{"id":48165,"date":"2025-06-20T16:40:05","date_gmt":"2025-06-20T20:40:05","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=48165"},"modified":"2025-06-20T17:45:01","modified_gmt":"2025-06-20T21:45:01","slug":"forcing-passkeys","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/06\/20\/forcing-passkeys\/","title":{"rendered":"Forcing Passkeys"},"content":{"rendered":"

Jeff Johnson<\/a>:<\/p>\n

The new setting is enabled by default; I’ve seen this on multiple computers.<\/p>

Automatically create a passkey to sign in faster\n
<\/br>Allow sites and apps to upgrade existing accounts to use passkeys<\/blockquote>

This new setting is not actually included on the What’s New in Chrome page (chrome:\/\/whats-new\/<\/code>), which doesn’t even mention passkeys.<\/p>

It is mentioned by the New in Chrome 136<\/a> post on the Chrome for developers blog:<\/p>

You can now upgrade existing password credentials to a passkey.<\/blockquote>

“You” here apparently refers to web developers, not to users, who aren’t given a choice[…]<\/p><\/blockquote>\n\n

Brandon Vigliarolo<\/a>:<\/p>\n

Microsoft has decided to push its consumer customers to dump passwords in favor of passkeys.<\/p>

The software giant announced<\/a> the move Thursday, May 1, traditionally known as “World Password Day,” with a declaration it had joined forces with the Fast Identity Online (FIDO) Alliance to re-name the pseudo-holiday “World Passkey<\/a> Day.”<\/p>

Redmond’s not just playing with words as the Windows giant has also decided that all new Microsoft accounts will use passkeys by default.<\/p>

[…]<\/p>

As we noted late last year, Microsoft isn’t giving its customers an option to continue using passwords, saying that opting out of passkey invitations wasn’t possible<\/a>.<\/p><\/blockquote>\n\n

Troy Hunt<\/a>:<\/p>\n

\n

This is a good point to reflect on the paradox that securing your digital life presents: as we seek stronger forms of authentication, we create different risks. Losing all your forms of non-phishable 2FA, for example, creates the risk of losing access to your account. But we also have mitigating controls: your digital passkey is managed totally independently of your physical one so the chances of losing both are extremely low. Plus, best practice is usually to have two<\/em> U2F keys and enrol them both (I always take one with me when I travel, and leave another one at home). New levels of security, new risks, new mitigations.<\/p>\n<\/blockquote>\n\n

Most people are not going to do this, so it seems like the end game is that either users will lose control of their logins or that passkeys will become mainly a convenience for quickly logging in, with passwords, SMS, and e-mail as a less secure fallback.<\/p>\n\n

Isaiah Inuwa<\/a> (via Ricky Mondello<\/a>):<\/p>\n

\n

With the announcements from big companies at World Password Day about passkeys, I thought I should share what I've been working on for passkey support on Linux.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n