Friday, June 20, 2025

Forcing Passkeys

Jeff Johnson:

The new setting is enabled by default; I’ve seen this on multiple computers.

Automatically create a passkey to sign in faster

Allow sites and apps to upgrade existing accounts to use passkeys

This new setting is not actually included on the What’s New in Chrome page (chrome://whats-new/), which doesn’t even mention passkeys.

It is mentioned by the New in Chrome 136 post on the Chrome for developers blog:

You can now upgrade existing password credentials to a passkey.

“You” here apparently refers to web developers, not to users, who aren’t given a choice[…]

Brandon Vigliarolo:

Microsoft has decided to push its consumer customers to dump passwords in favor of passkeys.

The software giant announced the move Thursday, May 1, traditionally known as “World Password Day,” with a declaration it had joined forces with the Fast Identity Online (FIDO) Alliance to re-name the pseudo-holiday “World Passkey Day.”

Redmond’s not just playing with words as the Windows giant has also decided that all new Microsoft accounts will use passkeys by default.

[…]

As we noted late last year, Microsoft isn’t giving its customers an option to continue using passwords, saying that opting out of passkey invitations wasn’t possible.

Troy Hunt:

This is a good point to reflect on the paradox that securing your digital life presents: as we seek stronger forms of authentication, we create different risks. Losing all your forms of non-phishable 2FA, for example, creates the risk of losing access to your account. But we also have mitigating controls: your digital passkey is managed totally independently of your physical one so the chances of losing both are extremely low. Plus, best practice is usually to have two U2F keys and enrol them both (I always take one with me when I travel, and leave another one at home). New levels of security, new risks, new mitigations.

Most people are not going to do this, so it seems like the end game is that either users will lose control of their logins or that passkeys will become mainly a convenience for quickly logging in, with passwords, SMS, and e-mail as a less secure fallback.

Isaiah Inuwa (via Ricky Mondello):

With the announcements from big companies at World Password Day about passkeys, I thought I should share what I've been working on for passkey support on Linux.

Previously:



One of the more ridiculous and yet unreported aspects of the passkey transition is that Safari extensions for password managers are unlikely to work in Private Browsing Mode. 1Password, for example, does not: it requires re-authentication every time Safari launches, making it essentially useless and insecure, because dozens of authenticated sessions remain endlessly open on the account.

This means that users who frequently use Private Browsing mode will either need to use Apple’s own Passwords app or to switch to browsers like Chrome, Brave, or Firefox in which extensions can stay authenticated even in Incognito mode — and which do not honour Apple’s own Lockdown Mode protections.

This is too small an edge case to matter, either to 1Password or to Apple, and yet I am willing to bet that many users are caught in just that gap between supported features. The transition to passkeys is forcing web users into one officially sanctioned way to use the web, with a handful of approved browsers running a handful of approved extensions in a handful of approved “scenarios.”

Power-users were up in arms when Google withdrew Manifest v2, but there are countless ways in which the developers of web browsers are forcing users back into the mainstream, under the guise of empowerment and security. This is a shameless power-grab happening, like all such things, in complete silence.


Andrew Berry

> One of the more ridiculous and yet unreported aspects of the passkey transition is that Safari extensions for password managers are unlikely to work in Private Browsing Mode. 1Password, for example, does not: it requires re-authentication every time Safari launches

I've never had this as an issue. I have "Allow in private browsing" turned on in the Extensions tab in Safari Settings.


I spend 90% of my screen time behind a Mac mini with a Logitech keyboard, so no direct way of biometric authentication. Passkeys are a giant pain in the ass because I have to grab my phone to authenticate; several big extra steps. Plus, most passkey attempts fail at first because there is no direct authentication. Only then comes the "try a nearby device" suggestion. With passwords it is one click or Enter, at most two with the now integrated 2FA. I effing hate passkeys.


I’d submit a post to the 1Password forum if you haven’t already (or upvote an existing post). I had an issue registering a passkey in the last month or so and they implemented a bug fix pretty quickly. Apple feedback on the other hand…



> Safari extensions for password managers are unlikely to work in Private Browsing Mode

I use private browsing almost exclusively, and I haven't had this experience. Passkeys stored in 1Password work fine for me on GitHub, Fastmail, Google, etc.


Passkeys don't solve the lost device problem. At least the Social Security site gave me a list of recovery keys that I can use if I get locked out. I have a copy of them in my safe deposit box which has a real recovery protocol. I'm still waiting for the computer security people to catch up with the centuries old government and financial sectors.


I don't understand the point of passkeys. It seems worse than random unique passwords + 2FA?


@Ben If you can use a password manager to make random unique passwords, and you use auto-fill to avoid phishing, I think passkeys offer mostly disadvantages, aside from login speed (the extra step for 2FA). The best points I’ve seen in their favor are that (1) many people have trouble doing this, (2) it’s still possible to be phished, and (3) if the site stores your password insecurely and is hacked and doesn’t use 2FA (or it’s compromised somehow), someone could access your account.
