Hacker News

rntn
Amazon says 175M customers now use passkeys to log in (bleepingcomputer.com)

zeagle 19 hours ago

My spouse accidentally set up a passkey with Amazon. She really had no idea what she did or agreed to when I asked her about it. I think there are some dark patterns here.

SlightlyLeftPad 17 hours ago

Am I the only person who hates passkeys? I got locked out of my Gmail account because the browser couldn’t figure out whether I used iCloud Keychain or another app, which resulted in my actual passkey not being read as valid.

Some sites also remove the ability to enter a password and 2FA when you have a passkey configured. Your only option is to do an account recovery.

These same sites try to get you to accidentally turn on passkeys at every turn. The user experience is almost always worse, particularly if you already use a password manager.

out-of-ideas 16 hours ago

i'll die happy using user+pass+totp if i can get away with it

namaria 5 hours ago

The unspoken truth of 'cybersecurity' (even the name is part of this pattern) is that bolt-on complexity will always reduce safety. Computer security is not that hard. What is hard is selling complexity as a vector for vendor lock-in and then bolting on security on top of that. Every new feature, every new line of code will introduce potential vulnerabilities. Every extra bit of complexity will make the systems more vulnerable overall. And the pattern is also followed by the 'cybersecurity' providers. The more complex they make the song and dance, the more dependent their customers become long term.

Normal Accidents opened up my eyes to this grift. I highly recommend the book.

al_borland 20 hours ago

I’m curious how many of those 175M know they are using passkeys, and how things go over the next several years as they upgrade to new devices. I have a feeling a lot of trust is being placed in systems the users don’t even know exist.

As far as being able to log in 6x faster, is this a big deal? I can’t remember the last time I had to log in to Amazon. It feels like it’s been years.

Schiendelman 19 hours ago

I think almost any device that uses passkeys today has continuity to device upgrades. Perhaps if someone changes ecosystem they'll have to create a new passkey, but they'll do that with an OTP via email, likely.

nytesky 19 hours ago

On iPhones, aren’t the passkeys stored in iCloud Keychain and managed with the nifty Passwords app (I’m happy to have a real interface finally)? I assume similar cloud storage for Android phones?

al_borland 19 hours ago

I’m thinking if someone decides to change browsers, or changes ecosystems. Say they have all their passkeys in Apple Passwords, then they move to Android. Or they have everything in Chrome, then move away from Android and don’t bother downloading Chrome and logging into their existing account. If the user doesn’t understand what this stuff is, why would they think to account for it during a migration?

I have a friend who just last year was talking about getting a new phone number with his new phone. My first thought was, “won’t that break all your 2FA and lock you out of your bank and a bunch of other stuff?” He had no idea and didn’t think he had any of it, but most of that was stuff I didn’t opt into, but simply exists now. I’m not sure how he couldn’t have any of it. He ended up not doing it, but I think someone could very easily screw themselves.

acdha 19 hours ago

Most services I’ve seen do not make passkeys an all or nothing proposition so they’d likely still be able to use a password reset + SMS challenge, but I think the concern is real about switching between platforms. They’ve promised portability but implementations are still AWOL.

out-of-ideas 16 hours ago

i'm also curious if the 6x faster is from the lack of having to click on pictures of traffic lights, bicycles, etc.

bravetraveler 17 hours ago

I've been tricked into these when I meant just normal 2FA. The worst implementations make it act as a third factor

bdjsiqoocwk 17 hours ago

What's a pass key? How's it different from a password?

Woodi 12 hours ago

Second, ^this :>
