William Brown, developer of webauthn-rs, has written a scathing blog post detailing how corporate interests – namely, Apple and Google – have completely and utterly destroyed the concept of passkeys. The basic gist is that Apple and Google were more interested in control and locking in users than in providing a user-friendly passwordless future, and in doing so have made passkeys effectively a worse user experience than just using passwords in a password manager.
Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can’t be extracted or exported in any capacity.
Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate – you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better ux.
The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?
William Brown
The whole post is a sobering read of how a dream of passwordless, and even usernameless, authentication was right within our grasp, usable by everyone, until Apple and Google got involved and enshittified the standards and tools to promote lock-in and their own interests above the user experience. If even someone as knowledgeable about this subject as Brown, who writes actual software to make these things work, is advising against using passkeys, you know something’s gone horribly wrong.
I also looked into possibly using passkeys, including using things like a Yubikey, but the process seems so complex and unpleasant that I, too, concluded just sticking to Bitwarden and my favourite open source TFA application was a far superior user experience.
My significant other’s microsoft account’s 2fa via usb key silently got disabled by microsoft after this passkey introduction.
Yep, microsoft cares so much about user’s security that they disabled the most secure 2fa method they had *and didn’t warn users that they were doing so*.
Enshitification creeps ever forward…
Its terrible. Absolutely terrible. I can’t hide my rage at these short term, customer hatful decisions the large tech companies are making with *security*. Freaking terrible. A pox on all of their houses.
Meanwhile, SQRL sits there, ready to be adopted by anyone. (https://grc.com/sqrl)
There isn’t a perfect solution, at least not yet… But there are more solutions than the one the big companies are pushing.
Yes, this is a visible degradation compared to YubiKey and similar 2FA devices.
Those were not only “hackable” (in the good sense), you could also have backups, and use them for other purposes (like SSH authentication, … with some effort).
Now, many sites, even PlayStation has moved to “passkey” for security, where I find it not working 50% of the time, and lacking practicality on the rest.
Authentication is broken for me — consistent 2FA every time I login from the same device, “Remember Me” and “Stay Logged In” that never works, asking to upgrade a subscription =every time= I login in (NY Times). I just want to go to my websites and read! Maybe it’s adblockers or javascript blockers or something but in general login is way more of a pain than benefit.
Certainly I’d be a big fan of a unified open standards login method where I didn’t need to sign off everything I read to an AI trainer.