Passkeys - Ready or Not?

Has anyone tried to use passkeys? I’m considering using them in conjunction with 1Password. I’ve seen: Michael Tsai - Blog - The Dark Age of Authentication, and it leaves me wondering: are passkeys a hot mess, as Michael implies?

1 Like

I have signed up for Google’s and Apple’s passkeys and try to use them whenever I have the option. I use iOS, Android, macOS, and Windows daily, which might be an issue? I am kind of confused by passkeys (granted, I have never put the effort into learning how they work either). When I am presented with an option to use them, they seem to work well, but I don’t understand the requirements or how it works really. I still use 1Password for regular passwords just as much as ever. I still have to authenticate Apple stuff by going to a different Apple device. Google often tells me to log on to another device’s Gmail or YouTube app. I don’t understand when I can use them and when I can’t. I don’t know if using different OSes might cause them not to work, or if sometimes I just need to use passwords for some other reason.

My opinion is that it doesn’t hurt to sign up, they work, but life has not changed at all in how I log into services. I barely notice them in daily life.

2 Likes

When they work it’s magic. But alas, many times it feels random. Apple in particular likes to pop up a stupid QR code on my Mac that I need to scan with my phone, which is worse than using a password (with 1Password autofill).

8 Likes

I waited for Bitwarden to support passkey sync between mobile & desktop so I could try them as an additional alternative login method.

In my testing this forum and GitHub allow passkeys to be used as a single login method. I was also able to create a second passkey for the MPU forum in my iCloud Keychain and can choose either of my two passkeys to use at login.

Other sites seem to only allow passkeys to be used as a second factor.

For now I’m only planning to use passkeys on sites where I can still have a username/password fallback since it’s still early days. YMMV.

2 Likes

For reference, this is a helpful directory for checking where they are available (as there are some regional differences; for example, they weren’t available for PayPal outside the US until recently).

1 Like

I gave up with them. Too confusing and inconsistent.

2 Likes

I didn’t know that the MPU forum supports this now (I’m using a passkey as 2FA factor here, but will change that now).

Thank you for pointing this out.

(I try to use passkeys wherever possible; not many places yet :cry:)

3 Likes

I’ve had to delete and redo my Best Buy passkey. I had to disable the passkey for my children’s Roblox account because the authentication experience actually got worse. I had to delete the passkey for my PlayStation account for the same reason.

I can tell that passkeys are not doing well because some vendors like Ubiquiti are still hounding me to turn on 2FA rather than jump into the muck that is passkeys.

That being said, the promise of passkeys still makes me hopeful that the industry will figure this out once they get beyond their AI craze.

2 Likes

Most sites primarily use it in place of a 2FA code. But, it’s been straightforward for me to create and use on almost every website.

1 Like

I am not happy about the issue of not being able to export passkeys in case of changing password managers.

As far as I am aware, no app offers the export of passkeys. And I don’t like that very much.

I am using passkeys on some websites, but not very many.

3 Likes

I’ve tried passkeys on two sites. One has a problem with their implementation, IMO. Not surprising because the site has always been a pain. Passkeys work well on the second site but they still require me to use 2FA, and I’m not turning that off as long as my username/password is still an option.

So I’m not currently using passkeys. When banks and financial institutions, etc. start using passkeys I’ll give them another try.

1 Like

I’d like to share a few observations, but I need to acknowledge and call out my bias first: I work for 1Password, so my perspective is coloured by the fact that I’m more directly involved in this industry-wide effort than most. That said, I’m not posting on the company’s behalf here, just sharing an individual perspective.

The thing about passkeys is that they’re an evolving standard (and btw it’s not a proper noun—it’s “passkeys”, just like “passwords”). We’re comparing them to a system that’s been established for decades, so naturally there’s a lot more polish on that side.

On this forum in particular, it’s also worth noting that we’re mostly comparing them to the “best case scenario” version of passwords, which is to say passwords via a password manager. That means you’re already used to autofill, biometric unlocking, and handling of 2FA codes. That’s already pretty darn streamlined, and it’s certainly quite secure. But it’s the most secure and convenient version of an old-school approach. That doesn’t make it bad or worthless, but it’s worth remembering that it leaves room for improvement and that, when it comes to the safety of the data that runs our lives online, improvements are worth pursuing.

We’re in a period where everyone is coming together to agree on a set way to implement, use, share, and export passkeys. The trouble is that “everyone” in this case is platform vendors, major third party interests, and websites. Getting them all to agree on things is challenging, for obvious reasons. The FIDO Alliance is doing its best, but it’s still a time consuming process.

For example, there’s a lot of discussion about not being able to export passkeys—that’s largely true, and it’s valid. But the reason isn’t that no one has thought about it, or that password managers haven’t gotten around to implementing export, or that everyone is trying to lock you into their ecosystem. The issue is that we’re all trying to agree on a method of making them exportable that doesn’t put the data at risk.

The whole point of passkeys is to improve on the security of passwords, so if the export method falls back to plain text or something similarly vulnerable, we haven’t succeeded. Some vendors might be willing to implement export along those lines, but in doing so they’d be making a choice in favour of convenience over security. And even if they do, without a shared approach, it doesn’t matter if you can export passkeys from one credential manager because you wouldn’t be able to import them anywhere else. There’s some good discussion around this topic in a recent Reddit AMA.

All of this to say that, while it might be tempting to look at the current state of things and conclude that passkeys are a failed experiment, I’d encourage a longer view of the situation. We’re in the midst of a major transition period, and until the remaining corners of the passkey standards solidify, it’s going to be bumpy.

When my friends ask if they should start using passkeys, I tell them they should try them out to get used to how they work. I also warn them not to expect to be able to use them everywhere for everything yet. It took decades for seatbelts to make their way into all our cars even though it was clear from the early days that they would save lives. Change is hard! And slow. And, sometimes, worth it.

15 Likes

Marius - wow, thanks. This is amazing insight. For those of us trying to get used to passkeys do you have 4-5 sites that you think have done it well? I want to dip my toes in and don’t know where to start.

@RunningBoris your confusion mirrors my own, hence the thread.

@fuchsr I love magic when it happens.

@liminal Thanks for the specific suggestions on sites.

@dario A directory, cool.

@Clarke_Ching I get the confusion, I also know that these are coming and will matter soon enough. (Pssstt - aren’t you and I the ultimate early adopters of everything?)

@hmurchison Another reason not to use BestBuy.

@dustinknopoff Interesting, I didn’t know sites were using it to replace 2FA. Seems odd.

@WayneG Thanks - as the early adopter of my family, I figure it’s my job to figure this whole thing out.

2 Likes

So, in other words, they are not ready yet. While it was nice to actually see an explanation of why, in the end, the why doesn’t really matter. If they are not usable in the real world, then they’re not worth wasting my time on.

Apparently while resetting my Amazon password, I switched to a passkey and it broke all sorts of stuff. The Parcel app stopped working with my Amazon account, I couldn’t log into my personal account from my work machine (which does not sync with my personal keychain), and I couldn’t even log in from a personal device when I didn’t have with me whichever device I originally set the passkey up with.

That’s really surprising! I haven’t seen any website only offer passkey login even behind a setting to toggle that on. I’d be curious how you managed that (if only to make sure I don’t press it :grin:)

Interesting, I didn’t know sites were using it to replace 2FA. Seems odd.

It’s quite similar in the sense that it’s user/pass as the primary authentication and the secondary authentication is effectively “is this a device you’ve already logged in from and/or has access to a cloud manager storing the private key.” That’s not too different from “do you have access to a previously registered device which will generate a random code.”

It’s also, I think, a way of dipping one’s toes into passkeys, but mostly in a “wait and see where the industry goes” manner.

1 Like

Like others have mentioned, Discourse (the engine powering this forum) has a straightforward passkey sign-in option, so that’s an easy and low-stakes one to try.

Beyond that I definitely recommend cruising through passkeys.directory (linked above) and giving it a shot with any of the sites you have an account with. At this point, most websites only allow passkeys in addition to traditional password authentication, so there’s not a lot of harm in trying them out. If they’ve implemented them strangely, or you don’t like the experience, you can just not use the passkey, or even delete it (both on the site and in your credential manager) and continue using your password to sign in as before.

Whether you have a good experience or not, it’s worth letting the website vendor and/or passkey credential manager know about it so we can continue to smooth out the rough edges.

6 Likes

Thanks. I’m a big fan of filling out support requests and bug reports. Some vendors (including 1Password) put real effort into support.

I’m not expecting passkeys to work perfectly for now. This is dip the toes time. I can afford MPU - but not Amazon, Google Apps or Github.

1 Like

I’m quite sure I was one of the first people to use the phrase “early adopter” … :thinking:

So we’re both contemporaries of Everett M. Rogers. I will admit, I wasn’t quite reading when his book Diffusion of Innovations was published in 1962.