Passkeys were hot last year, don’t seem to be catching on, here’s one view of why that is. Dark and sobering but convincing: https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

@timbray I'll admit that I have a half dozen articles open in my browser tabs from the last 12 months, and I still don't grok what supposed to do/expect as end user through my cycle of new devices, new services, credential changes, etc....

@timbray You probably know how critical I've been of #Google's (and various other) passkey deployments.

@timbray nobody could have foreseen it!

https://flameeyes.blog/2021/11/16/passwordless-doesnt-mean-troubleless/?mtm_campaign=social&mtm_kwd=mastodon

@flameeyes oh my, should probably suggest William to tone down all those en-words.

@vbabka I guess once again "enshittification" is used for "anything I don't like" just like people use "fascist" for "anyone who disagrees with me."

In both cases, it's a loudness war that removes the range required to have a constructive discussion.

@MikeBeas @sil @objc So if I'm using 1password and syncing between my laptop & phone, the same passkey can be used on both?

[Definitely getting the feeling that 1Password is the leader at making these things usable. Having said, that, I have yet to convince any nontechnical person to use any password manager aside from the ones in the browsers.]

@flameeyes @timbray Nice article.

I guess password logins and password managers are the IPv4 of authentication?

@aerique given the way I talk about it, it sounds right https://flameeyes.blog/tag/ipv6/?mtm_campaign=social&mtm_kwd=mastodon

Password Managers are pretty much the NAT, except less hacky, but similarly solving most of the problems without a full overhaul.

@timbray @sil @objc Yes, it works like anything else you sync via a password manager. Several password managers support them.

For non-technical users, storing them in the system keychain is fine. They’re end-to-end encrypted and synced via iCloud or the Google password manager, same as regular passwords. You can scan a QR code on other devices that aren’t able to sync them (Windows or whatever) and login from your phone. It’s a pretty painless process.

@MikeBeas

> It’s a pretty painless process.

Um, the testimony in these threads and the original article suggest that is a minority viewpoint. There have been a couple people pipe up saying “just works for me” but many more saying “pool of pain”.

@sil @objc

@timbray this has been my experience with them as well. Most of the time passkeys just *do not work* for me.

And I’m a tech nerd deep into the open source computing space, have helped develop cross-desktop standards, and help translate between the nerdiest engineers I’ve met and various levels of less-technical folks. If I can’t get it to work reliably, I don’t think there is hope for most people. 😅

@timbray I’ve been locked out of my PlayStation account, my Google passkey just never works (on my Google Pixel phone, no less), my phone thinks I have passkeys for accounts I have never used a passkey with… it’s a mess.

I want it to work. But holy crap the experience has been terrible. I think they were rolled out way too aggressively before pretty fundamental user experience concerns were addressed—let alone the abysmal (non-existent) user education.

@objc @matt @MikeBeas @sil

1/2 Remember, I started by linking to an article criticizing passkeys, and then again noting my shock at the much-hotter-than-usual response I got. Mike is correct that the furore in my comments is not proof of anything. It would be incorrect to say “anecdotal evidence is not evidence”. It is indeed evidence; many major discoveries start by someone saying “that’s weird.” It is weird.

@objc @matt @MikeBeas @sil 2/2 Maybe there’s something about my followers that makes them predisposed to hate passkeys? Maybe passkeys are a great idea that have suffered from bad UI implementations? Maybe passkeys have a design flaw that gets in the way of good UI? All those are plausible explanations for the observed evidence.

@objc @matt @MikeBeas @sil 3/2 (Oh, and there’s the criticisms in the original article, about the problems being due to misbehavior by platform owners. Another plausible explanation.)