by danShumway 978 days ago
> I really don't care what the contingent of passkey haters on here say.

I think what a lot of passkey advocates misunderstand is that this isn't a debate about what passkeys should look like once everyone has adopted them. It's a discussion about whether passkeys will ever get adopted.

Ordinary users are not going to use passkeys until these problems are solved. You're envisioning a world where everyone says, "there are tradeoffs, but we all made the switch and the security is better so tough luck." The reality is that fixing the tradeoffs is a precondition for passkeys to be a replacement for passwords.

The same industry that was incapable of teaching people how to use real 2FA tokens is not going to be able to teach them how to clone passkeys across devices. The discussion around passkey problems is not a discussion about how many people will grumble when passkeys eventually break into the mainstream. It is a discussion about whether passkeys are ever going to break into the mainstream at all.

----

Note that passkeys themselves are a response to this reality: it used to be that everyone talked about how cloud synchronization within an ecosystem was just too insecure and critics were going to have to get over the fact that it wasn't supported. This was a common debate on HN.

That changed, because it became obvious that passkeys were not going to happen without cloud sync and that roaming passkeys were a requirement, even if they made the standard slightly less secure. Now the same people are out saying that portability and better standardization among services is not the FIDO Alliance's problem to solve and people are just going to have to get over it.

And I don't think y'all understand how standards get adopted. Ordinary users are not going to get over it, they're going to refuse to use the standard. The first time they use passkeys and run into Amazon telling them that they can't log in from Firefox, they're going to walk away from passkeys forever.