Passkeys are just passwords that require a password manager

The design of passkeys is pretty solidly based around the idea that users are the weakest link the system and need to be protected from themselves. Given how criminally insecure passwords and push/code based MFA are in the face of user incompetence I have a hard time believing that WebAuthn is some grand plot by Big Tech to lock people into their walled gardens.

I think people on HN overestimate the security literacy of the average computer user in a personal/corporate setting. If a sophisticated attacker wanted to target an organiztion with passwords/push auth, it'd be trivial to get some subset of members to copy-paste passwords from managers and accept prompts. I think far more likely than lock-in is that FIDO members genuinely want to make their customers more secure, something that passkeys very much do accomplish for the average user.

That being said, I'm not rushing to enable passkeys on every site. If you already use a good password that enforces origin binding (the key strength of WebAuthn) and you extend that security perimeter through good OpSec (i.e., being careful when copy-pasting passwords), you're not getting much benefit.

Passkeys are the easiest way to lose access to your account.

Passkeys seem like alpha software that somehow got shipped by mistake. Wake me up in 5 years when/if they are actually safely usable (not just securely usable). Until then I advise my family members to stay away from them and I think everyone else should too.

I don’t get the sentiment of the article.

The whole point about passkeys is to replicate the exact UX of passwords (registration, reset…) but offer protection against phishing, by using public key crypto.

If you want a different UX, use a hardware security key. But these failed to reach consumer adoption.

And of course the FIDO2 standard didn’t specify (yet) a way to move passkeys around, so each implementation chose their own way to do vendor lock in. But this will be fixed in a few iterations.

The article already defeats itself in the title: password managers are a must-have. One needs to choose a good password manager, but that's already true.

The fact that you can't actually see the passkey is absurd. I understand it's a "feature" prevent phishing — victims have a lot less to share — but it constrains more sophisticated storage and use of passwords.

My understanding of Passkeys used to be that they were hardware-bound, so stored in the system’s TPM, Secure Enclave, whatever. Somewhere they can’t be retrieved. As soon as I realised that wasn’t the case I lost all interest in Passkeys.

Why would I bother when it’s basically just a password? Some services I’ve seen dangerously accept it as a form of 2FA, when it’s anything but.

  To present a passkey, you have to use a password manager. This provides some anti-phishing protection.

The lock-in issue is more complex:

- I write a VS Code extension for plain text passkey storage for simplicity. Do you allow servers to reject this? What should they reject? To oversimplify, the corporate folks argue for more control, the open source folks for less.

- There is an exchange protocol in the works for data migration: https://fidoalliance.org/specifications-credential-exchange-...

A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you login, but the site/app has no way of knowing/proving whether that happened; they just get the password.

Thought sites can request hardware attested passkeys? In this case usb keyfob, or passkeys instanced from a secure enclave, etc.?

It's telling that the "exchange protocol" was only begun to be developed after the main spec was written, and apparently as a response to pushback from the community. I can't imagine designing something like that and not having this be a core part of the feature set from day one. It's not even necessarily about switching vendors. When you first learn about passkeys, something as basic as what you need to do when you get a new computer is unclear. "The passwords are yours, we're just giving them a bodyguard" should have been the message from day one, but it wasn't of course, because that wasn't what was actually being pitched.

I want to point out a subtle part of this critique: I don't necessarily think that vendor lock-in or anything like that was an intentional goal (I make no claim either way there), but rather what is worrying to me is that the experiences of the designers of this technology seem to be so different from ours that this feature wasn't an obvious v1 need, and as such makes me worried that the "solution" will also not be representative of what we actually need (perhaps it will be overly complicated and focus on the large vendors and not on being able to extract them easily yourself for example). This all sort of makes sense though, given that it seems to have had significant influence from humongous corporations like Apple and Google, where the idea of moving away sincerely confuses them.

All of the "FIDO Alliance"[1] copy has a distinct tone of them seeing their job as chaperoning users like kids who don't know any better and are in constant danger of hurting themselves on the playground. Even the end user benefits read like business benefits on that site, with such gems as "Higher sign-in success rates". That made the list for convincing users? It's as if they've grown exasperated in trying to "teach" people about phishing, it feels like the obfuscation is a feature of passkeys, a long awaited release from the burden of learning about passwords. Which, to be clear, would possibly be great, if it handled the things people care about. But this obfuscation goes beyond the "implementation" and into the "usage". It goes from "it's simple to use" to "don't worry your pretty little head over that". I've found the whole thing rather bizarre, especially since many people on the browser side seem either oblivious to pushback, or annoyed. There is a unique "just trust us" feel to the this feature.

A brief note: This isn't all that unexpected for completely non-nefarious reasons. I've spoken before about a common pattern I've witnessed where "platform owners" (where "owner" can be anything from a "company" to a "developer") usually start off empathizing with the user, but the longer they work on the platform, the more contempt they develop for the user and the more empathy they develop for "the platform". I've seen it everywhere from language and compiler developers (where the more senior they are, the more the features they suggest tend to make the "compiler's life" easier, such as complex features that enable performance boosts, instead of trying to figure out how to make the code people write go faster; to web engine developers, who over time suggest lower and lower level features (such as WebGPU or WASM) vs. "going big" on high level semantic features, etc.). This makes sense if you've ever worked in these environments, the nature of bug fixing and reporting is such that you get an incredibly lopsided biased view of the usage of the platform: you see all the worst usage of it. Day after day, it can demoralize and lead you to think that what users need is in fact to have less say in what goes on, your trust in their ability to learn or improve degrades, and with it "ergonomics" as a first priority.

1. https://fidoalliance.org/passkeys/

> Passkeys make it harder to switch password managers, because you can’t copy and paste them

Does it not depend on the manager? Doesn't keepass manager allow open access to your passkey so you could also copy and paste it?

> To present a passkey, you have to use a password manager.

This is what makes passkeys nonstarters for me.