Passkeys are okay, but your browser and OS want you to use them because you can’t just take a passkey to another platform, you have to create a new one, and it’s a pain in the ass.
It’s a lock-in gimmick latching on to a real useful solution.
My passkeys are tied to my phone, which I use via the browser and OS. I keep them in my password manager running on the phone. My password manager supports the open spec for securely migrating credentials between vendors.
It may be difficult to believe but they want you to use them because they’re legitimately significantly better.
Users are silly. They blame Microsoft for bad passwords. They blame Google for forgotten passwords. They blame Facebook when they click on a phishing link. They blame apple when apple “lets” someone who they gave their password to see their pictures. They blame apple when they don’t let the user in just because they forgot their password and every recovery mechanism.
Everyone involved has a significant issue with passwords because they cost them user satisfaction, credibility, or money directly. The reason cross vendor transfer has been slow is because everyone wants to be the leader, since if everyone follows your lead you get to make it work better with your stuff.
Yeh, I have passkeys in bitwarden.
I get it. Once they become ubiquitous, you click “login” your password manager prompts you to select account, and you are in.
No password that can be leaked, incorrectly stored, brute forced.
Corporations can pre-register company service passkeys for new users.
It’s like mTLS, except staged.
While true, it still means you’re locked into only being able to log in from a browser that has the password manager extension installed and logged in. Sometimes I want to log in from another machine, or another OS, or another browser, or even an incognito window that doesn’t have access to my extensions.
You can do that without an extension. There’s a bunch of different protocols that let you, for example, use your phone as the authenticator.
You can log in with your phone on a computer you’ve never used before by scanning a QR code and credentials never leave your device.
Passkeys are okay, but your browser and OS want you to use them because you can’t just take a passkey to another platform, you have to create a new one, and it’s a pain in the ass.
It’s a lock-in gimmick latching on to a real useful solution.
My passkeys are tied to my phone, which I use via the browser and OS. I keep them in my password manager running on the phone. My password manager supports the open spec for securely migrating credentials between vendors.
It may be difficult to believe but they want you to use them because they’re legitimately significantly better.
Users are silly. They blame Microsoft for bad passwords. They blame Google for forgotten passwords. They blame Facebook when they click on a phishing link. They blame apple when apple “lets” someone who they gave their password to see their pictures. They blame apple when they don’t let the user in just because they forgot their password and every recovery mechanism.
Everyone involved has a significant issue with passwords because they cost them user satisfaction, credibility, or money directly. The reason cross vendor transfer has been slow is because everyone wants to be the leader, since if everyone follows your lead you get to make it work better with your stuff.
Password managers can hold Passkeys now and they’re portable. Bitwarden stores all of mine, use them on any machine.
Yeh, I have passkeys in bitwarden.
I get it. Once they become ubiquitous, you click “login” your password manager prompts you to select account, and you are in.
No password that can be leaked, incorrectly stored, brute forced.
Corporations can pre-register company service passkeys for new users.
It’s like mTLS, except staged.
While true, it still means you’re locked into only being able to log in from a browser that has the password manager extension installed and logged in. Sometimes I want to log in from another machine, or another OS, or another browser, or even an incognito window that doesn’t have access to my extensions.
You can do that without an extension. There’s a bunch of different protocols that let you, for example, use your phone as the authenticator.
You can log in with your phone on a computer you’ve never used before by scanning a QR code and credentials never leave your device.
KeepassDX as well.
Ok that makes a lot of sense. It definitely seems like it’s more for them than it is for the user’s “convenience”
That’s false. My passkeys sync to my password manager and are available on all my devices