[godelski]

A few weeks ago I had a bug with bitwarden where every passkey wanted to load from the macbook instead of bitwarden. I ended up being locked out of a few accounts that didn't have OTPs as a fallback. Mostly inconsequential stuff like Twitter.

I love passkeys, but they're still kinda hard to use. There's several sites that wont let you enroll multiple ones and it's easy for systems to step on each other like the aforementioned experience.

The problem is fallback. All my banking apps have SMS OTP fallbacks and that's no better than having only SMS OTP. If you're building these systems make sure you have good fallbacks. What matters in design is not so much how well it works when things go right but how well it works when things go wrong. With security you really cannot ignore edge cases

[xandrius]

If you're using Firefox, it's a known bug and you can fix it by reverting the bitwarden extension and then wait for the fix.

[nixosbestos]

Can you give any more details about this? I had bumped into this and couldn't figure out if it was actually Bitwarden extension but or a Firefox bug.

[awesome_dude]

I read this thinking "The BEST security is the WORST usability, and vice versa"

The easier it is to do things, like use another channel, the harder it is to keep secure.

The easier it is to keep secure, the harder it is to use.

[jeroenhd]

I don't think this is a security vs usability thing. A lot of UIs are intentionally confusing.

Apple wants you to use iCloud passkeys, Microsoft wants you to use Microsoft Account passkeys, Google wants you to use Google passkeys. Even if you have a dedicated USB device plugged in, browsers keep defaulting to the cloud accounts.

Bitwarden's approach is to simply hijack the passkey request before the browser can respond and throw itself front and center. It's a terrible hack but it works on every browser at the very least.

If these companies cared about their users more than they cared about throwing up walled gardens, they wouldn't put a USB key behind "Choose another method" -> "Dedicated device" -> "Security key" -> "Confirm" while offering one-click login with their cloud account. And they would offer a proper API for third party applications to integrate into the native passkey storage.

[jogu]

Yeah, the passkey provider management is absolutely horrendous and is the biggest blocker to passkey adoption in my eyes. I have 3 different sources (iCloud keychain, Yubikey, and Enpass) and in the best case it's some extra clicks like you mention, in the worst case it just simply won't let me select the correct provider.

I've resigned to registering a passkey into all of my providers and just letting the most platform native option win for now.

[raw_anon_1111]

Apple does have an API to allow third parties to be used to store passwords and passkeys and they show up during the standard flow from a browser.

[godelski]

I remember once I was working for a big tech and we had windows computers. I tried to use Hello so I could login with my fingerprint. It broke outlook for some reason. So I switched to a Yubi key since they were offering.

Every login was the same: fails -> try again or try different method -> list of methods (including "security key") -> ok -> tap security key -> ok

It would not let me set the key as the default and there were two unnecessary clicks. The box literally only had a single button (besides the standard x on the window)! It was absolutely infuriating.

I'm with you. I don't believe these companies are actually trying to create the best solutions. And you can absolutely see that when you try to move from one ecosystem to another.

Look at my problem again and now consider had I been using my iCloud key and wanted to login from my Linux machine. It literally wouldn't be possible!

[Shadowmist]

If your desktop browser has Bluetooth access you can scan a barcode with an iPhone.

[miohtama]

This is the problem when UX guidelines are not part of the standard.

[godelski]

That's one way to read but I think a narrow way. Besides, my issue wasn't actually an issue with security now was it?

In practice we don't actually want the best security though. We frequently make concessions. I mean with my bank I don't want "the best" security. If I lose my credentials I don't want to go broke. If my credentials get hacked (especially if hacked by no fault of my own!) I want that money recovered. These things would not be possible with "the best" security.

In fact, in a different interpretation I would call those paths less secure. Ability to recover is a security feature just as much as it's not.

Both security and privacy do not have unique all encompassing solutions. They are dependent upon the threat model.

Importantly when designing things you have to understand modes of failure. When you design a bridge you design it to fail in certain ways because when/if it fails you want it to do so in the safest possible way. Why does this pattern of thinking not also apply here? It seems just as critical here! In physical security you also have to design things for both fail open and fail closed. You don't want you always fail close, doing so gets people killed! So why is the thinking different in software?

Not to mention:

How do I login from my Linux machine if I'm only using my iCloud key?

Your logic would lock me into the apple ecosystem forever and that's a worse security setting than anything else we discussed. Apple decides to become evil and I'm just fucked. Or swap Apple with Microsoft who is actively demonstrating that transition

[morshu9001]

Some of the things that came out before passkeys were harder and not more secure, like OTP. Especially the way that earlier versions of Google Authenticator implemented it. We're finally close to a permanent "remember me" button that most people wanted, but it needs a bit more polishing.

[xboxnolifes]

> All my banking apps have SMS OTP fallbacks and that's no better than having only SMS OTP.

In terms of security, yes. But not in terms of convenience.