The Dark Age of Authentication
Sriram Karra and Christiaan Brand (via Hacker News):
We’ve received really positive feedback from our users, so today we’re making passkeys even more accessible by offering them as the default option across personal Google Accounts.
This means the next time you sign in to your account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins. It also means you’ll see the “Skip password when possible” option toggled on in your Google Account settings.
A lot of sites are doing this now, and they keep prompting me even after I opt out. Passkey pop-ups are the new GDPR cookie pop-ups.
In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys — making passwords a rarity, and eventually obsolete.
The biggest mistake that the passkeys movement did is try to make it sound more marketable at the cost of oversimplification.
First up, these aren’t really “no password” mechanisms. They’re closer to ssh certificates. You need to authenticate through some other mechanism and then agree to do the equivalent of creating and installing ssh certificates on your device.
The ssh certificates get synchronized across your devices securely by your cloud provider. But they can never serve as the primary authentication mechanism - that will still have to be a traditional authentication mechanism.
J. Carlos Roldán (via Hacker News):
It’s no secret that authenticating into services is an unresolved topic. With time, we have managed to make them more secure, but that was at the expense of user experience. The new generation of mail codes and authenticator apps has moved us from the ease of one-click browser autocomplete to complex ordeals involving multiple steps and sometimes multiple devices.
Last month, I was logging into Notion after it automatically logged me out, and I couldn’t help but think “It feels like I’m logging in here every second week; maybe I’m doing something wrong.”
[…]
Notion is not alone in this; many other services enforce similarly short sessions and uncomfortable methods. This has me pondering the evolution of our authentication methods, from their ancient beginnings to modern complexities.
William Brown (via Hacker News):
At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn’t be accessed. Her Apple Keychain had deleted the Passkey she was using on that site.
This is just the icing on a long trail of enshittification that has undermined Webauthn. I’m over it at this point, and I think it’s time to pour one out for Passkeys.
[…]
The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. […] A sobering pair of reads are the Github Passkey Beta and Github Passkey threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android can not create Passkeys due to platform bugs. Some devices need firmware resets to create Passkeys. Keys can be saved on the client but not the server leading to duplicate account presence and credentials that don’t work, or worse lead users to delete the real credentials.
The helplessness of users on these threads is obvious - and these are technical early adopters.
[…]
Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have recieved of other users who’s Keychain Passkeys have been wiped just like mine.
The biggest issue with passkeys is that I just can’t trust the companies offering them. They are locked into the platform for reasons that are ostensibly security but often indistinguishable from platform lock-in. If you make a passkey on an Apple device as far as I can tell it will never leave [your Apple devices and iCloud] and there is no way to change this. Of course this means you can never be phished for your credentials but if Apple decides to delete your key or you want to leave your iPhone behind, what are you supposed to do?
We’re coming up on two years since Apple introduced passkeys. This should have been addressed on day one. 1Password can’t import/export, either.
Taking Apple’s passkey implementation as an example, it usually works well if you’re using 100% Safari and Apple devices signed into your iCloud account, but as soon as you step a single toe out of the perfect use case, it turns into a nightmare of authentication. As soon as a website throws up the QR code that I need to scan with my phone I want to scream.
[…]
At this point, sometimes it works, sometimes it doesn’t and you need to try again. I’m not saying where the blame lies in these situations where it fails, just that it does way more often than I’ve ever experienced with usernames and passwords.
[…]
I use 1Password and I have about 20 passkeys saved there. I’ve considered switching to Proton Pass, but there is no way to migrate passkeys from one service to another, so I’d lose my authentication to 20 sites if I did that. And this isn’t a 1Password thing, there’s no service that allows for importing or exporting passkeys as far as I know.
I think passkeys are a good idea, but I see two major problems with the implementations:
Lack of control. I can’t export them, I can’t even find them anywhere on the OS. Supposedly they show up on the Passwords pane of System Settings (ironic since they’re supposed to replace passwords), but I can’t find some of the passkeys there I know I have.
This needs to support exporting and a much better UI to help people inspect, organize and delete their passkeys.
Overall, this feels like the modern trend of “simplifying” things by hiding them. This really makes everything more complicated. A good UI simplifies how people do things, they don’t hide and prevent people from doing those things.
All sites I’ve seen so far that work with passkeys also require a password. This means I still have to keep a password manager, the passwords and I’m still exposed to every security concern regarding passwords.
[…]
Something is not right when I only feel safe using a thing if I keep around something else said thing is supposed to replace.
Someone on a thread said passkey marketing material only presents the optimistic case. What happens when everything goes right. The pessimist case (you lost all the devices, you got locked out of iCloud, etc) is never addressed. I do feel that. Many of the “what ifs” I think about aren’t addressed anywhere.
Previously:
- Apple Updates Silently Enable iCloud Keychain
- New Apple ID Sign-In Options
- Family Passwords and Passkey Providers
- Passkeys: A Loss of User Control?
- Passkeys
Update (2024-05-24): Paulo Andrade:
Secrets does allow importing/exporting of passkeys. But no other app is able to import them 🤷♂️. I’m not entirely sure why other apps/keychain are skipping this feature. Seems too important not to have.
I get that they’re working on a more secure way to do this for passkeys, but Safari already lets you export unencrypted passwords and authenticator info, and I think that’s better than having no export at all.
i really like passkeys. sure, i use 1password but i have no plans to leave them so the “platform lock-in” is not an issue. however considering most websites now have the username, password and 2fa fields on different pages, simply tapping 1 button to login again it’s amazing. it’s also as easy on mobile apps where password managers can’t fill every time.
sure, for the simple people it might be annoying but all tech is annoying at first for them so 🤷🏻♂️
If anything, I think passkeys make more sense for the “simple people.” The happy path where everything works is nice. And if you were already using Safari and putting all your password eggs in the iCloud Keychain basket, anyway, it should be no less reliable with passkeys. The main passkeys issues seem to be around less simple workflows and failure modes. So, contra William Brown, I’m not writing passkeys off for the mainstream.
I’m a passkey optimist, but appreciate the passkey skepticism @mjtsai has curated.
ednl:
It just never worked for me with Github despite an all-Apple setup. “You have a passkey for this website. Do you want to login using your passkey?” Yes, please. Always failed.
GitHub has been extremely stable in that regard for me. I don’t even need to enter my username or email. Love it!
[…]
Funnily enough, today the PassKey login on GitHub stopped working in Desktop Safari (mobile still works) 🙈
See also: Jesse Squires.
Update (2024-05-28): See also: Mac Power Users Talk.
Update (2024-05-29): Jeff Johnson:
Ugh, how do I stop Safari from offering a passkey option?!?
I don’t have a passkey saved, and I don’t even have iCloud Keychain enabled, which is required for passkeys.
This is adding extra fucking steps to my login process. And of course App Store Connect demands that you login all the fucking time!
Update (2024-05-30): Nick Lockwood:
The AppleID login page is one of the least iCloud Keychain-compatible sites I’ve used. It never at any point offers to save your password and the two-step login breaks the autofill flow.
20 Comments RSS · Twitter · Mastodon
The level of ignorance and the lack of thought in this post is amazing. These people do not understand what Passkeys are meant for, how they work, what problems they solve and what are the tradeoffs. It is clear that passwords areobselete for the level of security we need today. Passkeys address that problem with some tradeoffs. The lack of ability export Passkeys is a feature, not a bug.
@Chris Wow, that’s really convincing. Thank you for enlightening us. If not being able to export is a feature, why are they working on adding it?
I'm torn on using Passkeys. I use 1Password for everything and I have strong secure random unique passowrds for every single service I use.
So what does Passkeys give me in added security? Can't be phished but 1Password already has _some_ protection for that. What else? But I lose export.
Seems like for a user like me, the advantage is marginal when compared to password + authenticator code both in security and convenience. But maybe I'm missing something and I really want to understand it better.
The only thing I must say is that I HATE services that insist on sending a code via SMS or email, or the "passwordless" services that email you a one time link.
THOSE NEED TO DIE
It's good to see some pushback against passkeys. I looked into using them, but they seem to have all the downsides of passwords with none of the upsides. They also introduce a lot of serious failure modes and probably a new set of attack surfaces.
I have one service (payfit.com) that insists on using passkeys, which worked fine until macOS insisted I turned on iCloud Keychain to be able to store the passkey (I don't want that, because then Safari insists on storing my passwords instead of 1Password). I tried to switch to 1Password for the passkey, but that failed in mysterious ways (also after having to go through a not so obvious step of deleting the existing one on payfit, which of course they don't call passkey but call "biometric authentication"!!). The fallback authentication is to click through 2-3 screens with various options, pick the right options to finally get a code sent to my email. And this has to be done every time I connect. Very bad experience, not looking forward to its expansion into other services.
KeePassXC has support for exporting and importing passkeys. It's pretty scandalous that Apple, Google, and the rest, are using them as lock-in
https://keepassxc.org/docs/KeePassXC_UserGuide#_advanced_usage_2
To add to the Thomas' comment, I'm using Secrets.app that has recently added passkeys support. I've tried it out and it also can export passkeys - I see the passkey data in the export. I've not tried re-importing it back, but I assume that works, too.
Yes, export is possible. I use strongbox, which is a great ios/ mac client that stores passwords in the keepass format, and yeah… you have passwords AND passkeys saved in an encrypted file in an open source format that you can store and manage as you see fit.
As I understand it, passkeys as they currently exist are basically digital-only Yubikeys — i.e. those things that change an authentication code/one-time-passcode every minute aka ‘authenticators’. Each Yubikey/password manager has a unique private key in there. Being able to export that private key would be a pretty big security risk.
Yubikeys (and passkeys in password managers) aren’t supposed to be able to be duplicated — they’re supposed to be (and are) unique hardware devices, or, in the case of Apple's Passkeys, tied to a physical characteristic of a person such as their fingerprint or face.
Exporting the passkey (i.e. the private key) would rather defeat the whole idea of an authenticated device/person. If we want to use a new password manager, we’re supposed to create a new passkey with that password manager… just like setting up a new Yubikey… that’s the secure way of doing things.
Can a passcode be cloned/the keys exported? Maybe? but I that wouldn’t be part of the spec, yeah? So I’d be surprised if Apple, Google, etc. would do that. That’d be basically equivalent to clone a physical Yubikey and handing it off to a stranger.
But since most people have never used a Yubikey, people don’t realize what they’re getting or why things are annoying. Yubikeys are a pain in the butt to use but they’re pretty secure and they don’t require an internet connection or SMS or email, but you have to create it and carry it around in your pocket. And you can lose it.
Passkeys are similar security but a way better experience than Yubikeys. That’s the comparison we should be making.
But since most people don’t realize how much better they are compared to Yubikeys, all we notice is how annoying they are compared to passwords (which are convenient but also more insecure).
(I’d argue that passkeys are almost as convenient as passwords now, depending on the site and their sign-in screens)
@Bryan It’s not in the spec yet. I guess they are working on a more complex solution than exporting an encrypted file. Apple is already syncing them between devices that don’t necessarily have any biometrics. I agree that Yubikey is a better comparison, but that is not how Apple and others have been selling passkeys. They keep saying that they are a replacement for passwords and easier to use, neither of which I think is really true today.
I might use Passkeys in the future as an additional, phishing resistant, login method for some accounts. For now, though, I'm waiting for the ecosystem to mature more. Backups and the portability of keys between password managers is one big concern of mine. In the meantime I will use my Yubikey as a convenient second factor for some services and avoid Passkeys provided by platform authenticator like iCloud.
I thought one of the advantages of passkeys is that the service provider no longer stores valuable password information that’s a target for hackers. But from what I’ve observed so far, passkeys seem to be implemented as an additive alternative to passwords, not a replacement.
Some of the discussion is suggesting passwords will always be required. I don’t understand why? Doesn’t this negate one of the main selling points of passkeys?
@Nigel I don’t understand the end game here, either. There needs to be a solution for when the user loses the passkeys. If the fallback isn’t the password, what is it? It seems to me that if it’s anything else it would be slower and more annoying, and possibly less secure, to recover.
My issue with passkeys: how am I supposed to authenticate to a site on a new computer unless I have a password? The computer I signed up to the site on is not connected in any way with the new computer (home vs work computer), so there is no syncing of stuff between them. So I need some other authentication route, which brings us right back to "password"...
I'm still not seeing how this replaces the need for a password manager. As another poster said, Keepass variants seem to be the best. Strongbox supports everything I've ever thought to look for, including exporting two factor codes. Haven't checked on passkeys but there's no need to export them anyway since they're already portable if they're in the password vault.
@Bart
> “Strongbox supports everything I've ever thought to look for”
Unfortunately, Strongbox was never audited by an independent 3rd party… unlike other popular / secure Password Managers.
I agree it’s a nice app though.
There are two big reasons I've been hopeful about passkeys/webauthn:
1) The default flow for users who reuse passwords and don't want to learn a password manager is much more secure.
2) Servers don't have to hold onto (hopefully hashed and salted) passwords, which should hopefully reduce the incidence of identify theft, especially for users who fit #1's demographic.
That said, I've yet to adopt any passkeys, and these stories of weird behavior give me pause. I wonder if things would've played out differently if passkeys had debuted first on third-party password managers instead of platforms.
> The AppleID login page is one of the least iCloud Keychain-compatible sites I’ve used. It never at any point offers to save your password and the two-step login breaks the autofill flow.
I've always thought that that was intentional: to protect access to wipe everything on your computer, from your computer. Understandable in a way, but not good especially for people who know what they are doing.
That two-step input form doesn't prohibit Google logins being autofilled correctly, by the way.
I've also had issues where the passkey servers or whatever were blocked by AdGuard, so the passkeys would never work. Took me a while to figure that out.