by tempnow987 723 days ago
TOTP with a changing code is simple to understand and use and very resistant to both SIM swapping and all these push-based notification attacks. Push-based notification attacks are relatively easy to social engineer as well - call, say you need to confirm identity and push.

Passkeys are a nightmare. For whatever reason they play SO SO badly. Microsoft / et al all seem to compete to screw this stuff up. Seriously, if you are logged into a remote desktop, the push goes through chrome to some microsoft thing which has a different pin / password / whatever. What's even crazier - I have a yubikey and somehow the passkey doesn't need the actual hardware key to be plugged in - so this passkey is being stored somewhere else.

Keep it simple. I liked the U2F yubikey flow where you had to touch the yubikey to authenticate and I like TOTP well enough as well.

2 comments

This, I find passkeys very difficult to understand.

It seems I can use my phone as my "passkey". Okay nice, that should mean I can use the same one on multiple devices, just like with a hardware Yubikey, right? Well apparently no. Use a phone as a passkey on one device for a web account, try to log into the same account on another device, using the phone passkey, and it doesn't work, claims there is no passkey. I can't see what passkeys are actually present on the phone, so I don't know what's wrong.

There are so many different ways to have and use passkeys, and no way to tell what the status is. I have no idea how the less-technical users are supposed to be able to figure this stuff out.

Totally - it's super confusing! Apple actually seems to let me plug my passkey into my device (including my phone) and then it works. But I'm not native Apple - all my work stuff is Windows / Linux etc. And passkey is garbage there. I think even Bitwarden is trying to hijack the passkey now. How is this a second factor? If my vault password is taken, and the passkeys are in the vault - then aren't you screwed?

The whole point of a little yubikey is that if someone gets my password, they also have to get the yubikey. The chances of that, while not zero, are MUCH smaller. And then I can do a little recovery envelope with a yubikey in it as a backup.

When you created the passkey, there was an option to store it on an external security key. It was probably some smaller text or a button towards the bottom of the confirmation dialog.

Since most users would prefer to store it in iCloud (or competitor) and have it synced to all their devices, that’s the default. But you can keep using external security keys in this new passkey-based world. You just have to opt-in to it.

And yes, I agree that external security keys offer better security, at the cost of a little convenience.

I've tried to use a key on a device, but they DON'T seem to work everywhere. If I use an Apple phone for my key, how does that work with Chrome on Windows or just for Windows logins?

If I'm using whatever Windows is pushing (maybe INSIDE Windows - so if they get my PIN/password I'm hosed?) how does that work on my iPhone or for Apple TV login?

The whole thing is a freaking mess. U2F or whatever came before was so easy by comparison. Seemed to work very well cross platform. If you had a NFC version you could bring it close to your phone and touch a button and voila - authenticated. Or plug into a computer and touch a button. And it seemed to work with Chrome / Windows etc etc.