by lkurtz on 12/5/23, 6:51 PM with 9 comments
by jiayo on 12/5/23, 8:00 PM
Neither Google nor 1Password had any way to distinguish which key was which. There's no export functionality (yes, I understand this is by design). There are no (user-facing) key IDs. So, my choices were: accept that I have two passkeys and never know which is which; risk deleting one or the other; or abandon the whole notion and go back to hardware 2FA.
This doesn't even get into the mess of:

* browser-based passkeys: what if I switch computers or phones? Now I have the "YubiKey problem (have 3 so you can safely lose 1)" for every single device I own.
* hardware security tokens (YubiKey): in the case of Google, they aren't accepted as a "sign-in" passkey, only a "verification" passkey. However, a browser passkey is accepted. Do I need hardware 2FA? Do I need a password? I have no idea.
Let's be clear. There are absolutely solutions to all of the above. I am certain I made bad assumptions or mistakes here. But I also have been using computers with a bent towards security for my entire life. If I can't get this right, how is the average user being pushed to go "passwordless" on eBay going to deal with this mess in 3 years?
If you're a company considering implementing this, I'd be taking a very hard look at the ongoing support costs dealing with confused and panicked users locked out of their accounts.
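The "no user-facing key IDs" complaint above is a product decision, not a protocol limitation: every WebAuthn registration response carries a credential ID and the authenticator's AAGUID inside the authenticator data, and a relying party can store both and use them to label each passkey on an account page. The block below, added here as an illustration and not code from the thread, from Google or from 1Password, parses that fixed layout (WebAuthn section 6.1) and turns it into a label. The relying party ID, AAGUID, credential ID, COSE key bytes and the AAGUID-to-vendor table are all constructed for the example.

```python
"""Added example: pull the per-credential identifiers out of WebAuthn
authenticator data so a relying party can tell the user which passkey
is which.  All sample values below are constructed, not captured."""
import hashlib
import struct
import uuid

# Flag bits in the authenticator data "flags" byte (WebAuthn section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows the COSE key


def rp_id_hash(rp_id: str) -> str:
    """Hex SHA-256 of the RP ID, the first 32 bytes of authenticator data."""
    return hashlib.sha256(rp_id.encode()).hexdigest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Layout: rpIdHash(32) | flags(1) | signCount(4) |
    [aaguid(16) | credIdLen(2) | credId | cosePublicKey(CBOR)] | [extensions].
    Returns the fields an RP needs to identify and label a credential."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    result = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "aaguid": None,
        "credential_id": None,
        "credential_public_key": None,
    }
    if flags & FLAG_ED:
        # Splitting the COSE key from the extensions needs a CBOR decoder,
        # which this example deliberately leaves out.
        raise ValueError("extension data not supported by this parser")
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = auth_data[37:53]
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential id truncated")
        result["aaguid"] = str(uuid.UUID(bytes=aaguid))
        result["credential_id"] = cred_id.hex()
        # Everything after the credential id is the COSE public key (CBOR map);
        # it is kept as raw bytes here rather than decoded.
        result["credential_public_key"] = auth_data[55 + cred_id_len:].hex()
    return result


def build_sample_auth_data(rp_id: str, aaguid: bytes, cred_id: bytes,
                           cose_key: bytes, sign_count: int = 0) -> bytes:
    """Assemble authenticator data with UP, UV and AT set (constructed input)."""
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key)


def label_credential(parsed: dict, known_aaguids: dict) -> str:
    """Human-readable label for an account's 'your passkeys' page.
    known_aaguids maps AAGUID string -> vendor/model name (e.g. from FIDO MDS)."""
    vendor = known_aaguids.get(parsed["aaguid"], "unknown authenticator")
    return f"{vendor} (credential {parsed['credential_id'][:8]}...)"


# Constructed sample values; the AAGUID and vendor table are made up.
SAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_CRED_ID = bytes(range(1, 21))  # 20-byte credential id
SAMPLE_COSE_KEY = bytes.fromhex("a5010203262001")  # stand-in for a COSE key
SAMPLE_AUTH_DATA = build_sample_auth_data("example.com", SAMPLE_AAGUID,
                                          SAMPLE_CRED_ID, SAMPLE_COSE_KEY, 7)
SAMPLE_VENDORS = {"00112233-4455-6677-8899-aabbccddeeff": "Example Passkey Provider"}

if __name__ == "__main__":
    parsed = parse_authenticator_data(SAMPLE_AUTH_DATA)
    print(parsed)
    print(label_credential(parsed, SAMPLE_VENDORS))
```

Two passkeys registered with the same provider will share an AAGUID but never a credential ID, so an RP that stores both (plus creation and last-used timestamps) can show "Example Passkey Provider, created 2023-12-05, last used today" instead of two indistinguishable entries. The AAGUID is only as trustworthy as the attestation behind it; without verifying attestation it is a label, not a security control.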
by crossroadsguy on 12/6/23, 1:28 AM
For an end user — beyond the technical bells and whistles — it's kind of the same as Sign in with Apple ID, isn't it? Or Sign in with Google. Right?
Besides, this is going to create huge lock-ins and dependencies, I am afraid. And that part of it looks bleak: all the mega corps are pushing it and none of them are known for "openness". They want to get as many of us as possible into their yards, and then things will start to get less open very soon.
I mean, if I have a passkey on Apple and I am on a device that's not Apple, I am not really sure how that'll work, and I may not be able to access my account, or not easily.