• @Katana314
    21 days ago

    I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernible controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.

    I think it’s very easy to claim this specific app / account was not implementing passkeys well. But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere? I haven’t seen anyone get the concept of passwords wrong, and even if they don’t understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.

    • @[email protected]
      123 hours ago

      loaded an HTML login page that had no discernible controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use

      I use Bitwarden, yet not macOS/iOS. Whenever a passkey dialog from the wrong authenticator comes up, I choose option other to redirect to a device running Bitwarden: I see macOS & iOS offer similar controls. However, Bitwarden’s passkey dialog (section with links to configuring that) usually pops up, so that isn’t necessary.

      But if that’s the case, how can I guarantee any other accounts I move over won’t fuck it up somewhere?

      Save a recovery code in Bitwarden (add field type hidden named Recovery code to the login entry)? That’s standard practice for me, though I’ve never needed them.

      I haven’t seen anyone get the concept of passwords wrong

      I have control of the copy-paste function and can even type a password myself if needed

      I’ve seen forms disable paste. Much can go wrong with passwords. Passwords require sharing & transmitting a secret (a symmetric key), which either party can fail to secure. Passkeys, however, never transmit secrets. Instead, they transmit challenges using asymmetric cryptography. The application can’t fail to secure a secret it never has. Far more secure, and less to go wrong.

      The password field is a more manual, error-prone user interface. With passkeys/WebAuthn, you instead supply a key that isn’t transmitted: easier than passwords when set up correctly, & nothing to do until it’s set up correctly.

      Similar situation with ssh: though it can accept passwords, ssh key authentication is way nicer & more secure.