Friday, January 10, 2025

Passkey Usability

Dan Goodin (Hacker News):

Passkeys—the much-talked-about password alternative to passwords that have been widely available for almost two years—was supposed to fix all that. When I wrote about passkeys two years ago, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts.

[…]

The FIDO2 specification and the overlapping WebAuthn predecessor that underpin passkeys are nothing short of pure elegance. Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone—so much so that they can’t be considered usable security, a term I define as a security measure that’s as easy, or only incrementally harder, to use as less-secure alternatives.

[…]

Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor’s preferred choice.

[…]

At this point, I don’t know if it’s Google or Firefox that’s presenting me with this non-intuitive response. I just want to open LinkedIn using the passkey that’s being synced by 1Password to all my devices. Somehow, the mysterious entity responsible for this message (it’s Google in this case) has hijacked the process in an attempt to convince me to use its platform.

Rui Carmo:

As someone who logs in to my corporate environment daily (sometimes more than once) using passkeys, I can certainly say that they are borderline usable in very specific contexts, but a complete mess where it regards interoperability.

Dan Moren:

The fundamental problem is that while the idea of passkeys is excellent, the implementation of it has been a mess. Every platform and site seems to have its own different way of handling the process, and what should be simple has instead become extremely confusing.

[…]

And I’m not even restricting that to non-tech-savvy users. I’ve run into multiple sites where I have set up a passkey and it doesn’t work correctly. Just last night I was trying to log into iTunes Connect on my iPhone: iOS showed I had a passkey and offered to use it, but for some reason, the site kept throwing an error. Maddening.

Shriram Krishnamurthi (via Venkatesh-Prasad Ranganath):

One of my great fears of passkeys — that I have not seen anyone talk about from a usability perspective […] is helping parents with their accounts. Right now I have access to their passwords. If they switch to passkeys, it becomes a lot harder for me to impersonate.

Rick Mondello:

Yes, I’ve seen the Ars piece about passkeys, and to be honest with y’all, I’m genuinely confused by it and can use help making the feedback actionable.

I do agree that it’s a problem that websites that have adopted passkeys aren’t using them to replace passwords and one-time codes.

I acknowledge that different platforms and operating systems have different user interfaces and experiences, in general, and regarding passkeys. I’m having a hard time quantifying whether that’s even a problem.

Adam Shostack:

I think the biggest thing is to (a) ensure dialogs are clear about what software is presenting them (b) where it plans to store the key and (c) letting people configure what their preference is for passkey management.

[…]

I learned recently that this is a 1password dialog*, despite having a different icon than the 1password icon. Also there’s no icon at all in the expando version.

*Or maybe it’s a firefox dialog that’s being integrated or hijacked in some way?

Ricky Mondello:

I vibe with this. Does anyone have any examples of where and how any vendor’s dialogs around passkeys might lead people astray?

Ricky Mondello:

I think it’s been a profound mistake on 1Password’s part that 1Password on desktop intentionally ignores the platform-native way to plug passkey data into web browsers and instead implements passkeys by hijacking the web API via their browser extension. (On iOS, however, they properly integrate as a data source.)

Ricky Mondello (Mastodon, tweet):

Obviously, authenticating to websites isn’t an either-or binary between passwords and magic links. Passkeys — the next-generation authentication standard defined by the FIDO Alliance and W3C, with backing from all of the major platforms, browsers, and credential managers — can be layered nicely into a magic link-based system to give users a secure and fast sign-in experience without the frustrations that come with switching apps to refresh one’s email. They’re complementary technologies, because passkeys can do this in a way that seamlessly coexists with, and is in fact supported by, email magic links for people who don’t yet have a passkey, don’t want a passkey, don’t have the device stability to use passkeys, or would prefer to sign in with a magic link this one time.

[…]

My local grocery store, one of the many Albertsons companies, has taken to preferring an email magic link over my easily-AutoFilled password, and it frustrates me every single time I try to sign in. Once you’ve experienced a world where signing in to websites and apps is so seamless it requires next to no thought, while still being secure, you never want to go back.

But I also kind of love magic links, because they acknowledge — no, radically accept — some fundamental truths. […] almost all online accounts can eventually be signed into by proving possession of an email address; this is usually phrased as “forgot password?”

[…]

On iOS and Android, in notable contrast to magic links, passkeys are directly usable across web browser apps and system web view experiences.

Leon Cowle:

Color me skeptical about passkeys (sorry Ricky!). I love the idea of them. I even use them myself (where possible, which isn’t a lot). But I’ve yet to find a non-techie that’s even heard of them. But more importantly, with passwords, password managers, one-time login links via email, SMS 2FA (yuck), email 2FA, hardware 2FA (for security nerds), I can’t help but wonder if the ol’ XKCD won’t end up applying here too?

[…]

I HOPE I’M DEAD WRONG AND PASSKEYS TAKE OVER THE (auth) WORLD!


To quote Marvin the robot in words and in spirit, "It sounds awful."


If the only way Passkeys can succeed is by forcing people to use them, by banning traditional passwords, then Passkeys is a technology that does not deserve to exist.

I don't want Passkeys, Magic Links, 2FA or any of this careering sloptech by evangelical technologists so desperate to "change the world" and "put a dent in the universe" that they won't stop and ask if they have a social licence to change the world from under us.

I want a username field, and a password field, and how I choose to store the credentials at my end is up to me. I don't want someone asking if I'm on a device I haven't used before, or in a place I haven't been before.

If the credential can't be easily written on a piece of paper, and stored offline in a safe, I have no interest in it.