[Someone1234]

True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.

I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.

[alterom]

>your hardware dies

Or your backpack gets stolen.

Oops.

I swear, people who idolize passkey security must never travel anywhere.

PS: "just have more devices with passkeys", they invariably say.

Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.

[StilesCrisis]

I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!

[dboreham]

The good thing about this is they thereby also support FIDO2 hard tokens such as Yubikey. The UI is often confusing but you can always tell it to provision the key to your Yubikey rather than the OS enclave.

[Arainach]

That doesn't help if my machine (with only a few USB ports) gets stolen/lost with the token in it. It doesn't help if some of my devices only have USB-C and some only have USB-A. It's absolutely more annoying than letting my password manager fill things in or typing in a 6 digit code from my authenticator app.

[nightski]

Get a better password manager? Most store passkeys.

[Arainach]

If the passkey can be stored in the password manager, then there's no second factor and what's the point?

[stouset]

Your password manager almost certainly already has baked-in passkey support.

[StilesCrisis]

It does, but what's your point? Why should I redo everything?

[fragmede]

"redo" just press yes when the site offers and your password manager asks you to.

[stouset]

Nobody is asking you to?

[crazygringo]

The subject here is literally websites trying to push passkeys on users. That is who is asking us to.

About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.

[bartvk]

Of course they are. Lots of websites are pushing it, including while using dark patterns. You need to sometimes explicitly cancel an onboarding flow to avoid Passkeys.

[Barbing]

>"just have more devices with passkeys"

Confirms that strategy then

For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.

It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

[alterom]

>It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft

Literally happened to me in Poland, which is why I avoid passkeys like the plague.

(The thief got caught months later. That didn't help me.)

>Maybe no big deal if you can port your number to a new phone right away.

T-Mobile won't mail a SIM card overseas, and I doubt others will either. There is no "maybe", it's a certainty that you won't be able to.

>Or maybe the trusted friend can help

Yeah, my wife literally mailed me SIM card to Poland.

It took over week.

And a "trusted friend" would first have had to get it somehow.

>Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

At least I logged into my accounts from that city before the laptop and phone were stolen, so my logins were not "suspicious".

That's with a password.

_____

PS: screw Citibank's mandatory phone -based "2FA".

[Barbing]

Oh my goodness, what are we supposed to do?!

Edit: and near 0 customer support too

[slau]

I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.

It takes a bit of effort, but it’s not impossible.

Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

[alterom]

>Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

No need to imagine!

Remove all passkeys from your phone and laptop, then go somewhere overseas without any of those Yubikeys.

Have fun enjoy a "not truly problematic" scenario of getting your Yibikeys from "multiple locations" you don't have access to, while being cut off from your messengers, email, bank account, etc.

Bonus points for having your card locked or stolen at the same time.

Or, imagine the backpack with your passkeys devices being stolen on an overseas trip.

Again: pray tell, then what?

[slau]

> Remove all passkeys from your phone and laptop

I don't have any passkeys on my phone or laptop. They're all on the Yubikeys.

I don't really see a difference with (some) password managers, though. If you use one of the keepasses, and you lose access to the file, you're in the same situation right?

And yeah, you're right, there is a risk of inconvenience. I'm not debating that. I just choose to organise my life in such a way that it is just an inconvenience.

[Joker_vD]

> and you lose access to the file,

It's literally at https://github.com/Joker-vD/keepassdb/raw/refs/heads/master/... in my case, plus a couple of other free hosting sites that support easy updates/reuploads, so losing access to it requires losing access to Internet — in which case you don't really need any (alright, most) of your passwords because you need Internet to connect to the services that require those passwords.

[slau]

OK, fair, I never left my keepass file exposed like that when I used keepass.

If I remember correctly, 1Password still requires a "vault key" in addition to your username and password, and it was definitely too long and not used often enough for me to remember.

[Joker_vD]

> It takes a bit of effort

That's a wild understatement. For most users, having a password manager is already very near to the upper bound of acceptable friction.

[jazzyjackson]

oh lawd, yes it does come down to 'who has the power to reset your account', and very few people want to take the path of 'no one has the power' in the case of lost credentials.

[kenniskrag]

> But then your hardware dies

A lot of services have password reset email features. If the email account has passkey you're screwed. But restore by snail mail can be possible but slow (for paid services). More secure? Don't know but same category of problems already known due to sim swapping attacks in mobile sector. But for sure the Mail account is a high value target.

Storing passkeys in a database may be possible but complex to do it right e.g. backup verification, avoiding to leak while backup etc.

[kenniskrag]

Edit:

Banking has no selfservice password reset. A lot of work for customer support due to identification. Nobody wants to do that for free and if the accounts are freenyou may get DOSed by bots which trigger passwort resets.

[themaninthedark]

At my work we required a complex password <15 characters lower + cap, number and symbols.

Updated to Windows Hello and passkey.

Now I can use a 4 digit pin to login.

[mjmas]

Yes, but the pin uses the TPM which allows other things like only ever allowing a low number of guesses before requiring a reset of the pin (using a password or other mechanism)

[themaninthedark]

Thanks, didn't know that!

[Barbing]

>It is objectively good security, but has a ton of usability headaches yet to be really solved.

Thank you, then this is still true today?

Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.