FRESH

Hacker News

Home

Yep, Passkeys Still Have Problems

185 points by todsacerdoti

by dfabulich

5 subcomments

The author still has one last misconception about passkeys, namely that if you lose a passkey, you have "no recourse."
People wrongly think passkeys are like Bitcoin wallets, where losing them means there's absolutely nothing you can do, your account is simply lost forever.
Losing a passkey is exactly like losing your password, which is to say, that for 99% of services, you can reset your password/passkey really easily. There's a prominent "Reset Password" button right on the login form. It sends you an email or an SMS, you click it, and it lets you reset right then and there. You can reset your passkey in exactly the same way.
It is not that easy to reset if you lose your password to your Apple, Google, Facebook, etc. They all have a bunch of factors that they use to authenticate you if you reset your password, and they don't even document which ones they use.
So, if you care about those accounts, you've got to make sure you have backup access. They all let you generate and print "backup codes" (emergency passwords) and store them in a fireproof safe or a literal bank vault. Do that!
As everybody knows, you can't store all of your passwords in a password manager. You need something outside of the password manager to login to the manager itself. That's why 1Password/LastPass is called that; you still need one last password that you keep and manage yourself.
That's true of passkeys, too. You can login to Google with passkey, but if Google is your password manager that stores your passkey, you need something else outside of Google's password manager to login to Google. Whether it's a password, a backup code, a YubiKey, whatever, you need one more thing to login to Google, ideally more than one, so you can back it up and keep it safe.

by shantara

1 subcomments

Vendor lock-in a serious concern. Just reading through this KeePass issue again and seeing how much pressure the industry is trying to exert to prevent the users from being able to export their own private keys should be concerning. I come back to this discussion every time I see someone arguing in favor of passkey adoption.
>The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers
https://github.com/keepassxreboot/keepassxc/issues/10407

by kemotep

4 subcomments

2 things about passkeys I wish would be fixed.
1. Passkey prompts asking if I want to use a phone or security key when I only have one (or neither!) registered. The UI for this gets in the way and should only ever present itself if I happen to have both kinds of devices registered.
2. Passkeys should have had the portability and flexibility that ssh keys have from the start. Making it so your grandparents can use public key cryptography and gain a significant advantage in securing their accounts in a user friendly manner should have been the priority. Seems like vendor lock-in was the goal from the start.

by alyandon

2 subcomments

I'm a bit of a curmudgeon about this.
Until service providers are no longer allowed to:
```
  1) force the type of passkey stores used (e.g. hardware vs software) when I am providing the passkey store
  2) force me to MFA (e.g. forcing touch ID, entering pin or unlock password, etc) when attempting to use a passkey
```
I'll continue to stick to plain old boring password + TOTP. I fully understand the security trade-offs like phishing resistance but password + TOTP is secure enough for me.

by secabeen

5 subcomments

The "Vendors Can Lock You Out" part is what makes passkeys entirely a non-starter for me. Especially the additional risk when someone passes away and the heirs are trying to get access to the deceased's accounts. Vendors are well known for saying "we had an agreement with Samantha, and with her death, that agreement has terminated, and no one can be given access that was not pre-designated."

by voidfunc

0 subcomment

Passkey just suck, end of story. The UX for them is so bad. I have no idea how many active pass keys I have. I just have to trust the provider knows what they're doing. Sometimes my authenticator app seems to forget my pass keys which is even more annoying.
Stop the insanity.

by jqpabc123

1 subcomments

So in other words, Passkeys are over engineered and simply too complicated for most users.
Succumbing to lock-in can smooth some (but not all) rough edges and creates it's own restrictions and risks.
TOTP for the win --- it's the simpler practical alternative.

by arjie

1 subcomments

Password + TOTP have served me well so far. To port from device to device I just need to log into my Bitwarden account. It is unclear to me what device loss would do to a passkey and the passkey never communicates that information to me. If I set up a passkey on my iPhone, the site prompts me on my Linux desktop. I understand it's fine for people who use single platforms for everything. But as far as I can tell there is no advantage over Password + TOTP. I really hope Passkeys don't become mandatory. I only use them for sites I don't care about or when I've accidentally said yes to setting one up.

by rekabis

2 subcomments

I have been working with computers since 82, on the Internet since 88, on the web since 92 and in the IT industry since 97.
I have yet to see any solid, significant evidence that passkeys are materially more secure than a random 32-character password + TOTP 2FA.
If a site or app refuses to let me create my own login and forces me to use a provider, I’m not going to be a customer under any circumstances.
If a site or app refuses to let me use a password+TOTP combination (as in, it forces passkeys), I am similarly out.
That’s not to say I don’t use passkeys. I have them on my Microsoft accounts, for one. But that is only after I have fully set up the account, and that the account plays very nice with the Microsoft Authenticator app, even going so far as to do challenge-response auth in coordination with the app, and plumping TOTP up to 8 characters.
Will I switch to passkeys elsewhere? Not for some time to come. My passwords make use of the entire two-byte UTF-8 character set, in that less than ½ of all characters typically generated can be found on a U.S. keyboard. So long as websites don’t restrict password length to moronically short values, a 32-character password with 2,048 possibilities for every character ought to be reasonably difficult to crack.
And then, of course, comes TOTP 2FA.

by Mindwipe

4 subcomments

Really great article.
I also think there's still an enormous ignorance from passkey devs that lots of people want to occasionally log into personal services from locked down corporate machines, and the flow to deal this is at best terrible but more often non-existent, and developers with typically enhanced privileges just aren't able to conceive how difficult this is.

by eddyg

4 subcomments

Passkeys are fantastic for the vast majority of the population. They solve oodles of problems. No more teaching ${FAMILY_MEMBER} about good passwords, password re-use, trying to explain how to use a password manager, etc. Instead: create passkey, done. Then it's seamless login whether they're on their computer, phone or tablet.
As a tech-savvy user fully aware of the underlying machinations involved with passkeys, I greatly prefer their simple, fast login experience over: username submit password submit TOTP submit, and especially over the much-worse "we've emailed you a code" login slog.

by 0x457

2 subcomments

Everyone pretends that you're force to only have 1 passkey. I use 3 "passkey managers": Passwords.app, Bitwarden, YubiKey hardware key. I usually add all 3 or just two (skipping YubiKey).
On Apple devices I get neat experience out of the box, on Linux (+Firefox) I forced to use Bitwarden because Mozilla is being Mozilla.
Never had any issues ever with passkeys.

by kouru225

0 subcomment

One thing I genuinely hate about modern tech is that it punishes you for planning ahead. I purposely spent time getting a password manager and implementing 2fa protocols that would both speed up my time and keep me safe. Then suddenly every company decided it was time to go passwordless or do passkeys and all my work (researching different products, setting each one up, making sure hey work on all my devices, etc etc) suddenly goes down the drain

by pabs3

0 subcomment

Hmm, does not mention that you can't use Passkeys if you don't have JavaScript enabled.

by fusslo

2 subcomments

I feel like a boomer.
I dont want to use google/apple/microsoft for any credential manager because: google is evil; apple has locked me out of my apple id (and lost things like the recordings of conversations with my father during his hospice); microsoft keeps getting worse and more annoying to use.
So ok, I need some credential manager. I used keepass previously... but how do I vet other credential managers? I dont want an online backup. I want my credentials to only be on my computers. So now I gotta learn about which apps are ok, don't have cloud synching, can export files, and be compatible with MacOS.
And I have to learn what is FIDO? Like FICO? why do I need to synch with FIDO? what is it? will it give my credential store to others?
How is this easier or more convenient than a user/pass with 2fa?
I feel like I am going to accidentally leak my credentials and have no way of knowing

by polalavik

2 subcomments

Passkeys need a marketing campaign and UX overhaul.
I’m a technical guy, but I really don’t understand what the fuck is going on when I use a passkey. All I know is one day it appeared as an option and it let me login to things. I don’t really understand where it lives, what device it’s tied to, how scanning a QR code on Google Chrome on my phone magically logs me in, etc etc.
The user was not educated on this. Hacker News is the top 1% of computer power users. You gotta understand to someone’s grandma or mom or brother who works in real estate none of this makes any sense nor will they educate themselves on what it is.

by 1970-01-01

0 subcomment

Totally agree with this. Passkeys are a solution but not the sole solution. There is absolutely a misconception for seeing them as newest and therefore the best choice.

by quantummagic

1 subcomments

It's not really passkeys that are the problem, it's trusting your passkey to a third-party. But this is still a minor part of the market today, a much bigger problem to warn people about is the "log in with your google/facebook/etc account". Where you're handing everything over to a third-party as well, because it's so easy and convenient.
Passkeys, stored in Bitwarden, give a lot of the same convenience, but without the vendor lock-in. We shouldn't be scaring people away from passkeys, when commonly used alternatives are much worse.

0 subcomment

by inerte

1 subcomments

I update a spreadsheet with all my accounts and money and their values so I know my net worth and its changes, and oh boy every month getting these numbers is such a chore.
Since it's been a few days, sometimes I am logged out of either bank/traders and also the password manager.
So it's open the bank site, click on login/password, password manager browser extension asks to login. Type password manager password. It asks for 2FA. Unlock phone with face. Find app, open app, unlock app with face. Approve password manager login. Click on bank login/password again. I am in! No, bank wants to 2FA with mobile. Unlock phone with face. Open bank mobile app, unlock with face. Get code or approve login. Back to computer, type code or click approve.
Repeat that 12 times for all the accounts, and by the end of it I have neck pain with all the "pick up phone to face unlock" motions.
I am a bit paranoid so I turn on 2FA and passkeys and whatnot, but all of this makes me want to use `123password` everywhere and never change it.

by emadda

0 subcomment

Related: I released a hosted sign in page for passkey auth today.
Take a look:
https://passkeybot.com

by commandersaki

0 subcomment

Passkey is a great avenue for hackers because they represent an optional authentication mechanism that users overloook.

by cheeseburgerz

1 subcomments

I'm tired, boss.

by stalfosknight

1 subcomments

Passkeys are a completely seamless experience on Apple platforms in my experience so far.

by everfrustrated

2 subcomments

The biggest problem I have with passkeys is being tied to a single device you still need a flow to reset/get in _without_ the passkey. As you're only as secure as your weakest link passkeys don't add any security.
That said, if you have a mac with a fingerprint scanner they sure are very convenient option.
And don't get me started on terrible vendors like Rippling that only support a single passkey! Madness.

by bakies

0 subcomment

starting to really hate these, regret ever using one

by andrewmcwatters

2 subcomments

I don't care what you other people in auth do, I work in auth too, please stop making signing into anything 5 steps.
1. First I get redirected to a special sign-in page.
2. Then I sign-in with my email only.
3. Then it finally asks me for a password, even for services that would never reasonably use SSO or have another post-email receive process.
4. Then I get redirected again to enter 2fa.
5. Then these websites ask if I want to create a passkey. No, I never want to create a passkey, and you keep asking me anyway.
6. Then, and only then, do I get to finally go back to using the service I wanted, and by then, you've lost whatever my `?originalUrl=` was, and I have to find it again.
No, don't send me a magic link. Because then I have to go do 4 more steps with Gmail or another mailbox provider and now signing in has become 10 or more steps.
No, don't tell me getting rid of passwords will help most of the population, and then force all of us to do the above, and blatantly lie to us that it's better.
Stop it. Get some help.

by jason_s

3 subcomments

Please don't use fixed-width fonts to write text. Please use fixed-width fonts to write code.