Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
goku12 6 hours ago

Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design.

I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage.

Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rollout an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extend that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini).

cyberax 6 hours ago | parent [-]

Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.

goku12 4 hours ago | parent [-]

> Passkeys ARE self-signed certs.

So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?

lxgr 3 hours ago | parent | next [-]

You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.

goku12 an hour ago | parent [-]

Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere as complicated as you make it out to be. No passkey interfaces I've seen is as clear as this one. It automatically provisions the certificate (optional. You can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not.

Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers.

lxgr 44 minutes ago | parent [-]

TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc.

Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval.

lxgr 3 hours ago | parent | prev | next [-]

You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.

cyberax 4 hours ago | parent | prev [-]

Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.

goku12 4 hours ago | parent | next [-]

Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it?

0x0 2 hours ago | parent | prev [-]

> "they can't be provisioned by the website itself."

It's funny, we used to have a html tag that would exactly that: <keygen />