There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems.
You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t).
If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.
How would a non-techie figure this shit out?
The same way they figure out passwords & multifactor.
Their pain isn’t ours for those who’ve figured this out & have a smooth experience.
I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.
I think it’s very easy to claim this specific app / account was not implementing passkeys well. But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere? I haven’t seen anyone get the concept of passwords wrong, and even if they don’t understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.
loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use
I use Bitwarden, yet not macOS/iOS.
Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls.
However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.
But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere?
Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)?
That’s standard practice for me, though I’ve never needed them.
I haven’t seen anyone get the concept of passwords wrong
I have control of the copy-paste function and can even type a password myself if needed
I’ve seen forms disable paste.
Much can go wrong with passwords.
Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure.
Passkeys, however, never transmit secrets.
Instead, they transmit challenges using asymmetric cryptography.
The application can’t fail to secure a secret it never has.
Far more secure, and less to go wrong.
The password field is a more manual, error prone user interface.
With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when setup correctly, & nothing to do until it’s setup correctly.
Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.
I use both Bitwarden and Apple’s native Passwords.app and just save a passkey for each app. Usually you can name the passkey on the website/in the app as well.
This is also the system I use when saving 2FA TOTP codes as well so I guess I’m used to it, but it makes good sense to me to have reduncancy in my password apps. Also I lock up *the apps themselves* with passkeys in the respective app for ease of use.
:mastozany:
This was roughly the state of affairs before but the state of things have relented where software password managers are now allowed to serve the purpose.
So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that’s possible.
If a layman wants to use Google password manager to just take care of it, that’s fine too.
Also much in between, using a phone instead of a yubikey like, using an offline password manager, etc.
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system?
OnlyKey seems to be a better choice than Yubikey, from what I can see. The only reason I haven’t switched is that I have a few accounts that I share with my partner, and I want to be sure that I can have two different keys work for the same account.
I just looked over their site and other than a physical pin, it looked basically the same to me. Can you tell me what seems to be better? Only issue I’ve ever had with Yubikey was NFC use to log into Bitwarden, but I think it was user error.
There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
They don’t have a computer, another computer with a different OS, or bitwarden.
They wouldn’t, because the people calling the shots in the tech world create UX with a focus on it sucking for everyone
For some people it is that easy.
When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don’t). If your preferred password manager isn’t the primary one on all your devices, then fix that or use the other option mentioned before.
The same way they figure out passwords & multifactor. Their pain isn’t ours for those who’ve figured this out & have a smooth experience.
I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.
I think it’s very easy to claim this specific app / account was not implementing passkeys well. But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere? I haven’t seen anyone get the concept of passwords wrong, and even if they don’t understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.
I use Bitwarden, yet not macOS/iOS. Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls. However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.
Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)? That’s standard practice for me, though I’ve never needed them.
I’ve seen forms disable paste. Much can go wrong with passwords. Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure. Passkeys, however, never transmit secrets. Instead, they transmit challenges using asymmetric cryptography. The application can’t fail to secure a secret it never has. Far more secure, and less to go wrong.
The password field is a more manual, error prone user interface. With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when setup correctly, & nothing to do until it’s setup correctly.
Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.
I use both Bitwarden and Apple’s native Passwords.app and just save a passkey for each app. Usually you can name the passkey on the website/in the app as well.
This is also the system I use when saving 2FA TOTP codes as well so I guess I’m used to it, but it makes good sense to me to have reduncancy in my password apps. Also I lock up *the apps themselves* with passkeys in the respective app for ease of use.
:mastozany:
This was roughly the state of affairs before but the state of things have relented where software password managers are now allowed to serve the purpose.
So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that’s possible.
If a layman wants to use Google password manager to just take care of it, that’s fine too.
Also much in between, using a phone instead of a yubikey like, using an offline password manager, etc.
Then use a Yubikey.
I tried a yubikey but most websites want you to use the pin for that which requires windows hello, and if you reset windows you lose that.
OnlyKey seems to be a better choice than Yubikey, from what I can see. The only reason I haven’t switched is that I have a few accounts that I share with my partner, and I want to be sure that I can have two different keys work for the same account.
I just looked over their site and other than a physical pin, it looked basically the same to me. Can you tell me what seems to be better? Only issue I’ve ever had with Yubikey was NFC use to log into Bitwarden, but I think it was user error.
I have my passkeys saved in 1password. (With a yubikey as backup for important things).