Passkeys - Ready or Not?

Usually, at least for me, when Google wants you to use one of their apps for 2FA, any of their apps will work and display the prompt when you open the app (Gmail, Google app, YouTube app).

Except when they don’t! Probably because I’m using two different Google accounts for personal use and my work. As I don’t find this mechanism to be exactly reliable, I would love to set up a regular MFA code as the default mechanism, but I haven’t found a way to achieve this. Given this, that’s why I don’t want to confuse myself or Google even more with passkeys.

Every time I see a statement like this, I immediately append the word, “yet.” One thing I have learned over time is that people who are trying to get your credentials have a massive payoff for being able to do so. I believe that the passkeys standard has the best of intentions. But it would not shock me to discover in four or five years that it is possible for people to nefariously gain access to them.

This is actually a rather large thing in my business. Customers have accounts, and they need people like me to be able to get in and do things on their behalf. For example, a domain registration account. If they need to shuffle their DNS around, how many customers want to attempt that on their own? They call their web hosting company, or their IT person, and get them to do it. This involves sharing a password, because many websites do not have multi-user access. The more we lock things down to individual devices, the harder that stuff is.

I don’t doubt that, but passkeys are off to a slow start. passkeys.directory has 185 websites listed and there are roughly 200,000,000 active websites on the internet.

3 Likes

This is a somewhat unfair calculation. Among those 185 are Amazon, Microsoft, Apple, Google, TikTok, Snapchat, WhatsApp, Uber and other major services. Technically, at least 40+% of the web uses WordPress, and passkeys can easily be added to it. Hosted WP and WordPress.com already support passkeys; self-hosted passkeys support is currently available via plugins. Not every website needs to support passkeys; many don’t have any logins except for their admin logins, so the 200M number is pointless here as a comparison.

1 Like

There are around 1.1 billion websites on the internet; the 200 million active ones was the best number I could find.

I agree, every website does not need to support passkeys. Just the ones that each of us use. I currently have 113 logins in 1PW, 6 have passkeys, and 2 of those don’t ask for a passkey if you use their app.

The internet is slow to change. The standards for HTTPS were basically complete in 2007 but most websites didn’t even start to use them until 2012. The majority of the internet didn’t switch to HTTPS until Google Chrome started marking their websites as not secure around 2017. The BBC and several other major news sites didn’t drop plain HTTP until 2018.

I believe in the power of procrastination. I could be wrong.