[NikolaNovak]

>>So, how do you reset your password when you forget it? Well, it depends.

But I don't! I can write a password in any amount of low and high tech ways! I have them printed on paper in safe deposit box (my wife is bad with passwords, so this is safety if I should perish:), I have them in a password manager on USB sticks at home in a safe, I have them copied on my NAS and laptop and so on.

Whereas passkeys, it seems from everywhere I read to be far more fragile, far more locked in to specific perishable hardware device and a specific vendor ecosystem, and very limited or no ways to handle passkeys in a low tech way or as a file/artifact to be backed up. Basically they assume I live on and with my phone.

To put it bluntly:

Passwords are something I can use if I show up naked at a stranger's house. They can be with me in and through an emergency (physical emergencies exist! Computer geeks forget about those!). Or more commonly, I can use them to check my email or comms if I forget my phone at a friend's house.

Passkeys are... strictly worse?

[stavros]

You can do this with Passkeys. You can write your Passkey down on a post-it, or memorize it and cross the border with it, or anything you want.

This thread has urged me to write a post clarifying some of the misconceptions I always see:

https://www.stavros.io/posts/clearing-up-some-passkeys-misco...

[derbOac]

That was helpful but there's a difference between "possible" and "feasible in practice for the vast majority of users". Eg, you can theoretically develop your own passkey device as you say, but that doesn't mean most people can.

I'm not sure I really prefer passkeys less than passwords but I do think some of the "misconceptions" aren't really misconceptions, but realistic concerns about what happens in practice. It might be better to be up front about these than dismissive, because that's where the problems in practice develop.

[stavros]

But you don't need most people to develop their own Passkey device any more than you need most people to make a phone.

A company will make it, vote with your wallet and buy the one that suits you.

I'm looking forward to BitWarden supporting Passkeys, for example, as that's my preferred way of using them.

[zamadatix]

If I have an iPhone, Mac, Windows PC, and Android Tablet I want to know and talk about what I can do with Passkeys, not what could theoretically be done. After all, I'm not looking at Passkeys for an academic exercise. I'm actually looking to see how feasible it is for me to use Passkeys to replace my passwords today.

If that means "install BitWarden on all of your devices. The devices will work with it and you can backup/export your key locally" that's fantastic, I'd love to see a guide on how to get that going on all of my devices. However, if that means "according to the standards, something like a BitWarden could do what you want it to do, if they built it, allowed export, and the devices all allowed integration. Alternatively, you replace your devices with ones that do." then I really don't care what the theory says could be done, Passkeys cannot actually replace my use of passwords at the moment.

[stavros]

That's up to you, but "that isn't possible yet with this two-month-old technology" is very different from "that isn't possible".

[zamadatix]

Well, that's my point. People are referring to what is possible today but your "misconceptions" are responses to what could be possible in the future.

[perryizgr8]

> You can do this with Passkeys.

Maybe in theory. In practice, I couldn't even look at the passkey Google has created on my android phone. So you absolutely cannot write it down.

[stavros]

If you don't like Google's implementation, you should use another one. It doesn't make much sense to say "I can't do X with my thing, therefore I can't do it with anything".

The fact remains that, if you want a Passkey you can write down, you can do that.

[perryizgr8]

> If you don't like Google's implementation, you should use another one.

Once more, maybe this is possible in theory. In reality, I can't find any way to use apple's passkey implementation on my android phone.

[stavros]

Can you point me to a site? I've had no issue using Google's Passkeys without actually using a Passkey.

[masfuerte]

That's really helpful. Do you know of an open source passkey client?

[stavros]

Someone has linked a few implementations in the thread here:

https://news.ycombinator.com/item?id=36238001

[brookst]

Thank you. It is disheartening that so many HN readers would rather imagine how passkeys work, and freak out at their own imaginings, than just learn the real thing.

[NikolaNovak]

Somewhat fair criticism, but also somewhat unfair. A lot of us are trying to read up and understand, and so we post questions in forums like these with knowledgeable folks, in hopes to enhance our understanding and reduce our concern.

One counter point though is that... if there is a new lifesaving technology, and even the somewhat IT literate / somewhat geeky / folks who WANT to understand it, are struggling... it may not be as simple and easy and safe. If I ask "how do I backup my passwords", I'll have 10 million folks answer "use a password manager, backup the file". When I ask similar questions with passkeys, the breadth,inconsistency and complexity of answers is as insightful as it is worrisome.

[brookst]

No complaints with questions, but many of the questions are in the form of assertions that are incorrect.

"Does that mean that passkeys can't be shared between users or devices?" is a 100% reasonable question.

"Passkeys are a step backward because they can't be shared between users or devices" is not really a question, it's an opinion based on imagination.

And passwords are just as complex. How do you securely share a login with another user?

Yes, there's complexity, but it's complexity born of a change in paradigm. The actual new thing is either equally simple or simpler than traditional passwords, once you factor in scenarios like backup, transfer, multi-device sync, sharing, etc. It's just different.

[stavros]

Yep, that's what frustrates me as well, especially for a technology that will be a massive gift to both security and usability.

[barbazoo]

Have a look around this thread. Lots of smart people having difficulties figuring out how this works. This is a bad sign. It shouldn't be this hard to figure out the basics.

[brookst]

> It shouldn't be this hard to figure out the basics

Why not? There are lots of great things in the world that are easy and a joy to use, but fairly challenging to learn the technical details of. The electricity grid, airplanes, microwave ovens, you name it. Tons of straightforward user experiences that take some work to understand.

[stavros]

I don't see people having trouble grasping the technical specifics, I see a lot of people having knee-jerk reactions and reacting to their own assumptions of how Passkeys work.

[eep_social]

Because you are a) not explaining as well as you seem to believe and b) reacting with hostility and snobbery when you are called out on that fact.