if this is how most people encounter passkeys it’s no wonder that they fucking hate them. it feels like getting tricked. because it is getting tricked. I was tricked
I'm a somewhat tech-savvy person, and passkeys just feel so much like I'm being scammed.
I trained myself not to trust the browser to store a password, and instead use a password manager, but now I keep getting prompted to let the browser manage some magical thing.
What happens if I need to use the same account across different devices? Do I use some complicated login practice on each one and get a magical key? Is there some way other than signing in to Chrome or Firefox sync to share the "passkey" (what is it, a cert, a gpg key, some other magic number?) between my devices. If so, how do I prevent that from being compromised.
I know there's no magic silver bullet for security, and the complete mess that I see when places do use passkey makes me really unsure about it as a solution.
@glyph if i'm prompted to make a passkey i just assume they're going to store it on their server, not my machine. NO.
it always feels like a snow job.
@glyph That is indeed how most people encounter passkeys! every time I buy something on Amazon it tries to con me into creating a passkey these days: it's so irritating I'm on the edge of deleting my account.
@jwz @cstross for a while I thought that banks were avoiding implementing cheap but sophisticated authentication methods because they'd already priced in the fraud and didn't want to bother spending "engineering resources" (an incorrect model of how digital services infrastructure is maintained, but I digress) to do something that would merely hedge a risk they'd already hedged, but this model has broken down somewhat as they have "spent the resources" and made things uniformly worse
@glyph @jwz @cstross I bought some yubikeys a while back because I thought I ought to be taking security seriously.
They were great at first.
Now, in order to use them, I have to dismiss at least two other offers of passkeys (that won't work) and press at least one button that looks like it's going to cancel the login but which is actually required to proceed.
@glyph every time i log in to minecraft, somehow i get to a stage in the auth process that says it's provisioning a new passkey for me (despite not clicking any passkey-related buttons anywhere in the process), and then it fails because it's an embedded web view and not a real browser. it really does feel like microsoft's login flow is really badly broken and that it mistakenly takes you to steps you did not ask for
@glyph@mastodon.social It's super cool how you try to provision a passkey for Microsoft so you can log into Xbox with your phone quicker but Microsoft seems to be one of the only services that somehow overrides your passkey provider preferences on Android and will send that shit straight to Google Password Manager who, of course, has no real method to transfer those passkeys outside of their system.
So you have to break out your desktop computer and configure your passkey manager's browser extension so that Microsoft will register it in the right place and so it will sync to your phone and then you can sign into Xbox with 3 clicks instead of 49.
Fun!
#pluralistic describes it as the "fat-fingered economy" portion of surveillance capitalism.
They deliberately redesign interfaces to increase the chances of clicking on the wrong thing.
Linking phones to identities to laptops to home appliances to home addresses to email to bank accounts & credit cards to passports & driver's licenses...
@Npars01 hmm. I was about to object, because the economic incentives don’t quite line up the same way here, but maybe it IS the same incentive structure, just … slanted weird, and deployed vastly more incompetently
@glyph encountering a passkey on an iPhone is a way better experience than encountering it on windows. Even still the UX is a giant mess across the ecosystem.
(Insert rant about discoverable keys)
I do hope we sort this out, but it feels like an uphill battle
@cthos this whole experience was on apple devices but there is only so much that can be mitigated
@glyph *sigh* I am going to have to put up a rant one of these days about all the little annoying UX foot guns aren't I?
@cthos that will be useful, but, ultimately, https://mastodon.social/@glyph/115677038638322402
@glyph I agree there and also educating site owners (and having the IdP vendors help) on how to present them coherently.
But also, the spec is deep and confusing and people still don't get the discoverable vs non discoverable distinction and there isn't a clear delineation
@glyph my experience of using passkeys is that if by fantastical chance every single element of the software stack I'm using is compatible, then I'll randomly get a pop-up asking if I want to log in with a passkey instead of having my password manager autofill the password. There's no time savings. And it still wants a six digit code afterwards.
Last week one of my accounts, which previously did the passkey prompt, started instead prompting me to "touch my Yubikey". I don't have a Yubikey. I've never used a Yubikey for any account. But there's no option to click to contradict the software's assumptions. (Also, most users would have absolutely no idea what a Yubikey is or why you would touch one.)
My experience of using passkeys is strictly worse than a normal password manager. Plus, it's easy to understand how a password works, whereas it seems like I'm not allowed to understand passkeys, or at least nobody is interested in trying to explain it to build user confidence that they're secure, you're just expected to believe in the magic. Engineers who have only ever used top-of-the-line Apple products and never shared devices with another person took a formidable problem (password reuse) and invented a treatment that is significantly worse than the disease.