[klabb3]

Agreed it’s partially an education problem. But it has no more inherent UX complexity than passwords, at least not on the happy paths. People are already used to having say boarding passes in their “wallet” apps, so device-specific isn’t that hard to grok. In modern countries, you also have strong authentication systems for banking and government errands etc, which are used by millions of regular people every day without issue, despite spooky public keys lurking underneath.

I worry much more about the account recovery UX and issues. If you lose your phone, how to replace it? Is that replacement path a prime target for attackers? I’d argue key distribution (issuing, rotating, revoking, multi-device) is where almost all the subtle pitfalls are.

[XorNot]

But the happy path is irrelevant. If everything worked all the time, then it would work - the question of whether something is good is how it does when that's not the case.

Passkeys have a lot of questions in that regard. A password is simple: "keep this secret and only give it to the person it's for". You can read it, you can write it down, the rules of how it is distributed are obvious if not secure.

Passkeys on the other hand are already not being explained: "keep this secret. Then, your device will magically use it somewhere else. But actually we keep it in the secure element, Also sometimes you can't move it to other devices. Also sometimes the part we send won't work if we send it to the wrong person, or if it's intercepted..."

Of these, the part I really worry about is the synchronization one: everything about passkeys is being structured for corporate lock in. Because the ability to manage them like passwords is not front and center, it's being treated as an after thought. "We'll handle synchronization eventually or "oh, well it'll be on your other iCloud-connected devices..."

If I want to take an offline backup? If I want to write something down or print something out to cram that passkey onto another device, can I? Or is there an additional factor there which is empowering the service to decide if I'm allowed to do that?

[klabb3]

> But the happy path is irrelevant.

Too strong of a statement imo. The password happy path is still a lot of friction every time you sign in, which is why everyone except banks sets their refresh cookie expiry to months or years. Not great, cookies don’t even live in the secure element. But if you torture people with typing passwords every day they won’t come back unless they have to.

> A password is simple: "keep this secret and only give it to the person it's for".

You’re missing the recovery path. That’s not obvious at all - usually a password reset through a side channel like email. In those cases, the email is your de-facto identity, and the password is like a refresh token that is stored in your brain.

Now, I’m not saying this is better with passkeys, just that there is more to password auth than meets the eye.

> Of these, the part I really worry about is the synchronization one: everything about passkeys is being structured for corporate lock in.

Me too. I think it depends a lot on the interop story. In the best future, we get something like a password manager standard, which interops with browsers and apps. Current password managers are well positioned to use passwordless auth. As a user, I could then use say Bitwarden on all my devices, and use passwordless as it comes available to more services.

But a lot of questions are still unresolved: what if I need to sign in from a public computer? Will account recovery still use email as last resort?