> The problem they solve is that almost nobody uses a password manager. Numbers pulled from Google seem to suggest 1/3 or so, which probably varies a lot across the world.

But that's not too bad given it's never really been shoved down users' throats. They've been pushed pretty hard in PC magazines and media. They're not entirely obscure.

> For people using password manager implementations, passkeys also add a layer of protection by being practically unphishable.

True, but it's still some protection: auto-fill won't work on a different domain so phishing is harder. However, note that many legit sites, even payment gateways etc., use multiple strange-looking domains sometimes. This is beyond irresponsible imo, and the clear fault of the service provider.

> If passkeys are implemented well, using hardware encrypted storage, you also never risk a copy of your passwords falling into the wrong hands[…]

This is only theoretically true. Regular people aren't able to provision and secure multiple auth devices in case of house fire, theft, or loss. What happens in practice is an account recovery flow, usually through email, SMS or support, which is prone to all kinds of non-crypto attacks, including phishing. Per-device passkeys alone are possibly an improvement in convenience but not as a last-resort identity, in practice.

From a security POV it's very similar to pw managers, and so far I like them more because they're vendor agnostic. Ideally we'd have pw managers simply manage key material instead of a random pw, when supported by the provider. I already use GitHub this way, with Bitwarden.
Which is why the Passkeys spec clearly spells out this responsibility to the service providers and breaks if they get it wrong, truly making it their problem to solve. (It's the direct source of most of the complications described in the linked article's section #13, and indirectly mentioned in other sections.) Passkeys are domain specific and only domain specific and browsers do and will enforce that. It does what auto-fill can't and if a service provider uses multiple domains and gets things wrong, they are broken and have a service outage on their hands to fix, rather than "maybe they temporarily changed domains" still being a phishing vector for those relying on auto-fill as an anti-phishing deterrent (that still catches people that should know better because too many well known services are unreliable about temporarily jumping domains or just plain using way too many domains due to internal silos that shouldn't be so visible externally [cries in Azure]).