issues but they are so easy to transport to multiple stores, meaning loosing access is going to be hard(er).
And as long as there's going to be a single-point-of-failure (being it Apple, Google, 1Password or whoever stores your passkeys) without any _easy_ way to retrieve your passkeys again I'm advising against it.
With passwords, I don't care loosing access to my iCloud/1Password/whatever. A somewhat recent list of all passwords are stored in a safe place, printed out on paper. AFAIK this isn't easily doable with passkeys.
You can still benefit from adding passkeys to some sites. It will often be a little faster and/or fewer clicks than using a password, especially at sites where you have to enter a TOTP code.
For example at Github signing in with a passkey from the sign in page is two clicks. Click on "Sign in with a passkey", a dialog pops up from the browser showing the passkey it will use by default, and I click "Sign in".
With a password it is a click to have 1Password fill my email and password, a click to submit (which could be eliminated if I had autosubmit enabled in 1Password), and then it asks for a TOTP code. After the code is entered it is a click to complete the sign in.
Github's TOTP entry form is well coded, so if 1Password has the TOTP key it will automatically fill it. If you don't keep TOTP keys in 1Password you'll have to open your authenticator app and copy the code.
Considering that it only takes a few seconds to add a passkey for Github to 1Password, you'll make up the time that takes after just a few logins.
I'm not sure what UX you are talking about, the majority of the websites supporting u2f/passkey have UX to manage your u2f keys/passkeys. (the only exception I can think of is early Twitter when it first implemented u2f, and at that point it only allow you to add a single u2f key, but even Twitter fixed that later and supports multiple keys now).
And (this is probably not emphasized enough) you really should never only use a single u2f key/passkey for a website, that's the recipe to get you locked out when you can't find your u2f key/get locked out of the provider of your passkey. I have at least 2 yubikeys on my keychain all the time (one for usb-a and one for usb-c), plus one for each of my computers, and passkeys from 1password, google, etc.. And whenever I add u2f keys/passkeys to a website I add all/most of them.
...and you just described why this is not ready for prime time. Managing a number of physical devices tied to completely opaque secrets stored by unclear providers in places you never see, with hidden agendas promoting their locked-in solution over all others and complicating everything out of one ecosystem.
Most standard users will either mess up royally or run away scared. Damn, I've been on this field for 30 years, I've been using 4 OSs, 5 different browsers and devices from every ecosystem, and I still find this whole thing too much of a hassle.
And yes, I do have a backup passkey. Even though I had to convince my skip-level that it made sense. I just find it all too complex to adopt it broadly.
if I am reading right, any time you set up passkeys on a web site, you add half-a-dozen passkeys from various services? Yeah, this sounds totally impractical to me.
Have you considered stopping using passkeys and using strong passwords stored in password manager instead? You will have approximately same level of security:
- Either way, if one site is compromised other sites are not affected (because password managers have site-per-password)
- Either way, you will be phishing-protected (because password managers autofill based on host name, and you are smart enough not to override it)
- Either way, it'll be game over if you get a malware on your computer (because it will steal your passkey out of 1password)
... but your UX for new website would be dramatically simpler.
It's not much of a hassle. I'll add at least two when I want to start using a passkeys for a site. So maybe add a passkeys to the phone and to my keychain device. Then, next time I use the service on my laptop, I'll sign in with either my phone or keyring (whatever happens to be closer) and make one there. Then next time I want to use the service on my desktop I'll sign in with whatever I've got nearby and add my desktop and the token in my desk drawer. And maybe my password manager also has a passkeys, added somewhere in there.
It's not like every time I sign up for a new site I have to drop everything right at that instant and go add a passkey to every single device I own.
> And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).
Without a standard automatable way of doing this, it doesn't happen in practice, even assuming people implement it competently enough to allow multiple passcodes (TOTP codes, for example, are often only one per account, which is similarly annoying for maintaining a revocable backup)
> The nice thing about passkey is that unlike password, you can have multiple per account.
I would charitably estimate that of the sites currently supporting Passkey, the ones that support multiple passkeys are in the single digit percentage. So, practically, you can't.
As someone who actually uses them in a lot of places, the number of sites I know that only allows a single passkey is one: PayPal. What other sites do you know only allow a single one?
PayPal allows multiple passkeys. I just added passkeys there today and had no trouble making two.
I have a vague recollection of running into some trouble when I tried to add passkeys to an account in their sandbox (sandbox.paypal.com) but don't remember what it was. I realized I don't need any of my sandbox accounts any more and deleted them all from my password manager rather than try to solve the problems. :-)
PayPal's handling of multiple passkeys is kind of annoying. I didn't see any way to change the default labels it gives them, which appear to be simply the OS and browser names. So both of my passkeys are labeled "macOS Chrome".
Clicking on them tells when they were created but the resolution is only to the day.
If somehow my private key for one of the them leaked and I wanted to delete the public key I wouldn't know which to delete.
Some sites label the passkeys "1Password" and something like "Apple iCloud" which works a lot better.
I too first experimented with passkeys about a year ago, and then largely ignored them until this discussion prompted me to have another go.
A year ago I found them almost unusable. I had trouble getting browsers to recognize a passkey was available for a site, and I had trouble getting browsers on my Mac to use passkeys from the Apple keychain on my Mac. They would often put up a QR code for me to scan on my phone to use the passkey from the phone--and that was also not very reliable.
Now I'm hitting almost no problems.
There are still some settings annoyance with some sites. At PayPal for instance it asks for my TOTP code even when logging in with a passkey. There is no option to turn off TOTP for passkeys but leave it on for passwords.
At one point, a streamer on Youtube asked his audience something like "Spam F's in chat [to signal that you like this thing I just did]"
Hundreds of users got banned by Youtube for spamming.
But they didn't get banned from "Youtube". They got banned from "Google". They lost access to their Gmail, and to their Android login, and every other Google service, meaning they lost their phone text verification system for every other login, and quite possibly their password manager.
Hundreds of identities were stolen and set on fire by an overly aggressive approach to spam management.
I try to remember this failure mode in planning (or being unable to plan) the security of my online presence.
Then I incorporate Elon Musk's recent behavior and recognize that while the profit motive _generally_ constrains the behavior of these firms, it's by no means assured.
For basic social welfare, either this identity stuff needs to be heavily regulated or all of these big companies need to be broken up.
Just remember if you ever give up your domain, whoever purchases it will now have your email as root-of-trust to EVERY site you ever created an account with.
Also, it can be pricey. If you have a .com/.org it is cheap, but I have a .io and the price keeps doubling every few years.
Also, it can be risky: and there is a very real risk that .io will be (rightly) reclaimed by the country that owns it and either seize the domains are really jack up the prices even more.
Yeah I would suggest against using a ccTLD unless you have a strong connection to that country. Don't buy .io or .ai because they're trendy. Buy .com or .net or .dev or something else generic, or buy .co.uk if you live in the UK etc.
Even without malice or incompetence you will have false positives and false negatives. Then when you attempt to correct the mistake you will have false positives and false negatives again.
Should a false positive from the YouTube anti-spam algorithm accidentally temp-ban someone from commenting on YouTube for a week, or should it permanently and irrevocably destroy their online presence, possibly preventing them from logging into anything online: email, banking, government services, paying their mortgage? Because the whole problem is that we're in the universe where the latter happens.
I see now how it sounds that way but I'm not making excuses. It was to describe the puzzle without all the emotional luggage. You need a system that gets it wrong, corrects it self then gets the correction wrong with infinite recursion.
Instant judgement shooting from the hip without dialog or appeal is the dumbest way of doing things. Google isn't even trying.
I’ve heard this story quite a few times but it’s always hearsay without anything concrete enough to even begin to verify. Given that one account of mine got perma-banned on YouTube (for violating the “impersonation rule” with a bunch of screen recordings set to private…) and it didn’t affect the rest of the account, I have to assume the story is fake.
This legitimately terrifies me because it feels like a realistic eventual outcome — whether it’s via a careless automated system with no recourse or simply enshittification of an existing product due to leadership change.
I’m so entrenched in various platform ecosystems I’m not even sure how to claw my way out of it.
I solve this by creating two passkeys for each account, for iOS and Chrome. This covers all the devices I might use to log in and there’s no single point of failure.
This feels like the biggest misstep that may impede the success of passkeys to me. It's not that surprising, though, since it's pretty rare to find genuine support for multiple authentication factors of the same type already. You can usually only register one number for SMS, and/or one TOTP authenticator, etc. It seems like a lot of sites never really understood (or cared about) the benefits of MFA to the user and so can't be bothered to really understand passkeys either.
I keep hearing this but then the only example I'm given is PayPal and that AWS used to be this way. What big sites do you experience only allow a single passkey?
Besides passkeys, some websites have alternative backup authentication, though, such as backup codes. However you do it, there should be an independent way to log in.
Paypal, as far as I can tell, doesn't even (intentionally) support passkeys. They refer to all WebAuthN credentials as "security keys" and remind me to "plug it in and touch it now" etc.
I'm honestly already glad that they didn't make their annoying browser fingerprinting rigorous enough to also block authentications and aren't requiring attestation.
I get that this this is a way to do it in practical terms, but isn't that just like having to have two passwords for each site (outside the fact that passkeys are a bit more secure than passwords)? I thought one of the main points of passkeys was to reduce admin.
The problem that passkeys solve is not that of their user. It is that of the website that authenticates its users. With mere passwords, there is no way they can be sure that the user follows the required password hygiene. With passkeys, there is no way a user could set up something insecure.
Regular users would not set up double passkeys, and would suffer vendor lock. They would be better off with password manager instead.
Savvy users know how to follow password hygiene, and have no need to have it enforced on them. So they don't need passkeys either, they would be better of with good password manager.
Exactly what I am saying. Users don't need passkeys. Auditors and other guys from the checkbox compliance department on the opposite side do, for "security posture".
> I solve this by creating two passkeys for each account, for iOS and Chrome. This covers all the devices I might use to log in and there’s no single point of failure.
This just seems to mean that, instead of being the whim of one corporation from being locked out of all your accounts, you're the whim of two corporations away. That's better, but I'd hardly call it solved.
congrats. your problem is solved in the two or three places that actually allows or even implements any logic from N passkeys. on most places that will just give you a new account or wipe the first key.
And from this account you may be locked out for various reasons anytime, as it happened to countless persons previously, violating exotic or even understandable rules, or just been in the crossfire of some galactic corporate incompetence (some f'd up), but this way you'd be locking yourself out of everything especially if you were that user in the vacuum, exposing yourself to the mercy of a single organization with changing managemenet and incentives as the wind turns in a city's dense downtown.