• @[email protected]
    link
    fedilink
    English
    91
    edit-2
    1 month ago

    The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts.

    Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

    If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

    Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

    The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

    • @[email protected]
      link
      fedilink
      English
      291 month ago

      people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.

      vendor lockin will happen if we adopt passkeys as they are right now.

      • @[email protected]
        link
        fedilink
        English
        161 month ago

        Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)

        • @[email protected]
          link
          fedilink
          English
          8
          edit-2
          1 month ago

          I’m definitely holding off on passkeys until that project is finished. I also don’t want vendor lock in and while that seems like the solution, it seems like they just started working on it.

          • Encrypt-Keeper
            link
            English
            1
            edit-2
            1 month ago

            The interoperability already exists in the protocol webauthn, part of FIDO2 which has been around for almost a decade. Interoperability is not remotely an issue with passkeys. Imported/export is/was and also already has a solution in the works.

            • @[email protected]
              link
              fedilink
              English
              21 month ago

              So I can use the same passkey from say, bitwarden and windows hello? Why do you even need import export then?

              • Encrypt-Keeper
                link
                English
                21 month ago

                Yes you can use a passkey set up on any given service to authenticate to a service that supports passkeys. You’d need import/export to move a given passkey from bitwarden to Windows.

    • exuOP
      link
      fedilink
      English
      151 month ago

      QR codes are good 50% of the time; when you’re trying to log in on a pc.
      The reverse case is extremely annoying

      • @[email protected]
        link
        fedilink
        English
        91 month ago

        Could you elaborate? I am assuming that everbody would have the password manager on their mobile phone with them, which is used to scan the qr code. I think that’s a reasonable assumption.

        I agree that if you wanted the pc to act as the authenticator (device that has the passkey) it wouldn’t work with qr codes. But is that a usecase that happens at all for average people? Does anyone login to a mobile device that you don’t own, and you only have your pc nearby and not your own mobile phone?

        • exuOP
          link
          fedilink
          English
          61 month ago

          I’m thinking of phone recovery, where you’re trying to get all your stuff back on a new device.
          With a password manager, simply logging in will get you there and until passkeys can be synced automatically just like passwords this will need to be handled somehow.

          • @[email protected]
            link
            fedilink
            English
            12
            edit-2
            1 month ago

            I hope I am not misunderstanding you. What you are worried about is passkeys in the password manager not syncing to new devices? They are though, with password managers that support passkeys like Bitwarden, ProtonPass, 1Password etc…

            Currently using it on Bitwarden, if I log in to a new device, the passkeys are there.

            • exuOP
              link
              fedilink
              English
              31 month ago

              You understood correctly. Seems like I missed some news on the syncing front.

    • @subtext
      link
      English
      21 month ago

      It could be your browser / system that is struggling to show it. When I use my work computer and Microsoft edge, I don’t think I’ve ever had a situation where the QR code didn’t work. When I use flatpak’d Firefox on my Linux laptop, I experience more trouble, probably because of the sandboxing.