smallerfish 9 days ago

> Passkeys is the way to go. Password manager support for passkeys is getting really good.

I set up a passkey for github at some point, and apparently saved it in Chrome. When I try to "use passkey for auth" with github, I get a popup from Chrome asking me to enter my google password manager's pin. I don't know what that pin is. I have no way of resetting that pin - there's nothing about the pin in my google profile, password manager page, security settings, etc.

uyzstvqs 9 days ago | parent | next [-]

Passkeys are the pinnacle of bad UX. It just works, until the user tries to switch devices, accounts or platforms. The slogan of passkeys should be something like "I don't have a password, it usually just works, but now I changed X and it doesn't work anymore". Even worse is hardware-based 2FA built into smartphones (also FIDO), as you lose your phone in a lake and now you can't access anything anymore.

The way to go is an encrypted password manager + strong unique random passwords + TOTP 2FA. It's human-readable. Yes, that makes it susceptible to phishing, but it also provides very critical UX that makes it universal and simple.

johncolanduoni 9 days ago | parent | next [-]

Apple’s works fine, including when I’m logging on to my windows machine. Opening the camera app is a little annoying, but I don’t have to do it frequently. 1Password works well too and it runs on everything. There’s open source options, but I can’t attest to their UX.

oidar 9 days ago | parent | next [-]

Apple's works fine until you don't have access to your apple devices.

smallerfish 9 days ago | parent | prev | next [-]

That's fine, but Chrome has 67% market share, and the majority of people will pick the default option for passkeys if prompted. For passkeys to replace passwords it's got to be seamless and easily recoverable without compromising security.

yunwal 9 days ago | parent | next [-]

> the majority of people will pick the default option for passkeys if prompted

Especially since Google doesn’t allow you to change your personal default which is what convinced me to go and switch all my accounts off of Google SSO

johncolanduoni 8 days ago | parent [-]

I’m not sure what you mean; I have multiple passkeys on different platforms for my Google account (and a few similarly important ones).

johncolanduoni 8 days ago | parent | prev | next [-]

So we need to make a new open standard, and then somehow prevent Google from implementing it? Too bad they implemented TOTP too. I’m not sure what you’re proposing here.

smallerfish 8 days ago | parent [-]

Did you see a proposal? I'm merely pointing out that there's disastrously poor UX lurking in the #1 platform that users may encounter passkeys in. It's not ready to send out to normies without more work on it.

airstrike 9 days ago | parent | prev [-]

Yes, it really is a shame that Google Chrome has dominated the market since the very first browser was created.

odo1242 9 days ago | parent | prev [-]

Bitwarden is really good for passkeys, better than apple's password manager imo

PartiallyTyped 9 days ago | parent | prev [-]

I use protonpass and it’s great, carried across all my devices and browsers.

PaulKeeble 9 days ago | parent | prev | next [-]

I really dislike how passkeys have generally been used. Once KeepassXC got proper support for them, and in the browser plugin, it's been a bit more sensible. KeepassXC means I can transfer them between devices and it's protected the same way my passwords are, so no additional PINs and logins I don't want; it solves a lot of the issues I have around them. Now it's just a long random password.

I wouldn't have minded if we moved to a scheme like SSH logins with public and private keys I own either, that I can store securely but load as I please and again would work well with a local password manager.

jp191919 9 days ago | parent | next [-]

KeepassXC's passkey integration has been excellent for me. No vendor lock-in is important to me.

arccy 9 days ago | parent | prev [-]

passkeys are public / private keys. it's just a new pair for every log in.

Hnrobert42 9 days ago | parent | prev | next [-]

That is unfortunate, but that sounds more like a chrome problem than a passkey problem. You would have the same issue if chrome saved your password.

kmac_ 9 days ago | parent [-]

Passkey is a great example of how five kitchen chefs can't make scrambled eggs. Horrible user experience, terrible marketing, no mental model like "your phone is THE key," no tangible or even symbolic presentation of the key.

acdha 9 days ago | parent [-]

That’s a lot of anger without a substantial argument. For Apple users, for example, the user experience is very smooth and the mental model is “I use iCloud to store my passcode just like I use iCloud to store my passwords”. If you use 1Password, you’re changing iCloud for 1Password instead.

emushack 9 days ago | parent [-]

"You lost me the moment you mentioned iCloud". At least that's the way the majority of people I know react to this line of thinking. The "cloud" is still mysterious and complicated to a good number of people. Passwords are easy to understand.

acdha 9 days ago | parent | next [-]

Most Apple users are used to using their account for everything - that’s how they buy apps, use things like music or photos, etc. and, of course, passwords. Switching to passkeys doesn’t change that much other than being a bit faster.

otterley 9 days ago | parent | prev | next [-]

Most people use the cloud without even knowing it. If you instead say it’s seamlessly replicated among all your devices, that is a good enough explanation and conveys the benefits to customers.

emushack 8 days ago | parent | prev [-]

Yeah that's right! If you simply say that this syncs to all my devices, it papers over, or abstracts if you will, the complexity of: secure enclaves/TPMs, symmetric sync keys wrapping asymmetrically encrypted passkeys, resident keys that support backup, keys that do NOT support backup, how biometrics are used, etc. etc.

With a password, I can write it down on a piece of paper and put it in my safe.

One of these systems is not like the other.

dathinab 9 days ago | parent | prev | next [-]

The "the app tries to trick me into using the service of the company behind it so that they can consolidate the market" problem.

It's not quite new. As a dumb example, depending where in Android contacts you click on an address, it might always force open Google Maps (2/3 cases) or (1/3 cases) properly go through the intent system and give users a choice.

Stuff like that has been constantly getting worse with Google products, but it's not like Microsoft or Apple are foreign to it.

spixy 9 days ago | parent | prev [-]

Google password manager's pin?

On my Windows laptop that is Windows Hello PIN, not sure about other OSs. And it can be disabled.