[crazygringo]

The subject here is literally websites trying to push passkeys on users. That is who is asking us to.

About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.

[Marsymars]

It's wildly obnoxious that browsers don't let you generally suppress these prompts.

And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.

[stouset]

We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.

I’ll be honest I’ve heard a lot of griping about passkeys but I have gone out of my way to switch over to them and have had precisely zero issues over the dozens of sites that I’ve bothered to make the switch on. Login flow is simpler and doesn’t rely on a browser extension guessing at login fields or trying to figure out when passwords change.

Sometimes the new thing really is just better.

[crazygringo]

You claimed "Nobody is asking you to".

Me giving an example of one major website (actually, I gave two) is all that is needed to disprove your claim. I could provide plenty more examples of major websites asking me to, but I don't need to. I could provide plenty of examples of people telling people to "redo everything" with passkeys, but your own comment is literally advocating the same thing...

Please don't mischaracterize the conversation that is plainly visible for all to see. Just accept that you tried to suggest that nobody is asking users to switch to passkeys, and you were wrong. It seems like your error is that you just haven't been seeing it personally, since you switched on your own before the nagging started, and so you weren't aware of it. Well, now you are.

[stouset]

> > Why should I redo everything?

> Nobody is asking you to?

Nobody is in fact asking you to change everything.

[crazygringo]

They literally are. You can easily google articles telling people to use passkeys for all their supported accounts. I'm not going to google it for you.

Why you are trying to claim the opposite is beyond me.

[jazzyjackson]

Hey Crazy Gringo, you may be schizophrenic. An article recommending a security update is not, in fact, telling you to do something.

[alterom]

>We have now gone from having to “redo everything” to being asked to switch to a passkey by a grand total of one website.

Yeah right.

When passkeys were rolled out, I was told it's OK because "passwords are always going to be required to be an available alternative".

Now we've moved the goalposts to "it's just one website".

>Sometimes the new thing really is just better.

And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

Pray tell then what.

[stouset]

What if I told you I was not one of the people saying that? You can’t take two different people with two different opinions and say “Look! You’ve moved the goalposts!”

If passkeys are significantly better, passwords will gradually stop existing. If passwords are, passkeys probably won’t catch on.

> And sometimes your backpack is stolen when you're traveling, with your phone and laptop (happened to me in Poland), and you need to log into your accounts while having none of your devices or your phone number available.

I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it. If this is a sufficiently motivating use-case for you, you too can take these kinds of steps to mitigate the risk.

But since we’re playing the “what if” game, what happens if you get early onset dementia and forget your passwords? Pray tell then what?

[alterom]

>along with a memorized password—

So, your solution is passwords with extra steps.

Thanks but no thanks.

>I personally keep a separate YubiKey that—along with a memorized password—is sufficient for me to retrieve my password manager database and unlock it.

So, basically, having to create and maintain a backup device to keep separately from my laptop/phone in case they get stolen, make sure I don't lose it, but carry it with me everywhere like a crucifix.

That, and still having to remember and use a password, because otherwise the thieves get control of everything once they steal my device.

Sure. That's not objectively better than passwords which don't require this sort of hassle.

At the very least because it still requires a password.

>you too can take these kinds of steps to mitigate the risk.

OK. I can. I don't want to have to do these kind of steps, or any other dance to mitigate the real risks that passwords already protect me from.

Passkeys mitigate risks which I don't run into (”what if someone learns my password?”), while introducing others.

They are a convenience for people who run the system because they off-load those risks onto users.

>But since we’re playing the “what if” game

You're playing games with contrived hypotheticals.

I've had my laptop, phone, and wallet stolen on an overseas trip.

>what happens if you [...] forget your passwords?

I click the "forgot your password?" link which every website that uses passwords has.

Having a notebook in a vault with passwords also solves this problem.

I don't get a sudden onset of dementia which causes amnesia when I travel.

But I've lost my devices and had them stolen from me overseas.

It was a big enough hassle even though I did have the passwords.

[jazzyjackson]

If a website only supports one passkey on one device, it's a shitty implementation. To be fair many websites have shitty implementations, so I ended up using my yubikeys to store the secret for OTP codes.

Having only one device that has authority to log into your accounts is obviously not a good security model.