by fleddr 1341 days ago
I'm noticing very little discussion about the user aspect, and I say that with non-savvy users in mind. I run a mid-sized web app/community where I've been supporting such users for a long time.

Right now, I offer a classic login, and a few social providers. You'd think this is straightforward to support, but about 70% of support requests consists of the endless ways in which users can mess this up.

"Can't get in"

Try recover password. Email didn't come. Because they entered the wrong email. Correct email this time. No wait, think I signed up with a social account, not sure which one, have many. Login worked. Wait now it doesn't again (saved browser password did not update).

This is just the tip of the iceberg. This new solution, whatever merit it has, is going to be additive. It won't replace anything, it's yet another way to log in, if at all, as it depends on websites implementing it and about 90% of the web is basically not maintained.

So it's only adding complexity/confusion specifically to these users, which I consider to be the vast majority. In turn leading to more support headaches.


The flip side is that it’s incredibly easy to use, faster, and means you don’t have to worry about forgotten passwords or phishing. It’s like an order of magnitude faster than less secure MFA options, too.
Well, no, it isn't. Clearly you don't do old people tech support.

Passkey? What's that? New word thus meaning unclear.

Doesn't seem to ask for an actual pass-anything, so more confusion.

No email identifier or thing to remember. How can I now log on at my other device?

With a QR code? What on earth is that?

> Well, no, it isn't. Clearly you don't do old people tech support.

Actually, I do — in fact the largest system I work on supports predominantly older people with disabilities. I would strongly suggest that you consider whether your assessment of the relative difficulty levels is skewed by familiarity with the existing problems with password systems.

> No email identifier or thing to remember. How can I now log on at my other device?

> With a QR code? What on earth is that?

You still use your email address. This replaces passwords, not SSO, and QR codes are only used in some cases for some implementations where you might have restrictions on things like network connectivity. Try the demo here:

https://www.passkeys.io

Here's the signup process:

1. Enter your email address

2. Select the option to use a token

3. Approve your device's prompt (on iOS, this is a system dialog which explains that it's stored on all of your devices using iCloud Keychain and the site owner doesn't get any of your PII)

Note what's not there: picking a secure password, setting up MFA, remembering that password, and entering it reliably every time. You also can't get phished, which seems like something a lot of people would like.

We're familiar with the friction around passwords but consider how many hours a day humanity spends creating passwords, resetting them, dealing with typos, etc. If you support older people or especially those with disabilities, that process is a lot harder. For example, entering a password over a screen reader which meets most sites' complexity requirements is terrible. Most non-WebAuthn forms of MFA are pretty painful that way, too, because they require someone to switch apps, copy/paste or remember a code, switch back, etc. before it times out.

This won't be perfect on day one, I'm sure, but it's already easier and faster to use and that's only going to continue because now the system can be improved by the browser vendor rather than needing every site to agree on improvements.
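As an added illustration of the "can't get phished" point in the comment above (my own example, not code from the thread or from passkeys.io): in WebAuthn the browser, not the web page, writes the origin into clientDataJSON, and the relying party rejects any registration whose origin or challenge does not match what it issued. The origin https://www.passkeys.io and the challenge bytes here are constructed sample values, and a real verifier also checks the signed authenticator data, which this snippet leaves out.

```python
import base64
import hmac
import json
from typing import Tuple

# Constructed sample value: the relying party's own origin (not a real deployment).
RP_ORIGIN = "https://www.passkeys.io"


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes, ceremony: str = "webauthn.create") -> str:
    """Stand-in for what the browser returns: it fills in the origin itself, so a
    page on a look-alike domain cannot claim to be the real site."""
    payload = {"type": ceremony, "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str, ceremony: str = "webauthn.create") -> Tuple[bool, str]:
    """Relying-party checks on clientDataJSON: ceremony type, challenge, and origin.
    The origin check is what makes the credential phishing-resistant: the user
    may be fooled by a look-alike page, but the browser-written origin is not."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
        if not isinstance(data, dict):
            return False, "clientDataJSON is not a JSON object"
        received_challenge = b64url_decode(data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "clientDataJSON is malformed"
    if data.get("type") != ceremony:
        return False, f"unexpected ceremony type {data.get('type')!r}"
    # Constant-time compare; a mismatch means a stale or replayed request.
    if not hmac.compare_digest(received_challenge, expected_challenge):
        return False, "challenge mismatch (stale or replayed request)"
    if data.get("origin") != expected_origin:
        return False, f"origin {data.get('origin')!r} is not {expected_origin!r}"
    return True, "ok"
```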