My point is that "cannot say" is pure hyperbole. Your freedom to say whatever you want is not impinged, and my equivalent freedom to shun you based on what you say is similarly unimpinged.
Usually when people complain about what you "can't say", what they actually mean is they can't say whatever they like and still have people still employ / socialise / be nice to them.
Expressing opinions that others find disagreeable is not a protected class.
If you want to shun me for not loudly enough pronouncing how great some sort of special privileges for certain ostensibly oppressed classes is, or for not jumping enthusiastically enough though hoops referencing people with exactly the most woke-community prescribed terminology, then chances are I don't particularly to associate with you either. That's fine.
If you start telling lies about me online and try to incite a mob to threaten or harm me and the people who do opt to socialize with me (despite or maybe even because of my opinions), or organize mobs for PR damage to pressure my boss into taking away my livelihood, that is something quite beyond exercising your right to choose your associations.
Of course that would still not literally make me unable to pronounce my woke-taboo opinion, but it should nonetheless be obvious that trying to wreck my life is a disproportionate response merely to me not toeing the line you took it upon yourself to draw. What you "can't say" is almost always graded rather than absolute, but active hostility destroying months or years of a person's life is well into the territory that constitutes a real hindrance for freely expressing an opinion.
> If you start telling lies about me online and try to incite a mob to threaten or harm me and the people who do opt to socialize with me (despite or maybe even because of my opinions),
Both of these things are already well-litigated limits on speech. I.e. - it's already illegal.
> or organize mobs for PR damage to pressure my boss into taking away my livelihood, that is something quite beyond exercising your right to choose your associations.
Either your views are so taboo that most of society doesn't want anything to do with you if you express them, or they're mainstream enough that only some people don't want to associate with you. If it's the former, then yes, you might struggle to find a sympathetic employer and that warrants some introspection. If it's the latter, then you're hardly at risk of having your livelihood taken away.
The alternative is that I should be forced to employ someone who fundamentally disagrees with my right to exist (and perhaps owns lots of guns).
Paypal, as far as I can tell, doesn't even (intentionally) support passkeys. They refer to all WebAuthN credentials as "security keys" and remind me to "plug it in and touch it now" etc.
I'm honestly already glad that they didn't make their annoying browser fingerprinting rigorous enough to also block authentications and aren't requiring attestation.
Lots of criticism in the article, some of it valid, none of it constructive.
Sure, there's UX problems as we're still trying to figure out what good looks like here. But in the absence of specific, concrete suggestions about how we improve usability for unphishable credentials, it seems that passkeys are a pretty good go. Perfect? No. Better than passwords? Undoubtedly.
I don't think it's the responsibility of the author to make any constructive input to the passkey problem. The point of the article is to show the valid shortcomings of this technology that a bunch of companies are attempting to force on users.
My workaround to allow passkeys to be reasonably usable is to use my password manager, just like the author of this article. This makes passkeys essentially the same as passwords.
At no point am I tying account access to a device, or series of devices, as this is ridiculous and unusable.
Passkeys as encouraged by the big companies are all about vendor lock-in than security.
> I don't think it's the responsibility of the author to make any constructive input to the passkey problem.
Oh, it's not their responsibility, sure. But moaning about the UX without considering the trade-offs and decisions that got us to this point isn't very useful. Passkeys are badly implemented on some sites. So let's fix that.
> This makes passkeys essentially the same as passwords.
Passkeys in a password manager are fundamentally different to passwords. Try copying the passkey private key into your clipboard from your password manager.
> Passkeys as encouraged by the big companies are all about vendor lock-in than security.
The fact they prevent phishing is just a useful side-effect? This is veering into conspiracy theory territory.
It's not just some sites, the article goes into more detail than this, for example the biggest sticking point to me mentioned in the article is vendor and device lock-in. This is a recipe for getting locked out of your accounts and is far from a conspiracy theory. The only answer to this is create multiple passkeys on multiple devices/services OR use a password manager.
This is hardly the frictionless experience promised by passkeys. And it's perfectly valid to point this out. I don't care about the decisions and trade offs that got us to this point and not should I have to. If you want me to use a shitshow you designed the onus is on you to fix it, not me as the person you're attempting to force it onto.
> Passkeys are badly implemented on some sites. So let's fix that.
It's not the obligation of the Ars writer to fix that. It is their obligation to give the system a solid try and report honestly about what did and did not work.
> Try copying the passkey private key into your clipboard from your password manager.
Yeah, something that's roughly equivalent to that is coming. Used to be that you were not permitted to export key material. Now you can. This will erode further as real-world use continues.
Oh, wait. It looks like secured-only-by-a-password access to passkey private key material is already possible, today:
"Q: Are stored passkeys included in Bitwarden imports and exports?"
"A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release."
They want to share them across devices, sometimes even devices made by different vendors. They want to hand a passkey to a family member or friend. They want to not be concerned they will lose the passkey if the device they are on is lost. They want to understand what the passkey is actually doing for them when they log in, rather than it sometimes being both the username and password, sometimes just replacing the password, and sometimes becoming a sort of weird second factor thing. They want to know how they can change their passkey. The rollout of passkeys leaves a lot to be desired.
I don't disagree with you about the UX. It could be better. It could be worse. What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
> They want to share them across devices
I do this today on Bitwarden, Apple users do this today with Keychain. Who's the "they" here?
> sometimes even devices made by different vendors.
> they want to hand a passkey to a family member or friend
..... Why? What's the use case here?
Tying a credential to a single identity (and therefore, human) is another explicit design goal of webauthn. I seem to remember the original proposal was that locking a private key to a device in an unextractable, un-copyable way was an explicit benefit - if it can't be exported, then it can't be stolen/copied without the device also being stolen. This was softened with the purpose of allowing syncing amongst devices that already have a good story on sharing sensitive data, but this mechanism does not exist generically. There is no standard way, right now, that my iPad and Pixel device can share a private, sensitive piece of information without the help of a 3rd-party syncing provider. Without that, cross-platform credential sharing can't exist out of the box by default.
My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.
Tying a credential to a single human is exactly not something desirable for a subset of users. Some married couples essentially act as a single person in most contexts (e.g. sharing an email address and/or phone number), which kind of makes sense; legally (in many states) the point of getting married is that everything becomes shared. The goal is to reduce friction around who owns/has access to what.
The real world obviously has different constraints, but works basically in this way. e.g. if I go to drop off/pick up a prescription for my wife, I just tell them her name, not mine. We use credit cards with the other's name all the time. etc.
> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
> My wife and I share passwords fairly regularly. Usually in a context where one of us is busy and wants the other to log into something they set up (e.g. to pay a bill), so the entire point is to not spend a few minutes going through an enrollment flow or whatever to give the other access (otherwise they'd just do the task). We may also not be in the same location when things like that come up.
Mine too! We simply register multiple passkeys under the same "account" for a service and we can both log in as the same identity. Have I missed something? Why is this hard?
> Passwords, obviously.
Passkeys are trying to solve the phishing problem. I guess pretending that the problem doesn't exist is also some type of solution, but I don't think it's a very good one.
1. We don't set up accounts together. One just does it, and generally password sharing comes later at some inconvenient time (which is why they're asking the other person to deal with it). Until you can easily copy/send a passkey through an IM, they are less usable than passwords in important ways.
2. Passkeys don't even work on our desktop computer (Linux/Firefox), making them completely unusable.
I'm not pretending phishing doesn't exist, but for us, it creates problems while not solving any problem we have. I'm not really worried about phishing. Autofill and bookmarks already basically mitigate that for us. It's not like I'm going to click on a reddit link that takes me to "fidelity" and think "oh good idea I should check our brokerage".
> Passkeys are trying to solve the phishing problem.
They won't.
AIUI, their solution for this was to refuse to export the key material from its container. Now, they're allowing (or maybe "allowing") trusted third parties to copy that key material to back it up. I predict that within another couple of years, there will be a standard way for anyone to get that key material, which (from what I gather) makes their phishing-protection scheme no better than what password managers have been offering for a long time now.
EDIT: It looks like at least one major password manager will just export your passkey private keys wholesale. I guess this exciting future is here now. Details here: <https://news.ycombinator.com/item?id=42555371>
Tech support for relatives. Accessing accounts from different machines. Joint access for family members and friends. Emergency access when a phone or dongle breaks down or gets lost.
Tightly device-tied authentication mechanisms are fundamentally out of touch with the real world.
> > they want to hand a passkey to a family member or friend
> ..... Why? What's the use case here?
This is the problem, if you can't even imagine this case. Someone in their 70s who isn't great with computers would likely be very happy to share their password with a tech-savvy child who can do some things for them. Passwords make this really easy, and you can even register a second MFA that goes to the child's phone/TOTP.
You don't even need to be in your 70s or not tech-savvy. Password-sharing happens frequently between spouses, children/parents, friends and probably a lot of other cases.
> What's your proposal on what a better UX might look like (along with getting everyone to adopt it)?
The current passkey implementation is: Your google/apple/microsoft cloud account lets you log into websites without a password, using a 'keyring' of 'passkeys'
But we already had countless websites with a "log in with google" button, for users who want to authenticate using their cloud account, and skip entering a password.
So they could have just kept that... exactly how it was?
The analogy is similar to swiping your credit card versus using Apple Pay. With “login using Google/Apple”, you are submitting the username and password which could potentially be harvested by malware or a key logger. With passkey/Apple Pay, you are submitting a one time token that has no value in the Dark Web.
I had a tele-medicine visit scheduled regarding my son. When I logged in, it said I wasn't authorized. My wife had no problem. So she gave me her password. We both logged in as her. Everything was fine. I'm sure this was some record-keeping issue, but if we had been using passkeys, I just would not have been able to participate.
I mean I like them in theory but they should just be passwords you can't easily copy from your password manager. You can export them, which I'm sure someone will trick people into doing, but that's somewhat different from being tricked into pasting ul0vek1tt3ns into legitimateapple-support.info.
As for sharing passkeys: never grabbed a friend's Netflix account? Had to log into your kid's college application page to confirm your income? Sign up for an appointment for your elderly parents? This is a thing people actually need to do, and value more than avoiding being phished. Believe me. It's not worth abandoning for "ok there is a possibility someone can be phished if the key material isn't protected by a hardware key and three layers of DRM".
And why do they do it? What are they trying to achieve?
I'd guess that they most likely want multiple people to be able to access a single account. Passwords are forced to be shared because a password is typically implemented as a single credential - there's one valid password for that account.
This is .... not true for passkeys. If you want two people to access the same account, they both add passkeys to that account.
Sharing passwords happen because of a property of passwords. It's not some fundamental requirement that people have. What people want is shared access.
How do you bootstrap the system? Presumably your spouse/partner/friend and you use different computers? With 1password I can just share passkeys in the UI.
I just wanted a standard data exchange interface between my browser and my preferred password manager, so that my password manager didn't have to try to emulate a human being typing or pasting a password.
That way the password would only "live" in the password manager and wouldn't need to even be easily visible to me. I almost never care what the password actually is.
But it would still be a password so compatible with most sites as-is, and easily backed up and restored on new devices.
“Huh, wonder why that didn’t autofill this time.” Person copy/pastes password from manager into phishing site.
Browser extensions do not prevent copy/pasting, or typing in, passwords. In contrast, there is no way to copy/paste or type in a passkey if the phishing site fails the key check.
Now you might say that YOU have the discipline to never do this. And it might be true. But that’s not the same as saying autofill passwords are not phishable.
What stops the user pasting their password out of their password manager into a random evil site? Auto-fill isn't infallible.
This isn't a controversial topic, the data is pretty unambiguous. If you give humans a secret they can put in their clipboard and train them to enter it into text boxes, some fraction of them will send their credentials to the wrong people.
The same thing that stops the user from going through an account recovery flow to enroll an attacker's key. Such flows are of course more necessary in a world where you can easily lose/damage the only place where your keys are stored.
We're not aiming for "perfect", we're just trying to make some progress on the phishing problem.
The irony here is that many of the complaints in this thread seem to be complaining about how imperfect passkeys are. No-one disagrees that they're imperfect!
Yes, and passkeys generally help. But your concern upthread was that any mechanism that lets users share or export passkeys (or other authentication material, such as passwords) allows a user to be phished. Basically, the very fact that this is somehow accessible means a user can be tricked into disclosing it. This is correct, but my point is that perfection in that area necessarily means that a lot of things that are useful (some of which have been shared in sibling threads) are now impossible. So we should not actually aim for perfection on phishing, but just to make improvements where possible.
This. In other words, password managers have all the benefits and none of the drawbacks of passkeys. And passkeys require a password manager anyway, so why are we trying to switch?
It's both. Most of those vendors have ways to backup those keys securely to same vendor backup product. But they won't let you export them via a wrap or whatever.
It functions both as a security feature and a vendor lock in.
It's absolutely vendor lock-in, first and foremost. It happens to align with security.
I did a project 10 years ago to sign firmware for embedded devices w/ a planned 25 year product life. I spoke with two different HSM vendors. Both said the Customer would be able to backup and transfer keys from one HSM to another. Both also said that was applicable within their products only. There was no mechanism to switch to another HSM vendor (and neither offered a contingency to get the keys out if the vendor ceased business operations).
> In April 2023, IANA became aware of the decision by the manufacturer of the Keyper PLUS
HSM – the equipment used to store private key materials for the Root Zone KSK – to cease its
production of the device. Furthermore, the manufacturer will offer no successor product.
That's ridiculous.
There should be a standards-based protocol to transfer key material between HSMs. It should be tied to physical access using physical tokens. Make the protocol baroque and difficult. Heck, even make it a requirement the source HSM has to to be physically destroyed to complete the process (to prevent "cloning" attacks).
For USB authentication keys this level of cloak-and-dagger LARPing is stupid. There should be a method to export and encrypted copy of the contents of my USB token and, worst case, import it into another token manufactured by the same provider. ("But cloning!" Fine-- tie it to registering the token with the manufacturer along with real-world identity verification. Make it a premium service with an associated cost, if that's what it takes.)
Passkey is just a fancy brand/marketing name for a specific mode of webauthn (resident).
Saying that "WebAuthn was much more public, but passkey was not." shows that you don't really have a clear and accurate mental model of what passkeys are. Maybe TFA might help?
I think Apple deliberately don't add any attestation data in their implementation, precisely to stop services detecting (and filtering) on the fact that it's an apple-made authenticator.
I'm not sure if that's the only reason: Notably, they used to support attestation back when they didn't synchronize passkeys via iCloud Keychain, as did Google for Android.
They basically had two choices once they did introduce synchronization: Keep attestations around, but specifically mark synchronized credentials as "not strongly device-bound" (and risk existing relying parties not looking for that flag and drawing incorrect conclusions from receiving such an attestation statement), or get rid of it entirely.
I suspect that they opted for the latter mostly because it would require a lot of work with the FIDO and WebAuthN working groups to introduce that mechanism, not out of a selfless desire to avoid a future "big tech lock-in" (where everybody allows exactly Apple and Google passkeys, but nothing else), but I could definitely see the latter consideration also playing a role.
Agree, but people often miss that there's two different use cases here, with different requirements.
"2 days from now" could either mean "after 2*86400 seconds have ticked" or it could mean "when the wall clock looks like it does now, after 2 sunset events". These are not the same thing.
The intent of the thing demanding a future event matters. So you can have the right software abstractions all you like and people will still use the wrong thing.
The problem is that programmers are human, and humans don't reason in monotonic counters :)
One might also recall the late Gregory Bateson's reiteration that "number and quantity are not the same thing - you can have 5 oranges but you can never have 5 gallons of water" [0]
Seconds are numbers; calendrical units are quantities.
[0] Bateson was, in some ways, anticipating the divide between the digital and analog worlds.
> "2 days from now" could either mean "after 2*86400 seconds have ticked" or it could mean "when the wall clock looks like it does now, after 2 sunset events". These are not the same thing.
Which is why you need some means to specify which one you want from the library that converts from the monotonic counter to calendar dates.
Anyone who tries to address the distinction by molesting the monotonic counter is doing it wrong.
> I don't give a fuck if other people can't manage secure passwords.
Sure you do. When your local tax office / hospital / large data holder of your personal data has an administrative interface that only uses passwords, then the administrator gets fished and your identity stolen, suddenly you care a great deal.
That seems like a separate problem, since no authentication mechanism can somehow force a competence floor onto your local government office. Even if passkeys become the industry standard (or even required by law) your local government office will always rise to the challenge to lose your data, leak your data, sell your data, etc.
Phishing isn't a competence issue. This is well studied. In practice, even security practitioners trained to be vigilant against phishing attacks fall to targeted ("spear") phishing attacks of suitable sophistication; that's the impetus behind phishing-proof authenticators like U2F and WebAuthn.
I work in the security space and fell victim to an internal campaign as they sent a very enticing looking email at a point where I was on leave and my grandfather just passed.
You simply cannot know what mindset youll be in when you get phished :)
Edit: To clarify i was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didnt want to cancel leave though because my output would have been absolutely turdy
Problem is that passkeys aren't resilient enough to loss of the authenticator device, which means a fallback flow is always made available, that is vulnerable to phishing/MITM/social engineering.
This is even more pronounced thanks to the efforts to roll out passkeys to the masses. Most of them don't understand what they're getting into and are most likely gonna get themselves locked out quite quickly, which may mean recovery flows need to actually become more relaxed than they currently are.
I'm not interested in litigating the broader question of Passkey-only login setups, only in spelling out why the field cares so much about phishing-resistant authenticators, which password managers and random passwords do not provide.
Can confirm, I know all about cryptography and security and the things, and I still got phished for a bunch of cryptocurrency. The only thing that saved me is that it was in a hardware wallet, so it was physically impossible to steal. Otherwise I was ready to happily paste my private key into the (official-looking) form and domain.
Ah you got me, though I don't think it changes that much.
Even with an online 'form' (presumably a phishing page) I don't understand why anyone would ever upload private keys for their wallets.
In the case of exchanges, users typically don't get access to the private key for the wallets anyway, so pretending to be an exchange to phish for something the victim can't even provide wouldn't make sense.
In the case of a local wallet, the whole purpose is personal ownership of the coins—which obviously becomes moot when sending the private key to some random person—so I don't see why a user would upload them in this circumstance either.
Though yes, the situation is certainly more understandable than GP posting private keys to an online 'forum' ;)
There's overwhelming empirical and anecdata evidence people make mistakes and fall for phishing. If that doesn't change your mind that much, it's not obvious what reasonably could.
Keys can be symmetric or asymmetric depending on the algorithm.
From the standpoint of a non-technical user, they're not any different in nature; a password and a private key are both just strings that give full access to your account. One is easier to remember (password), one is harder to remember (key). The one that is harder to remember usually ends up in a Google doc, iCloud, or saved as a text file.
Most implementations throw about 20 "recovery codes" at you and at the absolute fucking worst possible moment while the user is trying to do something urgent, they say "save these in a secure place right now".
It's not 1, but 20 passwords that ALL give access to your account. Where do you think those codes go?
They are not only phishable, but they usually end up in a Google doc, screenshotted and pasted to Notion, or some other insecure place.
Freedom of association is a thing.