| ▲ | DougN7 9 days ago |
| It sounds good, unless granny needs to visit Google or Microsoft to get a new password after losing her phone. Then what?? |
|
| ▲ | patrakov 9 days ago | parent | next [-] |
| The scary part is not about losing her phone. It's about having to keep the old, no-longer-secure Android phone alive just for passkeys after getting a shiny (and secure) new iPhone. |
| |
| ▲ | charcircuit 9 days ago | parent [-] | | You can add the new phone as an additional passkey. I don't see how this would be scary. | | |
| ▲ | j1elo 9 days ago | parent | next [-] | | I have 531 logins for varied websites and services. Would you enjoy having to change 531 passkey devices? Me neither. But default login flows in all these sites prompt you to use your current device as passkey by default, so people who don't know better (i.e. a general "everybody") are being gently pushed to do so. | | |
| ▲ | charcircuit 9 days ago | parent [-] | | No, which is why there is the cross platform standard CXF which allows for cross platform sharing of passkeys. Apple has announced that support for this is shipping later this year with iOS 26. Google hasn't announced when they are shipping it yet. | | |
| ▲ | elteto 9 days ago | parent | next [-] | | So until then you have to do what parent said? Change each one individually when you switch devices? Thanks but no. | | |
| ▲ | ewoodrich 9 days ago | parent [-] | | I keep all my Passkeys in Bitwarden, it works fine across different devices and I use all major platforms regularly (iOS, Android, Windows, MacOS, ChromeOS). As a backup I've also added some extra duplicate Passkeys in the Chrome and iCloud password manager for the most important accounts in case I lose access to Bitwarden somehow. |
| |
| ▲ | yunwal 9 days ago | parent | prev | next [-] | | Would’ve been nice if the basic UX would have been figured out before passkeys were shoved down everyone’s throats | | |
| ▲ | reginald78 9 days ago | parent [-] | | It just wasn't an important consideration, unlike the attestation anti-feature. |
| |
| ▲ | kbolino 9 days ago | parent | prev [-] | | AFAIK, there is no requirement for websites to support multiple passkeys nor, if they do, to support them in a sensible way. Some sites do this well, most don't. |
|
|
|
| ▲ | hgomersall 9 days ago | parent | prev | next [-] |
| The problem here is really more with Google and Microsoft than anything else. It's not like this problem doesn't occur already for other reasons. |
|
| ▲ | drozycki 9 days ago | parent | prev [-] |
| She follows the same reset flow as before. Passkeys are identical in this respect to the passwords of yore. |
| |
| ▲ | cuu508 9 days ago | parent | next [-] | | If granny forgets her password, she looks it up on the last page of her notebook where it is written down. Granny cannot write down her passkey. To avoid getting locked out you could add 2-3 passkeys from different providers to each account. And/or use a passkey provider that allows backups, and back up your keys. But I doubt many people will have the discipline to do either of those. | |
| ▲ | politelemon 9 days ago | parent | prev | next [-] | | Then that's worse, it's now two authentication flows to remember. It's only made the situation more complicated. | |
| ▲ | raphinou 9 days ago | parent | prev | next [-] | | Honest question: isn't that introducing some weaknesses, allowing the attacker to either reactivate password auth or add its own passkey, e.g. by tricking the user into accepting that change after receiving a mail with a link to accept that change?
That would make the passkey unbreakable, but leave other easier-to-exploit weaknesses. | | | |
| ▲ | jonplackett 9 days ago | parent | prev | next [-] | | The problem with passkeys is they’re very unfamiliar and it’s easier therefore for less experienced users to get confused or tricked. | |
| ▲ | rcxdude 9 days ago | parent | prev [-] | | Passkeys are more like 2FA, and many services disable password resets without 2FA if it's enabled. | | |
| ▲ | account42 9 days ago | parent [-] | | Do you have any examples of such services? How do they handle the lost phone case? Tell people to go pound sand? |
|
|