Google, Apple and Microsoft: A password-free future is in the making (FIDO/Passkeys)

Interesting articles, thanks for posting them.

IMO password managers will definitely have a business use case. So it will be interesting to see how quickly the “big tech companies” will implement the export/import of passkeys. The temptation to use them as another way to lock in users must be overwhelming.

Re: criminals “recovering” your ID. This has been and always will be a major vulnerability. If anyone can help me if I forget my password then my data is not as secure as possible.

I would normally expect financial institutions to welcome passkeys with open arms but I suspect they may be among the last to adopt them. Any institution that uses SMS for 2FA values customer service more than security.

Absolutely! Especially in teams where there is a need to share passkeys securely! I should have written “for personal use” instead of “regular user”. :slight_smile:

1 Like

The third party managers are the ones who are going to do a good job providing a useful mix of attestation services you control. E.g., 1Password will help you manage (mostly look at) your super-locked-down key that your bank (hopefully optionally) requires, and at the same time, make it easy to use and move your portable keys for typical logins.

1Password released (beta) passkey support today :tada:

One year later. Passkeys are there, the big password managers do support them, Apple is supporting them. But it still is geeky and not trivial to use them.

My issues:

It is confusing that passkeys are being used in different manners, depending on how a service implements them. Some services do use passkeys as a password replacement and a quick way to log in (which is what I expected), some are using passkeys as a second factor (I do not get that approach at all). I see passkeys as a password replacement, but I think that as of today, they need to be seen as an option, no more, no less. For sure, deleting a password when a passkey is being set up by a user is not the way to go. There was a nice discussion on ATP a few days ago (well worth listening to). John Siracusa basically nailed it and explained what his issues are with passkeys as of today:

“It’s like, oh, so you support passkeys? I don’t know what you’re going to want from me. If I enable this passkey, are you going to remove my password and my password won’t work anymore? (…) But passkeys, there are still some technical limitations. The export-import flow for passkeys is supposedly coming soon, but it’s not available yet. (…) Every website that uses passkeys can pick a different policy, and you really never know what it’s going to be. Can you just log in with the passkey by itself? Can you keep the password in the passkey? (…) My stance is anytime there is a passkey, I would like to use it instead of a password, but I’m not even always given that option. So I think we are in a transition period, and it’s fine for you to dip your toe in. (…) I’m optimistic about technology, but it is still young.”
(Source: John Siracusa on Accidental Tech Podcast: Boot to Toot, October 10th, 2024 - Apple Podcasts URL because of the transcription feature to read the actual text; Relay.fm ATP URL)

FIDO Alliance Publishes New Specifications to Promote User Choice and Enhanced UX for Passkeys - FIDO Alliance - Just in from yesterday! :slight_smile: Finally. “The FIDO Alliance has published a working draft of a new set of specifications for secure credential exchange that, when standardized and implemented by credential providers, will enable users to securely move passkeys and all other credentials across providers.”

Passkeys need to be simple, secure, easy to use, and you have to be able to take them with you in case you decide to switch apps or platforms.

Still early days, but I still think that we are moving in a good direction on this one. :slight_smile:

2 Likes

And meanwhile, on the other side of the spectrum, I still have some sites offering to text/email me login links instead of just having me use my password. Security is getting better and worse simultaneously.

2 Likes

That sums it up. What I’m usually seeing is: Enter username, Do you want to log in with your passkey?, Enter OTP.

In other words, using a passkey, right now, adds a step to the login sequence. It’s going to take some time before they can remove the training wheels.

2 Likes

It depends. Sometimes, it does work flawlessly and automatically with no extra step, if the service does not bother to ask which method I want to use. Just request the passkey and log me in.

If it is being done like that, it is a good experience. If for some reason this fails, just present me with the option to try again and offer different methods like the “old” password way. If the service starts with asking which method I want to use, it already has failed my usability exam. The same is true if it uses the passkey only to ask for a second factor afterwards (for regular logins), or when it asks for the password only to request the passkey as the second factor after that.

If you know that I have a passkey: leave me alone, take it and log me in. No questions asked. :slight_smile:

2 Likes

It seems like some of the companies implementing them are thinking of passkeys as a single authentication factor in a 2FA setup. But passkeys are two factors (“something you have” and either “something you are” or “something you know”).

1 Like
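As an added illustration of the two points above (the "just take the passkey and log me in" flow with no username prompt, and a passkey already counting as two factors), here is example code that is not from the thread or from any of the products mentioned. It shows the WebAuthn request a site can issue for a discoverable credential, and the server-side check of the authenticator's User Present (UP) and User Verified (UV) flags that tells it whether an OTP step afterwards is redundant. The rpId, challenge bytes and sample authenticator data are constructed placeholders.

```javascript
// Added example, not code from the forum thread. Helper logic for a
// relying party that wants passkey login without a username prompt.

// 1. Browser side: ask for a discoverable credential. An empty
//    allowCredentials list lets the authenticator pick the passkey itself,
//    so the site never has to ask "what is your username?" first.
function buildPasskeyRequest(challengeBytes, rpId) {
  return {
    publicKey: {
      challenge: challengeBytes,      // fresh random bytes from the server
      rpId,                           // e.g. "example.com" (placeholder)
      allowCredentials: [],           // discoverable credential: no username step
      userVerification: "required",   // insist on biometric/PIN at the authenticator
    },
    mediation: "conditional",         // offered via autofill, no modal up front
  };
}

// 2. Server side: inspect the flags byte of authenticatorData (byte 32,
//    right after the 32-byte rpIdHash). Bit 0 = UP, bit 2 = UV.
function parseAuthFlags(authenticatorData) {
  const flags = authenticatorData[32];
  return { up: (flags & 0x01) !== 0, uv: (flags & 0x04) !== 0, flags };
}

// 3. Possession of the key plus UV (biometric or PIN) is already two
//    factors, so a further OTP is only needed when UV was not performed.
function needsAdditionalFactor(authenticatorData) {
  const { up, uv } = parseAuthFlags(authenticatorData);
  if (!up) throw new Error("assertion without user presence is invalid");
  return !uv;
}

// Constructed sample authenticatorData: rpIdHash (32 bytes, placeholder),
// flags byte, 4-byte big-endian signCount. Not from a real authenticator.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data.fill(0xab, 0, 32);   // placeholder rpIdHash, not a real SHA-256
  data[32] = flags;
  data[36] = 1;             // signCount = 1
  return data;
}

// Browser usage (skipped outside a browser): run once the server has
// supplied a challenge; the assertion is then posted back for verification.
if (typeof navigator !== "undefined" && navigator.credentials) {
  navigator.credentials.get(buildPasskeyRequest(new Uint8Array(32), "example.com"))
    .then((cred) => console.log("assertion for credential", cred.id));
}
```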

I suspect that’s simply down to ease of implementation: “We support passkeys” without having to redesign the login flow.

As somebody who writes code for websites, I don’t disagree. But the whole point is to simplify - not add complexity because it fits the previous model. New technology requires new implementations. :slight_smile:

1 Like