Passkeys - Ready or Not?

I don’t think they need to be ‘ready’ in any particular sense before you start using them as you always have a login/password/2FA combination to fall back to, so I’m currently viewing passkeys as an added convenience and have them activated wherever they are available. Only one major company has been brave enough to launch an entirely passwordless login so far, and that’s Microsoft.

In fact, if you’re in the Apple ecosystem entirely, they’re pretty advanced now as iCloud keychain syncs them and then detects them and fills them in just fine, and the experience is pretty seamless (I’m not going to say the system is as good as it will ever be but currently Apple is at the forefront with syncing and passkeys support). Authorising with a nearby iPhone when passkeys are not available in the browser also works well.

1 Like

I haven’t found a service yet where they work consistently. Half the time despite setting them up I just get the username/password prompt instead of the passkey prompt.

Google, for example, works well on all iOS devices, at least for me; when prompted, I select a passkey login. Amazon also works well for me but still requires an additional 2FA code. I just looked at my list, and I have passkeys active for around 25 services.

Google is pretty much the only one that works consistently for me.

No thanks. I’m not into doing beta stuff. When passkeys are polished, I might start using them.

Which totally breaks any security advantage that passkeys may have.

1 Like

I’m migrating Macs and the (1Password) passkey experience to log in here on the MPU forum for the first time on the new Mac was excellent :kissing_smiling_eyes:

2 Likes

David Heinemeier Hansson is making a case against passkeys, saying they’re worse than passwords+password manager+2FA and have problems that aren’t likely to be solved (John Gruber’s reaction here):

2 Likes

On 5 May 22 “Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium”

Since that time I have accumulated six passkeys, four this year. Two of those sites don’t always prompt for a passkey. Google uses their gmail.app for 2FA even though I have a passkey for each of my accounts.


And another company that I use does the same with their app.

I don’t know if there is a problem with passkeys, but there doesn’t seem to be a lot of support for them outside of the tech community.

1 Like

I like that passkeys cannot be phished.

2 Likes

I have no special expertise, but personally I think they’ll probably solve the remaining problems with passkeys, the biggest of which imo are the vendor lock-in and the risk of getting locked out of one or more of your accounts. (While the latter is also a risk with passwords, it’s clearer how to avoid it, at least to me.)

But until they manage to refine passkeys to the point that they’re just as practical and portable in the day to day world for actual users as passwords in a good password manager are now, I don’t see any immediate benefit in rushing ahead with migrating, and multiple downsides.

1 Like

Good point, and passkeys will be the most beneficial to the people who are least equipped or inclined to mitigate the risks of choosing, using, managing, and protecting their passwords.

I think they’re probably going to be better for us, too, but I’m not sure the benefits outweigh the disadvantages yet, at least for me.

I agree. It’s not worth the time to switch over when I’m already secure and can access passwords even if my device is lost/stolen.

Also, why is the messaging around passkeys so confusing? If they can’t convince someone interested in tech to move to passkeys, how are they hoping to convince everyday folks? I tried to find answers to questions I had and finally gave up.

Further, DHH is completely missing the benefit that it kills off whole classes of attack. You can’t be fooled into putting your password into the wrong website. It also takes out man-in-the-middle attacks.

4 Likes

I’ve enabled passkeys for quite a few service providers & find them incredibly convenient, but I currently have a few personal rules for using them.

  • Passkeys must be for the full login workflow. I have no interest in passkeys for MFA.

  • The passkeys must not be the only login method, being able to fall back to username/password is non-negotiable in these early days.

  • The service provider must allow me to create more than 1 passkey. If I can add a passkey to Bitwarden, Proton Pass (still testing this), and Apple Passwords (where I keep a subset of login credentials), then I’m good to go. This eliminates the vendor lock-in issue.

As always YMMV.

1 Like

Those are quite impressive numbers. The integration into operating systems and password managers is getting better and the lock-in of passkeys into one manager or operating system will be a thing of the past in the foreseeable future.

My two cents: passkeys are there to stay. They will be a success. They need time, but the big players are all fully committed.

3 Likes

Agreed! About the “need time” yes it’s also kind of a mess. Perhaps because it’s a novelty and these days I don’t have much time to get deep into what the flow is or should be, but the feeling that “when they work it’s like magic” is very real, because when they don’t I feel frustrated. I only enabled passkeys for Paypal and I cannot count the times I’ve had to open a browser other than Safari to finish an online purchase because Safari entered a loop asking for authentication one way after another. If two giants like Paypal and Apple cannot make it right… well, the technology is still rough.

But DHH is wrong here, in spite of his brilliance. Using a password manager and MFA seems simple only because we have gotten used to it, and passkeys are the right step.

1 Like

I currently have 6 passkeys enabled. One of them is Paypal and I agree: they are a perfect example of a bad experience - I have no idea what they are trying to accomplish over there. Two of them are Amazon accounts. The experience with Amazon is not good either: they ask for my email (no option to use the passkey on the first screen), the next screen asks if I want to use my passkey, and a third screen asks for a 2FA code (because I have enabled 2FA). I do understand why this is happening at Amazon. Most of their customers will log in with their email because they do not have a passkey, so it is easy to use the common denominator: the email address. Then they realize that there is a passkey connected to this account. All good. But requesting the second factor does not make sense for a passkey. Amazon apparently just uses the passkey instead of the password; the login routine is not really respecting the intended behavior for passkeys as far as I am concerned.

Two weeks ago I was in Nürnberg aka Nuremberg for a short vacation. After my check-in at the hotel, the experience was very nice: when I entered the door after coming back from the city I was greeted with a smile. They did not know me by name, but after the second day it was apparent that they knew my face and identified me as one of their guests. The ideal passkey experience for me is that I “enter” a service, the service recognizes me automatically after being presented with the passkey, and I am in, no further questions asked. A few days ago, Deutsche Telekom offered to let me enable a passkey. I did so. And I had this exact experience afterwards. I showed up at their website, I requested to log in, the passkey was checked and that’s it. That is how it should be.

And I am confident that this is how it will be when everybody has passkeys because eventually they just will be inside of your device’s OS passkey solution or a dedicated “password” manager of a third party, easily interchangeable and easily movable between passkey storage options. I think the big players will eventually turn the switch for passkeys being the default and other options being something that can be used if you choose to opt out of using passkeys. Will this happen soon? I do not think so. But I can imagine it to be possible within 5 years.

As of today, some power users that use password managers and have 2FA enabled do not see the potential of passkeys because they have learned the hard way how to use passwords securely.

The rest of the world is failing to use passwords securely though. Phishing is creating huge problems and service providers struggle to cope with the users’ incapacity to use passwords reliably and to implement 2FA - with all those known bad consequences of data theft, fraud and what not.

Are passkeys ready as of today? Yes and no. Yes, because they work seamlessly if implemented correctly. It is a very nice experience. No, because many services are using them in different ways and because migrating passkeys between managers or ecosystems still has to be implemented. This will happen and it already is happening. Passwords do not work for normal people and phishing is a thing. Passkeys have the potential to bring the real world experience of just showing up at the reception desk in the hotel lobby to the internet: Good morning, “Mr. Christian”! We will get to this point eventually.

2 Likes

Syncing passkeys across apps and platforms is an issue, but that one will be fixed and improved. It’s also easy to forget that 2FA solutions are not exactly migration-friendly either if you want to change apps, as some will not let you export the seeds—all of this still years after 2FA became a widespread security practice.

What DHH largely misses in his article is that most people still don’t use anything more advanced than a simple username/password combination. Years and years of telling people not to use the same password across multiple sites, and years of warning them not to click on suspicious links, yet phishing-related cybercrime is at its highest ever.

2FA is available, but try getting the less tech-literate people on board – there’s a learning curve, and it’s not quite simple. (It’s also susceptible to phishing, unlike passkeys.) It’s much easier for them to opt in when a message prompts them if they want to use Face ID to log in to a website (a passkey) than to set up a 2FA app. My mother can use this; I’ll never get her to use a 2FA app. This will take a while; it’s too early to bury the technology and say it has not lived up to its promise.

There are sites where passkeys have been implemented perfectly. Gmail is one example: I click on the login field, select to log in with a passkey from Bitwarden, and that’s it. Others will eventually follow.

2 Likes
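The two points made above, that a passkey cannot be handed to the wrong website and that a relayed login cannot be patched up in transit, come from checks the relying party performs on every assertion. The following is an added example, not code from the thread or from any vendor mentioned in it: the signature is modelled with HMAC over a constructed per-credential secret (real passkeys use a public-key signature such as ES256; the checks are the same), and the relying-party ID, origin and challenge are constructed. In practice the browser refuses to even produce an assertion for a lookalike domain, so the server-side origin check is the backstop shown here; the example also covers replay of an old assertion.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not from the thread: relying-party checks that make a passkey
# assertion useless to a phishing or relaying site. Simplification: the
# signature is modelled as HMAC with a per-credential secret; real passkeys
# use a public-key signature (e.g. ES256), the checks are the same.
RP_ID = "example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # the only origin this RP accepts

def authenticator_sign(cred_secret: bytes, origin: str, challenge: str) -> dict:
    """Browser + authenticator: the browser records the page's real origin in
    clientDataJSON; the signature covers authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32 bytes) + flags (UP bit set) + signCount
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(cred_secret: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying party: each rejection below is one a phisher cannot get past."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                      # wrong ceremony, or a replayed challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False                      # signed while on a lookalike site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest() or not auth_data[32] & 1:
        return False                      # wrong RP ID, or no user-presence check
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    """Constructed scenario: real login, phished login, relayed-and-edited login, replay."""
    secret = secrets.token_bytes(32)
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"   # constructed; issue a fresh one per login
    good = authenticator_sign(secret, EXPECTED_ORIGIN, challenge)
    phished = authenticator_sign(secret, "https://examp1e.com", challenge)  # lookalike origin
    relayed = dict(phished)               # attacker rewrites the origin before relaying it
    relayed["clientDataJSON"] = phished["clientDataJSON"].replace(b"examp1e", b"example")
    return {"legit": verify_assertion(secret, good, challenge),
            "phished": verify_assertion(secret, phished, challenge),
            "relayed": verify_assertion(secret, relayed, challenge),
            "replayed": verify_assertion(secret, good, "another-challenge")}
```

Only the assertion produced on the genuine origin with the current challenge verifies; the lookalike-origin one fails the origin check, the edited one fails the signature because the signature covers the hash of clientDataJSON, and the reused one fails the challenge check.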

I’m wary of enabling passkeys in Google because currently, although I have a password + MFA code set up, it insists on using YouTube on my phone (of all of Google’s apps) as the default second-factor method, and I cannot make it default to the regular 2FA authentication I have set up in Strongbox and iCloud Keychain; I have to select “Try another method”, which is very inconvenient.