[fishywang]

>exposing yourself to the mercy of a single organization

The nice thing about passkey is that unlike password, you can have multiple per account.

So you can register a passkey from 1password to website A, and also register a passkey from Apple keychain to website A, and also register a passkey from Google account to website A, and also register a passkey from yubikey to website A, so even if you are locked out from one of your accounts, you still have several other ways to log into your account at website A.

And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).

[efitz]

Having to have multiple passkeys per site to circumvent vendor identity lock-in is one of the main problems with passkeys.

[shim__]

I'd be so easy if this proposal were implemented: https://www.yubico.com/blog/yubico-proposes-webauthn-protoco... one could always register one or more additional keys without having access to them.

[buran77]

A door can be kicked in, a safe can be drilled, a password can be reset. But these keys (whether a phone or a Yubikey) to your digital life are irreplaceable if they're all lost. We've never been in this situation before.

The problem with any solution relying on a couple of physical devices as the sole access to your digital life is that the management and protection of those objects becomes one of the most important things in your life. These keys are supposed to give perfect security so by design making "software" copies brings that security to the level of passwords. But losing them kills your digital life.

You have two keys in the house and you have a fire or severe natural disaster? There's no reset for them and you just piled a tragedy on top of another. You want to restore them from a backup? You probably need the keys to begin with. People need one on them at all times, one at home, one or two in some other safe far away location but to still trust that they won't be misused there.

That's all people hear when they look into passkeys. "One more key" is not enough for most people, tech savvy or not.

[theamk]

Even if it's possible technically, I don't think it's very practical, as UX is very heavily directed towards a single passkey provider. I can imagine doing this for one or two most important websites, but not for each of dozens (hundreds?) websites users have registeration on.

[tzs]

It's not actually all that bad. I went through today and added passkeys for all the sites I use that support them, and for most it went like this.

1. I login to the site using my password, supplied by my password manager (1Password).

2. I go to the site's security settings and find their passkey settings. I invoke their "add a passkey" function.

3. If I'm on my Mac, using Chrome, Firefox, or Safari, I get a dialog showing me the site and the user name and asking if I want to save a passkey in my 1Password.

There is a security key icon on the dialog that I can click if I want to save the passkey elsewhere. That replaces the 1Password dialog with one offering to save a passkey in my iCloud keychain for use on all my Apple devices.

That dialog has an "other options" link which brings up another dialog that adds options to use an external security key or to save a passkey on an iPhone, iPad, or Android device with a camera. The latter option will show a QR code that can be scanned on that other device.

I save the passkey in either 1Password or my iCloud keychain.

If I'm on my iPad using Safari it is similar, except the first dialog shows both 1Password and iCloud as storage destinations, with radio buttons to pick between them.

4. Repeat step #3 once, storing a passkey in whichever of 1Password and iCloud keychain that I didn't pick the first time through.

Some sites let you give the passkeys names to make them easier to remember so there might be typing a name in there somewhere.

All in all, it is only a few seconds to add a passkey after pressing the "add a passkey" button on a site, so adding two is no big deal.

[chrisandchris]

I currently have over 700 credentials in 1Password. Consider me not interested for anything that takes any decent amount of time.

I really like the idea of passkeys but I think most people forgot that security and convenience are not working well together, and passkeys attempt to solve this problem.

Passwords have their own issues but they are so easy to transport to multiple stores, meaning loosing access is going to be hard(er).

And as long as there's going to be a single-point-of-failure (being it Apple, Google, 1Password or whoever stores your passkeys) without any _easy_ way to retrieve your passkeys again I'm advising against it.

With passwords, I don't care loosing access to my iCloud/1Password/whatever. A somewhat recent list of all passwords are stored in a safe place, printed out on paper. AFAIK this isn't easily doable with passkeys.

[tzs]

You can still benefit from adding passkeys to some sites. It will often be a little faster and/or fewer clicks than using a password, especially at sites where you have to enter a TOTP code.

For example at Github signing in with a passkey from the sign in page is two clicks. Click on "Sign in with a passkey", a dialog pops up from the browser showing the passkey it will use by default, and I click "Sign in".

With a password it is a click to have 1Password fill my email and password, a click to submit (which could be eliminated if I had autosubmit enabled in 1Password), and then it asks for a TOTP code. After the code is entered it is a click to complete the sign in.

Github's TOTP entry form is well coded, so if 1Password has the TOTP key it will automatically fill it. If you don't keep TOTP keys in 1Password you'll have to open your authenticator app and copy the code.

Considering that it only takes a few seconds to add a passkey for Github to 1Password, you'll make up the time that takes after just a few logins.

[fishywang]

I'm not sure what UX you are talking about, the majority of the websites supporting u2f/passkey have UX to manage your u2f keys/passkeys. (the only exception I can think of is early Twitter when it first implemented u2f, and at that point it only allow you to add a single u2f key, but even Twitter fixed that later and supports multiple keys now).

And (this is probably not emphasized enough) you really should never only use a single u2f key/passkey for a website, that's the recipe to get you locked out when you can't find your u2f key/get locked out of the provider of your passkey. I have at least 2 yubikeys on my keychain all the time (one for usb-a and one for usb-c), plus one for each of my computers, and passkeys from 1password, google, etc.. And whenever I add u2f keys/passkeys to a website I add all/most of them.

[bobbruno]

...and you just described why this is not ready for prime time. Managing a number of physical devices tied to completely opaque secrets stored by unclear providers in places you never see, with hidden agendas promoting their locked-in solution over all others and complicating everything out of one ecosystem.

Most standard users will either mess up royally or run away scared. Damn, I've been on this field for 30 years, I've been using 4 OSs, 5 different browsers and devices from every ecosystem, and I still find this whole thing too much of a hassle.

And yes, I do have a backup passkey. Even though I had to convince my skip-level that it made sense. I just find it all too complex to adopt it broadly.

[theamk]

if I am reading right, any time you set up passkeys on a web site, you add half-a-dozen passkeys from various services? Yeah, this sounds totally impractical to me.

Have you considered stopping using passkeys and using strong passwords stored in password manager instead? You will have approximately same level of security:

- Either way, if one site is compromised other sites are not affected (because password managers have site-per-password)

- Either way, you will be phishing-protected (because password managers autofill based on host name, and you are smart enough not to override it)

- Either way, it'll be game over if you get a malware on your computer (because it will steal your passkey out of 1password)

... but your UX for new website would be dramatically simpler.

[vel0city]

It's not much of a hassle. I'll add at least two when I want to start using a passkeys for a site. So maybe add a passkeys to the phone and to my keychain device. Then, next time I use the service on my laptop, I'll sign in with either my phone or keyring (whatever happens to be closer) and make one there. Then next time I want to use the service on my desktop I'll sign in with whatever I've got nearby and add my desktop and the token in my desk drawer. And maybe my password manager also has a passkeys, added somewhere in there.

It's not like every time I sign up for a new site I have to drop everything right at that instant and go add a passkey to every single device I own.

[gsich]

Those websites are unimportant enough to just use normal passwords.

[6510]

> And _if_ your, say, Apple keychain is compromised, you can just revoke the passkeys from your Apple keychain from all the websites (yes it's tedious, but it's doable).

without the key?

[rcxdude]

Without a standard automatable way of doing this, it doesn't happen in practice, even assuming people implement it competently enough to allow multiple passcodes (TOTP codes, for example, are often only one per account, which is similarly annoying for maintaining a revocable backup)

[FireBeyond]

> The nice thing about passkey is that unlike password, you can have multiple per account.

I would charitably estimate that of the sites currently supporting Passkey, the ones that support multiple passkeys are in the single digit percentage. So, practically, you can't.

[vel0city]

As someone who actually uses them in a lot of places, the number of sites I know that only allows a single passkey is one: PayPal. What other sites do you know only allow a single one?

[tzs]

PayPal allows multiple passkeys. I just added passkeys there today and had no trouble making two.

I have a vague recollection of running into some trouble when I tried to add passkeys to an account in their sandbox (sandbox.paypal.com) but don't remember what it was. I realized I don't need any of my sandbox accounts any more and deleted them all from my password manager rather than try to solve the problems. :-)

[vel0city]

They do now? That's good to hear. It's been probably close to a year since the last time I checked. Thanks for the update on that.

So then that really makes me wonder what all those other sites these people are using which do only allow a single passkey.

[tzs]

I haven't run across any single key sites.

PayPal's handling of multiple passkeys is kind of annoying. I didn't see any way to change the default labels it gives them, which appear to be simply the OS and browser names. So both of my passkeys are labeled "macOS Chrome".

Clicking on them tells when they were created but the resolution is only to the day.

If somehow my private key for one of the them leaked and I wanted to delete the public key I wouldn't know which to delete.

Some sites label the passkeys "1Password" and something like "Apple iCloud" which works a lot better.

I too first experimented with passkeys about a year ago, and then largely ignored them until this discussion prompted me to have another go.

A year ago I found them almost unusable. I had trouble getting browsers to recognize a passkey was available for a site, and I had trouble getting browsers on my Mac to use passkeys from the Apple keychain on my Mac. They would often put up a QR code for me to scan on my phone to use the passkey from the phone--and that was also not very reliable.

Now I'm hitting almost no problems.

There are still some settings annoyance with some sites. At PayPal for instance it asks for my TOTP code even when logging in with a passkey. There is no option to turn off TOTP for passkeys but leave it on for passwords.

[vel0city]

Yeah, sites should ideally ask for a label at passkey creation with a decent autogenerated one.

[lostmsu]

Ha, tell that to Apple. Last time I logged in to their App Connect it said that passkey can only be used from iOS or MacOS device.