Thursday, May 23, 2024

The Dark Age of Authentication

Sriram Karra and Christiaan Brand (via Hacker News):

We’ve received really positive feedback from our users, so today we’re making passkeys even more accessible by offering them as the default option across personal Google Accounts.

This means the next time you sign in to your account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins. It also means you’ll see the “Skip password when possible” option toggled on in your Google Account settings.

A lot of sites are doing this now, and they keep prompting me even after I opt out. Passkey pop-ups are the new GDPR cookie pop-ups.

In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys — making passwords a rarity, and eventually obsolete.

dilippkumar:

The biggest mistake that the passkeys movement made is trying to make it sound more marketable at the cost of oversimplification.

First up, these aren’t really “no password” mechanisms. They’re closer to ssh certificates. You need to authenticate through some other mechanism and then agree to do the equivalent of creating and installing ssh certificates on your device.

The ssh certificates get synchronized across your devices securely by your cloud provider. But they can never serve as the primary authentication mechanism - that will still have to be a traditional authentication mechanism.
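To make the "closer to ssh certificates" comparison concrete, here is an added example (my own, not code from any of the quoted threads or from Google's, Apple's, or 1Password's implementations) of the mechanism a passkey relies on: a key pair is registered only after a password login, the private key never leaves the device, and each sign-in is a signature over a one-time challenge bound to the origin the browser saw. The relying party, the user `alice`, the password, the origins, and the reduced forms of WebAuthn's `collectedClientData` and authenticator data are constructed simplifications for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// RelyingParty is a cut-down website back end; users and plaintext passwords are constructed sample data.
type RelyingParty struct {
	RPID      string                       // domain the credential is scoped to
	Origin    string                       // the only origin accepted in assertions
	passwords map[string]string            // user -> password (constructed; a real service stores hashes)
	passkeys  map[string]ed25519.PublicKey // user -> registered public key
	pending   map[string]string            // user -> outstanding challenge
}

func NewRelyingParty(rpID, origin string, passwords map[string]string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: origin, passwords: passwords,
		passkeys: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// RegisterPasskey is the "authenticate some other way first" step: the key is stored only after a password check.
func (rp *RelyingParty) RegisterPasskey(user, password string, pub ed25519.PublicKey) error {
	if rp.passwords[user] != password {
		return errors.New("registration refused: not authenticated")
	}
	rp.passkeys[user] = pub
	return nil
}

// NewChallenge issues a fresh random challenge and remembers it for the user.
func (rp *RelyingParty) NewChallenge(user string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	rp.pending[user] = base64.RawURLEncoding.EncodeToString(buf)
	return rp.pending[user]
}

// clientData is a reduced collectedClientData; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedPayload mirrors WebAuthn's signature input: authenticator data (reduced to SHA-256 of the RP ID) || SHA-256(clientDataJSON).
func signedPayload(rpID string, clientDataJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientDataJSON)
	return append(rpHash[:], cdHash[:]...)
}

// SignAssertion is the authenticator side: the private key never leaves it, only a signature bound to the observed origin.
func SignAssertion(priv ed25519.PrivateKey, rpID, challenge, observedOrigin string) ([]byte, []byte) {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	return cdJSON, ed25519.Sign(priv, signedPayload(rpID, cdJSON))
}

// VerifyAssertion checks type, challenge, origin and signature; the challenge is consumed on first use.
func (rp *RelyingParty) VerifyAssertion(user string, clientDataJSON, sig []byte) error {
	pub, ok := rp.passkeys[user]
	if !ok {
		return errors.New("no passkey registered for user")
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if c, ok := rp.pending[user]; !ok || cd.Type != "webauthn.get" || cd.Challenge != c {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, user) // single use, whatever happens next
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.Origin)
	}
	if !ed25519.Verify(pub, signedPayload(rp.RPID, clientDataJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com", map[string]string{"alice": "hunter2"}) // constructed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("register before password login:", rp.RegisterPasskey("alice", "wrong", pub))
	fmt.Println("register after password login: ", rp.RegisterPasskey("alice", "hunter2", pub))
	cd, sig := SignAssertion(priv, rp.RPID, rp.NewChallenge("alice"), "https://example.com")
	fmt.Println("genuine sign-in:", rp.VerifyAssertion("alice", cd, sig))
	fmt.Println("replayed sign-in:", rp.VerifyAssertion("alice", cd, sig))
	cd, sig = SignAssertion(priv, rp.RPID, rp.NewChallenge("alice"), "https://examp1e.com")
	fmt.Println("relayed through look-alike origin:", rp.VerifyAssertion("alice", cd, sig))
}
```

The last case is the phishing-resistance property: even if a look-alike site relays the real challenge, the browser records the origin it actually loaded, so the server rejects the signature. In a real browser the check happens even earlier, because the RP ID must match the page's domain before the authenticator will sign at all; the example only shows the server-side half. It also shows the point dilippkumar makes: the key pair only gets stored because a password login came first, so the password (or whatever bootstraps registration and recovery) is still the root of trust.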

J. Carlos Roldán (via Hacker News):

It’s no secret that authenticating into services is an unresolved topic. With time, we have managed to make them more secure, but that was at the expense of user experience. The new generation of mail codes and authenticator apps has moved us from the ease of one-click browser autocomplete to complex ordeals involving multiple steps and sometimes multiple devices.

Last month, I was logging into Notion after it automatically logged me out, and I couldn’t help but think “It feels like I’m logging in here every second week; maybe I’m doing something wrong.”

[…]

Notion is not alone in this; many other services enforce similarly short sessions and uncomfortable methods. This has me pondering the evolution of our authentication methods, from their ancient beginnings to modern complexities.

William Brown (via Hacker News):

At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn’t be accessed. Her Apple Keychain had deleted the Passkey she was using on that site.

This is just the icing on a long trail of enshittification that has undermined Webauthn. I’m over it at this point, and I think it’s time to pour one out for Passkeys.

[…]

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. […] A sobering pair of reads are the Github Passkey Beta and Github Passkey threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android cannot create Passkeys due to platform bugs. Some devices need firmware resets to create Passkeys. Keys can be saved on the client but not the server, leading to duplicate account presence and credentials that don’t work, or worse, leading users to delete the real credentials.

The helplessness of users on these threads is obvious - and these are technical early adopters.

[…]

Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have received of other users whose Keychain Passkeys have been wiped just like mine.

Saagar Jha:

The biggest issue with passkeys is that I just can’t trust the companies offering them. They are locked into the platform for reasons that are ostensibly security but often indistinguishable from platform lock-in. If you make a passkey on an Apple device as far as I can tell it will never leave [your Apple devices and iCloud] and there is no way to change this. Of course this means you can never be phished for your credentials but if Apple decides to delete your key or you want to leave your iPhone behind, what are you supposed to do?

We’re coming up on two years since Apple introduced passkeys. This should have been addressed on day one. 1Password can’t import/export, either.

Matt Birchler:

Taking Apple’s passkey implementation as an example, it usually works well if you’re using 100% Safari and Apple devices signed into your iCloud account, but as soon as you step a single toe out of the perfect use case, it turns into a nightmare of authentication. As soon as a website throws up the QR code that I need to scan with my phone I want to scream.

[…]

At this point, sometimes it works, sometimes it doesn’t and you need to try again. I’m not saying where the blame lies in these situations where it fails, just that it does way more often than I’ve ever experienced with usernames and passwords.

[…]

I use 1Password and I have about 20 passkeys saved there. I’ve considered switching to Proton Pass, but there is no way to migrate passkeys from one service to another, so I’d lose my authentication to 20 sites if I did that. And this isn’t a 1Password thing, there’s no service that allows for importing or exporting passkeys as far as I know.

Miguel Arroz:

I think passkeys are a good idea, but I see two major problems with the implementations:

  1. Lack of control. I can’t export them, I can’t even find them anywhere on the OS. Supposedly they show up on the Passwords pane of System Settings (ironic since they’re supposed to replace passwords), but I can’t find some of the passkeys there I know I have.

    This needs to support exporting and a much better UI to help people inspect, organize and delete their passkeys.

    Overall, this feels like the modern trend of “simplifying” things by hiding them. This really makes everything more complicated. A good UI simplifies how people do things, they don’t hide and prevent people from doing those things.

  2. All sites I’ve seen so far that work with passkeys also require a password. This means I still have to keep a password manager, the passwords and I’m still exposed to every security concern regarding passwords.

    […]

    Something is not right when I only feel safe using a thing if I keep around something else said thing is supposed to replace.

    Someone on a thread said passkey marketing material only presents the optimistic case. What happens when everything goes right. The pessimist case (you lost all the devices, you got locked out of iCloud, etc) is never addressed. I do feel that. Many of the “what ifs” I think about aren’t addressed anywhere.

Update (2024-05-24): Paulo Andrade:

Secrets does allow importing/exporting of passkeys. But no other app is able to import them 🤷‍♂️. I’m not entirely sure why other apps/keychain are skipping this feature. Seems too important not to have.

I get that they’re working on a more secure way to do this for passkeys, but Safari already lets you export unencrypted passwords and authenticator info, and I think that’s better than having no export at all.

Radu Ursache:

i really like passkeys. sure, i use 1password but i have no plans to leave them so the “platform lock-in” is not an issue. however, considering most websites now have the username, password and 2fa fields on different pages, simply tapping 1 button to log in again is amazing. it’s also as easy on mobile apps, where password managers can’t fill every time.

sure, for the simple people it might be annoying but all tech is annoying at first for them so 🤷🏻‍♂️

If anything, I think passkeys make more sense for the “simple people.” The happy path where everything works is nice. And if you were already using Safari and putting all your password eggs in the iCloud Keychain basket, anyway, it should be no less reliable with passkeys. The main passkeys issues seem to be around less simple workflows and failure modes. So, contra William Brown, I’m not writing passkeys off for the mainstream.

Andrew Escobar:

I’m a passkey optimist, but appreciate the passkey skepticism @mjtsai has curated.

ednl:

It just never worked for me with Github despite an all-Apple setup. “You have a passkey for this website. Do you want to login using your passkey?” Yes, please. Always failed.

Melvin Gundlach:

GitHub has been extremely stable in that regard for me. I don’t even need to enter my username or email. Love it!

[…]

Funnily enough, today the PassKey login on GitHub stopped working in Desktop Safari (mobile still works) 🙈

See also: Jesse Squires.

Update (2024-05-28): See also: Mac Power Users Talk.

Update (2024-05-29): Jeff Johnson:

Ugh, how do I stop Safari from offering a passkey option?!?

I don’t have a passkey saved, and I don’t even have iCloud Keychain enabled, which is required for passkeys.

This is adding extra fucking steps to my login process. And of course App Store Connect demands that you login all the fucking time!

Update (2024-05-30): Nick Lockwood:

The AppleID login page is one of the least iCloud Keychain-compatible sites I’ve used. It never at any point offers to save your password and the two-step login breaks the autofill flow.