back to article Will passkeys ever replace passwords? Can they?

I have been playing around with passkeys, or as they are formally known, discoverable credentials. Think of passkeys as a replacement of passwords. They are defined in the Web Authentication (WebAuthn) specification of the W3C (World Wide Web Consortium). This work evolved from several prior efforts including those of the FIDO …

  1. VicMortimer Silver badge
    Flame

    No and no.

    Passkeys are a BAD idea. What they're going to result in is users in the real world losing access to accounts, and with the current (also stupid) trend of users storing their data on somebody else's computer, that data. Passwords are hard enough to keep up with, lost devices are a real thing, and this passkey nightmare is going to result in a lot of torment for a lot of people.

    Passwords are flawed. Passkeys are worse.

    1. David 132 Silver badge
      Coffee/keyboard

      Could be even worse… skim-reading rapidly down the Reg front page, I parsed “passkeys” as “monkeys”. Will monkeys ever replace passwords? Now there’s a thought.

      1. Neil Barnes Silver badge

        Shakespeare thought it would take an infinity of them.

        Or something.

        1. Anonymous Coward
          Anonymous Coward

          Some recent research shows that all the chimpanzees in the world couldn't produce a work of Shakespeare in the predicted age of the universe: https://edition.cnn.com/2024/11/01/science/monkeys-cannot-type-shakespeare-study-intl-scli-scn/index.html

          1. LybsterRoy Silver badge

            The recent research may well be right in accordance with its own terms of reference but I would like to point out that they did not disprove the original theorem.

            1. Natalie Gritpants Jr

              Ugh. OK so an infinite amount of monkeys will produce Shakespeare, but you'll never find it amongst the infinite pile of Jilly Cooper

          2. Freddie

            Which is odd, given that in less than the age of the universe, humans evolved from chimpanzees and... created the works of Shakespear. Science 0, reality 1.

            1. MachDiamond Silver badge

              "humans evolved from chimpanzees and... created the works of Shakespear."

              Humans and chimps evolved from a common ancestor. There's a massive difference.

          3. graemep
            Devil

            You are supposed to use monkeys, which (assuming multiple species) are far more common than chimps (which are apes, not monkeys).

            If there are still not enough, the answer is to breed more.

            This is how IT works - if you have inefficient systems just throw expensive hardware at it, making it more inefficient so it can be parallelised etc. if necessary.

          4. gnasher729 Silver badge

            That’s not recent research. It’s known for many many years that more than 2^256 state changes are not possible using all the energy in the universe.

    2. H.T.

      With regards to losing them, unless you're comparing a memorized password versus a passkey I don't see how it's any different. My passwords and passkeys are stored securely on my laptop. Since I have hundreds of passwords I have no hope of memorizing them all and use a password vault with random passwords. I'm using KeePass installed on my laptop.

      If I lose my laptop, how is it any different if I'm using a password or passkey. Note, I have multiple backups of my KeePass database (.kdbx file).

      1. ChrisC Silver badge

        It's somewhat different because, with password based solutions, you at least have a fighting chance of being able to still make use of some of your passwords if you lose your laptop - and as you've noted, you store multiple backups of your keepass file, which I'm assuming reside on several different devices/locations, in which case if you did lose your laptop and couldn't remember a particular password, you'd only need to install keepass on another machine, pull in your backup and off you go.

        With a passkey solution where *one specific device* plays a significant role in the authentication process, losing access to that *one specific device* for whatever reason (lost, stolen, broken, eaten by the dog...) really screws you over, because now how do you authenticate yourself to *any* site or service? Doesn't matter how good your memory is, if logging in requires a response generated by a device which is now no longer able to generate that response, then sorry, you're out of luck until you can obtain a replacement device and have it authenticated.

        And even if this replacement authentication process is relatively easy (though, not TOO easy, otherwise that in itself would be a weakening of the security benefits of this scheme), it's not going to be as easy as either simply being able to remember one or two critical login details, or finding some device capable of running whichever password manager you've opted for.

        1. Anonymous Coward
          Anonymous Coward

          What happens when you die?

          We're currently trying to deal with my sister's estate after her untimely death - and we cannot get into her laptop or phone.

          Bank account tracing seems to be the only possibility to find her online-only banking and saving. Everything else will never be accessible.

          At least it's better than a friend of ours, who was left with no TV, heating, lighting or Internet because they were all "smart" and on subscription.

          Biometrics don't work post cremation.

          1. Doctor Syntax Silver badge

            Re: What happens when you die?

            You can just imagine the project meeting.

            "OK, but we need to plan the procedures for what happens if the customer dies, the device breaks etc. We'll have to have them in place for go-live."

            "Don't be negative."

        2. This post has been deleted by its author

          1. ChrisC Silver badge

            "Agreed, if you only keep your private key on one specific device."

            Indeed, but as this is one of the options presented in the article for how we might manage our passkeys, it seems entirely relevant and necessary to be pointing out the inherent flaws in said option, no?

    3. find users who cut cat tail

      Passkeys are basically how SSH pubkey authentication has worked for many years (except that sane people have the private key password-protected in addition). It is a great idea and well tested in practice. Sorry to inform you.

      Sure, they may not the best match for everything. But why the scaremongering? People lose and reset passwords all the time. With passkeys it would be similar, just the split between situations when you keep and when you lose (and have to recover) access being along different lines.

      Also, pubkey authentication should support multiple different keys for the same user & service (e.g. from different devices) out of the box. In other words, you can have redundancy – safely. In principle, you can have it with passwords too, but it is a mess and rarely done.

      And you can at least dream of things which are just impossible with passwords, like mass revocation of all keys corresponding to a specific device. (Seeing how well revocation works elsewhere, this one would probably remain a dream.)

      1. Doctor Syntax Silver badge
        Devil

        It's the practicality that matters. As things stand I keep passwords on a laptop with a master-password protected password manager. The laptop login is also password protected, of course. Those two passwords are all I need to remember. The laptop is synced to a NextCloud instance.

        I only access whatever the passwords protect from my laptop so if I don't have the laptop available I don't need them anyway and the laptop is a big chunk to carry around so I don't accidentally not have it with me.

        If what's being proposed is to replace the password manager by a passkey manager on the same laptop then I have to ask what's the difference (I'll come to that in a moment). Or is the passkey to replace the password that's currently protecting the laptop login? If the latter then it means I have to have the laptop and something else to hand. Given that it's already the case that I need the laptop plus a charged, switched on and in-signal mobile to do some things I know from personal experience that that's all too often a complete fail.

        But if you're telling me it's "just" replacing my passwords by something with a more secure protocol and that my everyday usage is unchanged then I'm still going to have to take a look at how that protocol's being implemented. I have one end of that in the form of S/W in my laptop and each remote service will have its own implementation. Oh. Just. Great. We all know what happens next, don't we? Some scrote working for either my laptop OS provider or for the S/W used by one or more service is going to spot an opportunity for an improvement, optimisation or tweak (icon: looking for idle hands) and the whole thing gets screwed on a regular basis - shall we say every other Patch Tuesday?

    4. Anonymous Coward
      Anonymous Coward

      Solution: change how browsers work

      Browsers nowadays are de facto failed authenticators: they verify HTTPS certificates, but do not go a step further proposed below. The base problem is that majority of users have no idea what URL is, or how important it is. Many still think Internet is a desktop icon. Or judge about web-site authenticity from its visual presentation.

      Solution: Majority of web-sites visited daily have no business asking for a password whatsoever. So within a browser only a few trusted URL/domains should allow logins. Each user must explicitly whitelist specific URLs to ever ask for a password later. The browser must show a big warning during initial URL approval and keep a whitelist locally or OS-account-based. That's it.

      Scenario: A user accidentally clicks on a phishing URL. Browser shows a big red warning telling the URL was not given permissions to handle logins, so it is likely fake and dangerous, then optionally sends user to the whitelist settings. The whitelisting process should be somewhat time consuming to guarantee that a user does not simply click OK-button as it happens with cookie warnings. For example require typing a longer numeric checksum, thus giving some time to think.

      Notes: OS-level or in-app browsers should do the same. A special login handling protocol may be needed within HTML. Or it should be always the browser to handle logins - not a web page. Bonus - browsers can quickly spot and block phishing domains, as many users deny access to a specific URL. Banks etc must clearly indicate how to whitelist their URLs when opening an account.

    5. Philo T Farnsworth Silver badge

      And, of course, you'll need a passkey to protect the passkey. And a passkey to protect that. And. . . so on until an infinite number of monkeys in an infinite amount of time produce all the works of Jane Goodall.

    6. MachDiamond Silver badge

      "Passwords are flawed. Passkeys are worse."

      If you have a password that protects the entirety of the kingdom, that's a problem. A gold depository has physical locks, biometric locks, card access AND guards. Even somebody with credentials and is known to the guards might not have access at 2am. Their access might be limited to certain areas and might require an escort.

      The same sort of layered approach can be useful for personal banking. You can log on, provide a password and view the balance of your retirement account, but can't move funds remotely. Another account can be set up with a limit by the transaction, day, week, etc. To bypass that, you might have to visit a branch of the bank, identify yourself to a staff member and use a terminal there. I've never needed to make a huge shift of funds with no notice. If I'm going to make a big purchase, let's say a car, I'll have a cashier's check for the purchase or down payment ready to take with me or I'll get one after making a final decision and any negotiations are done. Different limits for different people.

  2. Jan Ingvoldstad

    Lose your device, lose your access

    This point is not quite covered, and it’s a showstopper.

    What do you do when:

    - someone steals your phone/yubikey?

    - your phone/key dies/is factory reset?

    … and so on.

    Passkeys complicate things. But they are sort of better, still.

    1. An_Old_Dog Silver badge

      Re: Lose your device, lose your access

      I've never "put my life" -- passwords, or apps, in my smartphone. I've had one phone pickpocketed, and left another one on a commuter train. (The phone was never turned in to lost+found.)

      The "How do I regain access to my accounts and data when my passkey-storing device is stolen/broken/disabled -- without allowing miscreants to use that recovery mechanism to access/steal my data/money/access?" question is a primary showstopper.

      1. Paul Hovnanian Silver badge

        Re: Lose your device, lose your access

        This.

        The key revocation process will have to be thought out very carefully.

        1. Anonymous Coward
          Anonymous Coward

          Re: Lose your device, lose your access

          I think you meant to say 'should have already been thought out.'

          They think they have. They think that everyone should buy two of them and that Johnny Criminal will never be able to use the one that you think is stored safely. They also don't think that Johnny will break your fingers and your jaw to keep the passkey he took from you active.

      2. This post has been deleted by its author

    2. This post has been deleted by its author

      1. MarBru

        Re: Lose your device, lose your access

        Theoretically correct but farraginous.

        In addition, the very process of adding a passkey of sort, to an account, if possible at all, is the system weakness.

        Perhaps, in future the availability of reliable biometric scanning plus some sort of predetermined changing temporary authentication factor, for instance a password changed ad hoc by an agreed method, could become the norm.

        However, at the end, no method can be totally secure.

      2. eldakka

        Re: Lose your device, lose your access

        > You have 2 Yubikeys, you create passkeys on both.

        Okkaaayyy, I have hundreds of accounts spread across decades of use, so having to double up on creating passkeys (1 for each device, so 2x#accounts) is a lot of onerous work,

        > You lose one, you log in with the other, revoke the passkey on the lost one, and enrol a new passkey on a new Yubikey.

        Excellent, do you have the complete list of all websites/services/accounts I've ever created an account on? I sure as hell don't for me to be able to go to them all and de-register the device.

        > Or use two phones, or 2 Yubikeys, or something. Either way, it is a damn sight more secure than using a password.

        Well, yes, but so is requiring physical attendance where appropriately cleared and vetted technicians and supply chain takes a sample of my blood and does an DNA anaylsis of it to to verify that the person who's physically shown up is the one who's DNA is stored on file - oh and that that file has never been tampered with and is the DNA record that was originally submitted. More secure != better, people have to be able to use it and actually want to use it.

        And what happens if theres a fire at home so both the primary and secondary yubi-keys get burnt up? I guess you could have a fireproof safe for the secondary, but then you'd have to go digging it out all the time whenever you make a new account so you can use it and the primary to store the passkey. If you frequently have to retrieve it to register new accounts, you aren't going to want a time-consuming tumbler-lock safe, too much hassle. Maybe a safe that uses a key instead? Where are you going to store that key so someone doesn't just break in, find the key, unlock the safe and grab the yubikey? Maybe secure the safe with a passcode-type mechanism? Say it could work with a yubikey. Does this now mean you need a 3rd yubikey as you'll always want to have access to 2 to be able to unlick the safe to grab the 3rd - do you now use all 3 to create login credentials on every site?

        > Oh and if you're using a Yubikey or phone you typically have to enter the PIN or use biometrics to unlock the key before any passkeys are available. So if you've lost it it's no use to anyone else either...

        A rubber hose or phone book or, if the assailant doesn't care about being sublte, a bullet to the knee, can sort that problem (although, to be fair, that'd sort the problem of just getting a specific password out of the individual anyway).

        Now don't get my wrong, I think 'passkeys' (or as I see them: ssh key-pairs but unique to each end-point rather than pushing out he same public key to multiple end-points) are a good idea and devices like yubi-keys etc. But they introduce their own complexities that are perfectly fine for someone like me - a sysadmin who's been using ssh public/private keys for decades so is perfectly familiar with the concept - but it could be an extra level of complexity for the average person. Ad my ssh-key use is mostly for work purposes, so I'm perfectly happy with work having copies of my private and public keys that I use for work puproses in terms of having them backed up, or being replicated to any host I login to automatically, or even a 'break-the-glass'-style system where cyber securty can invoke an emergency function that gives them access to all stored passwords in an emergency (with things like auditing where notices go out that this has happened and so-on) or another admin being able to login to a host and as root copy my new public key to my account and so on, But I don't have that type of admin-support mechanism at home with my personal accounts, such as account-based private key replication so that it's "just there" therefore I can't rely on that support for.

        But I don't think passkeys and yubikeys will ever be a general solution for the general populace for security. Sure, for specific high-security populations (government employess for work, politicians, CEOs, really rich people, etc.) or for specific small-set high-security systems, like say bank accounts, but I don't see it ever being used for, for example, my TheRegister forums account, or random news commenting sites, etc. Hell, for those, password re-use is strong, because I honestly don't care if someone gets my credentials for a dozen forum/commenting sites, I prefer the convienience of being able to log into those sites in situations where it'd be onconvienient to use passkeys, e.g. my work computer. I have no way of getting personal passkeys onto my work computer easily (or legitmately, I'm sure I could get them on their if I tried by breaking all sorts of policies that could get me fired) , so while I can visit TheRegister from my work computer, unless I can remember and type in the password, I won't be able to login.

        1. LybsterRoy Silver badge

          Re: Lose your device, lose your access

          Shirley the answer is obvious, you store your passkeys in the cloud - in plain text of course so its easier for you to read.

          1. Victor Ludorum
            Joke

            Re: Lose your device, lose your access

            Plain text? Are you mad? Double ROT-13 at the very least!

            1. Anonymous Coward
              Anonymous Coward

              Re: Lose your device, lose your access

              Nah, Rot-13 has been broken for ages. Use Double ROT-26 for best protection.

        2. Ken Hagan Gold badge

          Re: Lose your device, lose your access

          "> ... So if you've lost it it's no use to anyone else either..."

          I can no longer see the post you were replying to but I might also add that UK law has the rather dumb requirement that "I've lost it." is no defence in court and so there is the whole question of how safe dare you make your system without placing yourself in legal jeopardy in the event of loss of hardware-or-memory.

        3. Bruce Ordway

          Re: Lose your device, lose your access

          "have the complete list of all websites/services/accounts"

          I actually do maintain a list of all my accounts since... I'm constantly retiring and/or trashing my devices.

          And, I never log on to anything using a phone... I only use it for making calls.

      3. SJA

        Re: Lose your device, lose your access

        So, this is not useful to the large amount of people that use insecure passwords. you don't reall expect them to do that right? And since you are savy enough, I assume you use a different long, random password on every site and also different username....

        1. This post has been deleted by its author

        2. MachDiamond Silver badge

          Re: Lose your device, lose your access

          "So, this is not useful to the large amount of people that use insecure passwords. "

          I just had to get a new password for my Copyright account and they require a 16-digit combination with all sorts of rules. One is that it can't contain 3 or more of the same letter. If you try to come up with something that you might remember, it's going to have too many of one vowel. I tried. In the end I used an online generator where I could give it some rules to come up with something.

          There isn't a whole lot that somebody can do if they get into my account at the Copyright office. I suppose they could file an assignment to themselves of my work, but that's not hard to untangle since I'd get a notification in the mail/email and those sorts of changes take time to process. I suppose that if I were a movie company filing a registration for the latest Batman movie, there could be some real money involved so being able to opt for a really complicated password can have some value for certain registrants. They require a new password every 60 days and won't let you reuse anything that you've used the last 75 or so times so you can't cycle between a few that you normally use. It's like putting a lock on the pantry cabinet that holds the canned peas when the burglars would know that those peas are what's behind the lock and not stacks of bearer bonds.

          1. Doctor Syntax Silver badge

            Re: Lose your device, lose your access

            This, of course is the sort of rubbish that's specifically advised against when it comes to good practice.

        3. Doctor Syntax Silver badge

          Re: Lose your device, lose your access

          " I assume you use a different long, random password on every site and also different username...."

          By and large, yes.

          Of course the sites that want an email address as a UID are a bit of a problem. If they're important (i.e. my money's at stake), they get an individual email address - one reason to have a personal domain. Sites which want an email address just for marketing purposes to be annoying (hi, there, booking.com) get an individual email address which will be blocked between my usage or one that's discarded immediately as appropriate.

          Sites which issue their own UIDs can be a bit of a problem too in that sometimes they follow a predictable pattern.

          It's a curation problem but one largely due to individual services' predilection for annoyance. I can't imagine passkeys being different in that regard. Essentially the combination of UID and password is just a long string of characters as is a passkey with only the protocol differentiating them.

          1. MachDiamond Silver badge

            Re: Lose your device, lose your access

            "Sites which want an email address just for marketing purposes to be annoying (hi, there, booking.com) get an individual email address which will be blocked between my usage or one that's discarded immediately as appropriate."

            That's the beauty of having your own domain(s). I have a set of email accounts that get used when I need to have one to get free stuff or sign up for something I'll only likely use once. As soon as the spam starts coming in, I see if there is anything I need to move to a "keeper" address and then delete the mailbox. I have phone numbers memorized that only ring. They are test numbers and have been since prehistoric times. Only occasionally do I get one kicked back at me when I use it. With all the lovely Big Data lists one can buy, I have tax ID numbers for people with the same name (only benefit of having a name that's common as muck). As long as I don't try anything fraudulent, getting in trouble isn't much of a risk. If it looks legit, there often isn't any questions. I was once Eric Idle for something. I had his old address in California memorized. He's since moved so while the address would check out (hasn't slid off the hill), his name isn't on the title. Nobody twigged to the lie. I doubt I could get away with being Taylor Swift for something even with bright red lipstick on.

          2. eldakka

            Re: Lose your device, lose your access

            > one reason to have a personal domain

            I've thought of doing this multiple times over the years. But I can't get past the fact that it's not 'your' domain. It's a rental. And you can lose access to it in multiple ways, forget to re-register, someone hacks your account at the domain registrar, an unscrupulous registrar just takes the domain and gives it to someone who bid more for it, the registrar jacks up renewals by 1000% to a price you can't (or won't) match, etc.

            I really think you should be able to 'buy' a domain, and the only renewal fees are hosting fees if you don't have your own DNS servers.

      4. Doctor Syntax Silver badge

        Re: Lose your device, lose your access

        "You have 2 Yubikeys, you create passkeys on both."

        This belongs in the same universe as "assume a spherical cow".

    3. DS999 Silver badge

      Re: Lose your device, lose your access

      Surely your passkeys would be saved along with the rest of your phone's content in backups/syncs. Then if you lose your phone, it is stolen, or it breaks you can buy a new phone and restore with the passkeys as part of restoring from backup. There's an asterisk here though because on iPhone (dunno how Android works) you can only use iCloud to back up security critical information like that which lives on the iCloud keyring if you have advanced data protection enabled, and it isn't the default (for good reasons I won't go into here) and the only other alternative is an iTunes backup to a Mac or PC.

      Now the hitch is that during that time without your phone you are without access to any sites using passkeys for login. It would also complicate stuff like switching from Android to iPhone as you'd need to copy that data from one to the other, and unless/until there is something specified in the passkeys standard I would not expect that to be a smooth process at all.

      Passkeys are in their infancy, it is in that sort of raw bleeding edge phase where you have to deal with a lot of discomfort to be an early adopter. I'm very much looking forward to using passkeys, but very much letting others endure that discomfort and waiting for the whole process to be a bit more polished.

      I kind of have to wait anyway because I run Firefox on Linux as my desktop browser, but would like to use Face ID on my iPhone to authenticate and have that communication take place between my PC and phone via bluetooth. Is all this even possible today? Maybe, but I doubt it, and it would certainly be a giant pain in the ass to try to set up. I might play with it some next year on to at least determine if all the pieces have that support, and see where things are at. I'm not even 100% sure Firefox supports passkeys, let alone having the pieces in place to allow it to use Linux's bluetooth software to talk to my iPhone!

      1. Anonymous Coward
        Anonymous Coward

        Re: Lose your device, lose your access

        If your passkeys are backed up elsewhere, that's probably another security problem.

        Yubikey + Firefox works, as do many of the other standard keys. Exceptions are basically the ones that don't properly implement certain features that some passkey creation software requires.

        And yes, you can connect an iPhone to a Linux desktop.

        https://www.makeuseof.com/connect-iphone-with-linux-using-kde-connect/

        1. DS999 Silver badge

          Re: Lose your device, lose your access

          If your passkeys are backed up elsewhere, that's probably another security problem

          Why? If it is backed up with a key you only possess (and with iCloud a key very difficult to share with others) where's the security problem?

          1. doublelayer Silver badge

            Re: Lose your device, lose your access

            Let's take a user who has an iPhone but no Mac. They store their passkeys on their iPhone. They're the outdoorsy type so they end up climbing a mountain and dropping their phone, which finds a path of less resistance than they will and goes down the mountain really fast. They will never find it again or if they do, it will have found a boulder which doesn't want to absorb any of that momentum and generously transferred it all into destructive force. How will they get their passkeys back?

            Option 1: the data is in iCloud, and option 1A iCloud or option 1B at least the store containing the passkeys is secured with one of those passkeys. They don't have them on a non-iCloud source. They won't be able to recover them. Either Apple can (1A), with or without their consent, or Apple can't either (1B).

            Option 2: Their passkeys are stored in iCloud, and iCloud is not secured with a passkey. In this case, they can recover them if they can get access to the iCloud account with their password. Great, no data loss. Also, anyone who successfully obtains their iCloud password is in a position to do the same thing. So now iCloud is an insufficiently defended valuable target.

            It works if you have an iPhone and a Mac on the same account and only lose one of them, at least the best option, 1B, does. Not everyone has that.

            1. DS999 Silver badge

              Re: Lose your device, lose your access

              First of all, AFAIK you can't use passkeys to access iCloud. Maybe that will change someday, but it is a login/password plus 2FA (typically your Apple devices are the second factor but you can use one of those hardware devices if you're extra paranoid) You can only STORE passkeys on iCloud as part of your overall iPhone backup - but they won't be stored there in all circumstances and when they are they are IMPOSSIBLE for a third party to access even if your iCloud login/password AND 2FA are compromised!

              For your option 1, when you set up advanced data protection (which would be required for passkeys to be backed up to iCloud) everything is encrypted with a key that exists only in the Secure Element of devices linked to your Apple ID. For recovery purposes Apple provides a recovery key, which decrypts an encrypted copy of the key stored in iCloud. Without that if you lose access to your data then it is gone forever, no one can access not even Apple - you are warned about this when you enabled advanced data protection and that's why it is NOT the default.

              To access the recovery key you either set up a recovery contact (a trusted person who holds a copy of your recovery key on their Apple device or iCloud in some manner - I'm not sure about the details there since I don't use that) or you maintain the recovery key yourself. So e.g. if your wife's iPhone holds that recovery key and once she approves it can be used to recover your iCloud contents including the passkeys. If you manage it yourself you're responsible for maintaining a 28 hex digit key in a secure manner but not so secure you won't lose it - because again if you do and you need you're SOL!

              So option 1 is not a problem if you've set up advanced data protection, unless your phone goes down the mountain and either you've lost your recovery key or your wife was your recovery contact and her phone went down the mountain at the same time. If you haven't set it up, and haven't backed up via iTunes to a Mac or PC, then you've lost your passkeys. And passwords, and health data and various other security related stuff. Apple should probably do a better job of letting people know that certain stuff is backed up by default, but if you consider your passkeys that important it is on you to make sure they are properly protected.

              Your option 2 is not a possible scenario. You can ONLY backup stuff like passwords and health data if you either have advanced data protection enabled or you do an iTunes backup directly to your Mac or PC. Stuff with greater security thresholds like passwords, passkeys and health data can NEVER be accessed via iCloud over the web or any other mean than an Apple device linked to your Apple ID. Because it is either encrypted in a way that makes it inaccessible from the web, or it wasn't backed up there at all.

              1. doublelayer Silver badge

                Re: Lose your device, lose your access

                That helps answer the question. I didn't know most of that about iCloud's storage. Unfortunately, it doesn't really fix the problem for the average user, it just clarifies what problem they'll face. Most of them will face the problem where they didn't know they had to enable advanced data protection, and therefore they have no backups of their passkeys at all. That is a reasonable precaution on Apple's part, and I'm glad they did it because otherwise I'd be worried about anything they might be holding for me, but it doesn't help with the user-friendliness gap that passkeys have. That kind of problem can easily hamper adoption from sites that don't want to see users locked out or users who have heard horror stories of a mountain locking someone out of every account simultaneously because of those stupid security people who keep complaining about the password "password123".

                1. DS999 Silver badge

                  Re: Lose your device, lose your access

                  Yes Apple should do a better job of telling people what is getting backed up and what isn't, but its a tradeoff - the more you tell them stuff like that and force them to make decisions like whether to enable ADP and the consequences of that the less it is "easy to use".

                  I'm not sure what Google does with their backups but there are only three ways it can work. 1) it backs up everything using the equivalent of ADP meaning if you lose the key to restore it you lose everything; 2) it has an option like ADP that is off by default and doesn't back up everything meaning you can lose certain data but not everything; 3) it backs up everything by default but without the equivalent of ADP - meaning anyone with access to your Google account can access your data AND that Google can provide it to whoever presents them a subpoena (or not, depending on how much shady stuff you think governments do behind our backs)

      2. Dan 55 Silver badge

        Re: Lose your device, lose your access

        Firefox supports passkeys on Yubikey, a password manager, and whatever the underlying OS provides. I understand Chrome and Safari are the same, the only difference with Safari is you don't get Safari on non-Apple devices.

        Windows stores passkeys only on that device, Android and Apple will sync to other Android and Apple devices within the same ecosystem if you have a Google or iCloud account. Presumably MS will also come up with passkey sync and you'll have three sets of passkeys which won't travel between ecosystems.

        As soon as I read about passkeys however many months ago it was my spider sense went off and lo it has come to pass. Unless you're going to go with a Yubikey or a password manager it's just yet more lock-in and if you already have a Yubikey or a password manager* with a complex password you're already secure anyway.

        * that hasn't suffered a data breach...

        1. DS999 Silver badge

          Re: Lose your device, lose your access

          Yubikey? Yuck. Like I want something to carry around with me for that purpose, and have to worry about losing.

      3. MachDiamond Silver badge

        Re: Lose your device, lose your access

        "Surely your passkeys would be saved along with the rest of your phone's content in backups/syncs. "

        A phone would be the worst place to store keys. They are way too easy to go walkabout and since plenty of people ARE stupid enough to have all of their financial life on their phone, they are big targets. Even if you do spot that someone has taken your phone, how long would it take you to cut access? .... without a phone.

      4. Doctor Syntax Silver badge

        Re: Lose your device, lose your access

        "Then if you lose your phone, it is stolen, or it breaks you can buy a new phone and restore with the passkeys as part of restoring from backup."

        And when you come to buy the replacement the bank wants to send a text to your old phone for 2FA.

    4. ChrisC Silver badge

      Re: Lose your device, lose your access

      Another potential issue is that you can't always assume that the passkey device will be able to receive the request from the requesting device, or send the response back to it.

    5. MachDiamond Silver badge

      Re: Lose your device, lose your access

      "- your phone/key dies/is factory reset?"

      Yes, you take your phone in to be serviced and find out when you get it back that the tech did a hard reset or the handset was swapped for a working one (that was reset).

      You would have backed up your data before taking it in, but you know, it was broken and you couldn't.

      A physical dongle you'd plug in didn't make it out of your pocket before going in the wash.

  3. Dinanziame Silver badge
    Stop

    Count me out

    I see the point of having two-factor authentication — having a yubikey, or a couple of yubikeys for different devices, on top of using a password. That's the two-factor part. More factors, more security: Now, instead of just having the password, I also need to have a yubikey. But replacing the password with a passkey stored on a phone or a laptop, that's a different story. Not only it means that if I lose the device or it is stolen, the thief can do whatever they want. What's even worse is that the device containing the passkey can get hacked.

    1. klh

      Re: Count me out

      This. I don't understand why people still think this is a good idea. The whole point of 2FA is something I know and something I have - I was sure passkeys would give people an alternative to a hardware token, not replace passwords. While a passkey can't be phished, making it replace the password makes unauthorized physical access so much worse.

      It's like having an SSH or GPG key without a password.

      Though the "I lose the device and I lose access" part is already solved - put the passkey in a password manager that's synced (or in case of hardware keys have a second one).

      1. Doctor Syntax Silver badge

        Re: Count me out

        Though the "I lose the device and I lose access" part is already solved - put the passkey in a password manager that's synced (or in case of hardware keys have a second one).

        Good theoretical solution. How do you implement it in practice so that you can have one lost or stolen but not both and yet have that second one available wherever you happen to be in an acceptable time-frame and without needing some sort of access which depends on having a passkey available?

    2. Notaek

      Re: Count me out

      Actually... Passkeys on their own have three factors. The first is what is known, that is your username/email, the second is what you have, your hardware, the third is physical presence, touching your key. If you worry a lot about devices getting stolen, all hardware keys have the option of a fourth known which can be a mandatory pin after touching.

      1. Dinanziame Silver badge

        Re: Count me out

        The first is what is known, that is your username/email

        This is silly. The email is publicly known; anybody can know it so it can't be used for authentication. And touching the key works for keys; when a passkey is stored in your laptop there is no presence requirement and the laptop can be hacked from anywhere. Some laptops have equivalent hardware that can only be activated physically but it's not the norm.

      2. Missing Semicolon Silver badge

        Re: Count me out

        Biometrics are not another factor of themselves. They are merely ID. They are not revocable, and they cannot be secured, as fingerprints are liftable and faces are photoable. Not all phones are expensive high-end devices with 3D scanners for reading your face.

        1. Joe Gurman

          Re: Count me out

          Don't know about other systems, but Apple's Face ID is implemented by scanning that can distinguish between a three-dimensional face and a photograph, and the vectors extracted from that scanning are embedded in a devices "secure enclave," which I believe has been demonstrated in proof-of-concept to be vulnerable by boffins if they have physical access to the device (and can somehow evade security procedures to log in), but for ordinary humans, including crooks, pretty secure.

          "[E]xpensive high-end" Well, I guess you get what you pay for, in security as well as anything else.

      3. Doctor Syntax Silver badge

        Re: Count me out

        "If you worry a lot about devices getting stolen, all hardware keys have the option of a fourth known which can be a mandatory pin after touching."

        Oh, good. It's been stolen but it's still secure.

        But without it I'm locked out. What do I do now?

  4. Anonymous Coward
    Anonymous Coward

    Passkeys have been destroyed by Google

    Passkeys are never going to work the way they were intended, Google has seen to that: Passkeys: A Shattered Dream

    1. doublelayer Silver badge

      Re: Passkeys have been destroyed by Google

      Several of the points raised in that blog post are good, but there are a few that I think are missing the point.

      For example, one objection in the post is that Google decided not to implement restrictions on providers of passkeys. The point that Google can effectively change the standard by not bothering to implement things they don't like is certainly valid, though it's not like they actually changed the standard and anyone else could also just ignore parts they don't like. However, the specific thing they didn't implement was so bad that I'm glad, and a bit surprised, that they didn't do it. Effectively, it was a way for sites to block key generators, meaning that they could easily restrict you to using one of their choice. That is a terrible thing. For example, if one site gets you to use their key system because it's the only one they accept, it's likely to get users who use that key system to store everything else. Privacy lost in ten lines of code. The argument for why you need that is "a business where we have policy around what devices may be acceptable". To me, this sounds like every other business who thinks that everyone's computer should be locked down so that their preferences are easy to enforce. I don't like it. Businesses can implement their own filter. For instance, they could not let me install software-based key managers other than the ones they like and could block hardware-based ones so only authorized ones work if connected, or they could just tell people that other ones are not allowed and that there will be consequences if you ignore that. Google did a lot of bad things with these, notably the comments about Android's treatment of them, but blocking the Authenticator Selection bit is welcome to me.

      Most of the challenges I see with passkeys are not due to deliberate messing about by tech companies. They're challenges inherent in the model. I use a hardware token to access things. I know that, in order not to be locked out, I need to have a backup something, in my case another token. I have to pull it out and enroll it any time I enroll the first one. I have to keep it safe in the meantime. If I should ever lose both of these, there will be a bunch of annoying problems to get around. If I want to access something on a different computer, there will be friction. Maybe I left mine at home. Maybe the computer I'm connecting to doesn't have USB-C ports and I don't routinely carry a USB converter. None of that is Google's fault, and none of it is simple to explain to users. Passkeys were sold as a panacea to the problems of passwords, and they can be a massive improvement, but they aren't an improvement for every user or every use case.

    2. Gene Cash Silver badge

      Re: Passkeys have been destroyed by Google

      Jesus H. Christ on a pogo stick.

      Whatever happened to making your website READABLE?

      1. Paul Herber Silver badge

        Re: Passkeys have been destroyed by Google

        Could be worse. Could be black text on a black background with a black button that gives you options in black text to vary the intensity from very black to very, very, very, very, very dark blue.

        But I could never get that depressed.

        1. 42656e4d203239 Silver badge
          Joke

          Re: Passkeys have been destroyed by Google

          >>Could be black text on a black background with a black button that gives you options in black text

          You are Hotblack Desiato and I claim my £5.00...

          1. Paul Herber Silver badge

            Re: Passkeys have been destroyed by Google

            The real Hotblack Desiato doesn't get up in the morning awake from the dead for £5.00

        2. This post has been deleted by its author

    3. Ian Johnston Silver badge

      Re: Passkeys have been destroyed by Google

      From that article

      Users should be able to use any device they choose without penalty.

      Because, presumably, it would be so much neater to have every site specify its own authentication device. Just how many devices would I be expected to carry around with me?

  5. Anonymous Coward
    Anonymous Coward

    Might be a blast furnace for users who give remote access to scammers

    My only big concern about passkeys is their ease of use by scammers who gain access to victims’ computers.

    All year long I help scam victims who fall for popup ads masquerading as computer warnings.

    In all cases, the victims gave remote access to scammers.

    I fear passkeys will allow such scammers to log into sites with only the computer’s user login password or an even lower bar.

    These scammers successfully (an autofill typo had sinfully here) coax the victim into typing their computer login password to change system settings on Macs. On PCs, they can just click Yes on prompts.

    Passkeys seem more like a protection for websites than users: sure gullible users can’t recite or type their passkeys for scammers, but once scammers control a victim’s computer (mac or pc), the victim has lept from the frying pan to the blast furnace.

    1. Anonymous Coward
      Anonymous Coward

      Re: Might be a blast furnace for users who give remote access to scammers

      "Passkeys seem more like a protection for websites than users: sure gullible users can’t recite or type their passkeys for scammers, but once scammers control a victim’s computer (mac or pc), the victim has lept from the frying pan to the blast furnace."

      The average user is already in the blast furnace. They will have let their browser remember their passwords, and they will have let websites remember their credit card details.

    2. Missing Semicolon Silver badge

      Re: Might be a blast furnace for users who give remote access to scammers

      Oh, yes, just like Chip and Pin. Who's main purpose is to shift liability onto the customer.

  6. Paul Herber Silver badge
    Facepalm

    I can see both the pros and cons of multi-factor authentication, but not just 1 method. Years ago I had a certain Paypal account that was assigned to my then home phone landline number. I moved house and lost the phone number but forgot to change this on the Paypal account beforehand. 100% my fault. Luckily there is only a small sum in the account but I have now lost access to it.

    But I am in now fear of losing my mobile phone as that is the 2FA method for many things

    1. Anonymous Coward
      Anonymous Coward

      if you lose your mobile

      You need to have the keys stored in another location, either a 2nd phone with the same app installed, or with the setup codes stored securely. I had all of mine stored both ways, in a password manager and on a 2nd device...which is a good thing because i dropped my 2nd authenticator device last week and it no longer works.

    2. Sloth77

      There are cross-platform 2FA apps that will sync across multiple devices such as Authy or Microsoft Authenticator. Don't use Google Authenticator lol

      1. Ali Dodd

        watch out for MS Authenticator

        the backup process is bloody terrible and you may have a nice list of authenticated account on restore but that's all it is a list and you need to reset them ALL up again. That has happened to me in the past.

        Authy is good but been bought in the last couple of years and they have stopped various good features like the desktop version. Been most impressed by Authenticator pro, great set of backup options (and secure export - no lock in!), easy to use and even has a smartwatch option so I don't even need to get my phone out to view a TOTP.

        1. Doctor Syntax Silver badge

          Re: watch out for MS Authenticator

          You trusted everything to somebody else's computer and let them make the rules?

        2. John69

          Re: watch out for MS Authenticator

          I think TOTP is the best answer, but you need to back up the code at the point of registration. You save the code below the QR code and back that up securely. You can then always generate the password with something like GNU oauth2.

  7. AVR Bronze badge

    How many devices have you used?

    Seems like it'd be unworkable for hot-desking, and there's a lot of that in offices now. If every office worker needs a passkey for every device they might use then the number of passkeys explodes. Thin clients might help some, but maybe not if you need to do a presentation in the upstairs meeting room.

  8. Richard Boyce

    SQRL

    Steve Gibson is a well-known guy who put a LOT of thought into this problem, and devised an excellent system to replace the way we currently use usernames and passwords. The major problem that the industry had, I think, is that SQRL is completely open, placed in the public domain and requires no third party to act between the user and web sites. So there is no way for any third party to control or limit its use and no way to directly monetize it. It also didn't help that it took Steve Gibson five years to finish and polish it, albeit with a lot of volunteer support. Plus FIDO, a system that can be used to make money, was being worked on in parallel, but which has also largely flopped.

    For interested people, the system is described and defined at https://www.grc.com/sqrl/sqrl.htm . There is a two-hour video of a presentation given by Steve Gibson available on the main page.

    1. Anonymous Coward Silver badge
      Big Brother

      Re: SQRL

      That probably also has a lot to do with how much people despise Steve Gibson.

      He's a clever guy & offers useful resources (or at least used to be useful), but you try talking to a security professional and starting with "Steve Gibson says..."

  9. Tron Silver badge

    Just promote the sensible use of passwords, teaching it in schools.

    Some can't cope with anything more complicated than passwords. 2FA by text requires you to additionally have a phone and signal and be OK using it. That locks more people out. Go further than that and you just lock too many people out.

    I have a 4G phone dedicated to 2FA that lives next to my PC. I made a call once a month to keep the sim card current. Last week Vodafone expired the sim card. Why? Who knows. It will work until the cash runs out. Then I have to get another sim card. I don't need this sh*t. And why lock a service to a mobile phone, which is the most frequently stolen thing in the galaxy. In other words, this is already too much hassle. More devices, more FA will not help. And involving biometrics would be a really bad idea. We should not be handing over more ID stuff to third parties.

    Oh, and those 'tick the pictures that include a fire hydrant' things are an Americentric pain in the arse too.

    So, that's a 'no' to pass keys. Nothing is perfect, but if something works OK, and passwords generally do, leave them be.

    1. John69

      Re: Just promote the sensible use of passwords, teaching it in schools.

      "Some can't cope with anything more complicated than passwords." Passwords are the most difficult to use. The user has to determine if the entity they are talking to is the same as who they talked to last time. HTTPS sort of provides this via a third party, but it is not easy. A system that does not require one to do this should be easier. The dark web manages it with PGP, how can the rest of the world make it so hard?

  10. deevee

    Just leave passwords alone.

    We don't need 2FA or passkeys or pass-phrases or YUBI keys, or 25 character complex passwords etc...

    1234 as a password is all we need!

    If we need a complex password PASSW0RD is fine too!

    1. Anonymous Coward
      Anonymous Coward

      Even better, just GIVE all your money and information to criminals and then you won't need passwords at all!

    2. Paul Herber Silver badge

      Just use the equivalent for PASSW0RD in some other language, like Faroese. But then if you are Faroese then English is a foreign language so that's ok then.

    3. LybsterRoy Silver badge

      As an alternative websites could just stop demanding you create an account unless its actually needed, and delete the needed information once its used.

      I'm OK with it being an option but for a website where I may want to buy something again next decade why do I want an account and have to remember which email account and password I used last time and, if I try and create a new account because I can't remember but have the misfortune to pick the same email address, oh dear - you MUST login.

      1. This post has been deleted by its author

  11. mmccul

    Authentication is hard

    I've looked into passkeys a fair amount, and the more I dug in, the more cynical I've gotten. It's proof of control as a single factor authenticator. There is no second factor in most implementations.

    Yes, some implementations require a PIN to activate a given credential, but that is rare (and didn't permit non-numeric PINs in the implementation I was seeing). I also see very few implementations that are implementing protections to prevent the private key from being extracted or copied elsewhere.

    There's a certain irony that in the era of multi-factor authentication, we are seeing so much push for a single factor authenticator.

    1. Chloe Cresswell Silver badge

      Re: Authentication is hard

      "require a PIN to activate a given credential" that would be fun for me with my dyslexia/dyscalucalia. I don't even use PINs with my credit/debit cards as I can't remember numbers in the right order.

      Anything that requires a PIN means either I can't use it, or I need it written down.

    2. Rahbut

      Re: Authentication is hard

      I notice that PayPal will let my PC login using a Passkey on my phone... and I have to type in a TOTP as well (with the authenticator also on my phone).

      Whilst still having MFA, this feels more convoluted than just using a password manager to me - which I guess is the main thrust of this article.

      1. This post has been deleted by its author

        1. Tim99 Silver badge

          Re: TOTP?

          Fluff?

  12. sarusa Silver badge
    Devil

    Seems like a terrible implementaton.

    Passkeys seem like someone was thinking really hard that 'passwords are kind of bad' (which is true) and 'what can we do to replace them?' and came up with something even worse after spending like a weekend thinking about it.

    I keep getting pestered to use passkeys now, which is very annoying, but guess what? My desktop, very deliberately, has no biometric pass information. I have no cameras or fingerprint readers on it. And am I really going to haul my phone out separately every f@#$ing time I want to log into a website? No, I am not. Do I want to be completely locked out of my critical websites when my phone is lost? No, I do not.

    So for me, who has relatively decent password hygiene (keepass with password + deceptively named keyfile), and keypass is moderately convenient for filling things in, this seems like several steps backwards in every way.

  13. SJA

    Self hosted Bitwarden / Vaultwarden

    I use self-hosted bitwarden (and hourly backups) and it supports passkeys. I use them only rarely because they don't work well. But at least with Bitwarden I am in control of the passkeys.

  14. Notaek

    I solved it

    I've developed a password-less and email-less registration and login system that solves the problem of multi-device authentication for the same account with my tool at aiadbuilder[dot]net. I simply let users "bridge" their accounts by using OTP via their chosen auth app. This way, you can have mutiple devices as hardware keys to the same account.

    What about new devices and losing access? Simple, I charge users accounts a random amount between 0.01 and 0.99 cents (nonrefundable) as an account recovery verification test. They just has have to tell me the amount first go, currently manually done, but this could also be automated.

    The entire system is completely PII-less. Hoping that lack of KYC doesn't come back to bite.

    This is such a frictionless signup and login process. I wish all sites used it.

    1. Reiki Shangle

      Re: I solved it

      Any intention of releasing this as an independent product?

      1. doublelayer Silver badge

        Re: I solved it

        You wouldn't have to. TOTP authentication is supported by a bunch of libraries. If I'm understanding their account system, all you have to do is create a TOTP login system the normal way where it's a second factor, then remove the password field so TOTP is the only securing factor. You don't need to buy that from someone else.

        Whether you should build it that way is a different question. For a lot of users, that is going to be confusing, no more secure than passwords, and more easy to lock out. Without actually collecting some contact information, the method of account recovery described will be fragile at best. If you do collect contact information, users are used to being able to reset their password without having to pay fees for it. Theoretically, it lets people who are motivated to secure their own accounts lots of room to do so by adding security to their TOTP provider, but such people can already do a lot of things even if it was just a password.

    2. doublelayer Silver badge

      Re: I solved it

      "The entire system is completely PII-less."

      Except, presumably, for the payment method you use to charge them for account-related actions, which is either the PII-rich payment card or the will-drive-away-most-users cryptocurrency wallet with mandatory minimum holding so you can charge these fees.

  15. VoxDei

    I tried to use a passkey the first time a service I used offered me the option. It was kind of a pain, and as soon as I realised it appeared to be blocking the possibility of being able to sign in on a different device I backed it out again. If I as a software engineer and tech enthusiast can't get the thing to work smoothly first try (and frankly I needed that experience just to be able to undo it once done), what chance does the average user have? Unlikely to be trying them again.

  16. H.T.
    Pint

    Count me in, please.

    This post is slightly off topic. As a system administrator, my two favorite advances over the years have been package management (yum/apt) and passkey authentication. As pointed out in the article, passkeys are simply more secure. Passkey authentication doesn’t send your private key across to the server.

    As an administrator I’ve had password authentication for SSH disabled for years. Did people complain? Of course, that’s what they do. They complained when they were forced from telnet to SSH. It’s new. It’s different. It’s difficult. And my favorite, I can’t get my work done now.

    Now I can deploy new servers in minutes using configuration management tools that creates accounts with the user’s public key. No more creating passwords, setting force change on initial login and sending them securely to the end user. The teams I work with now have no issues with public keys.

    With regards to web site authentication. We forget that passwords had/have their own learning curve. Attempting to create a new account for a website was like inserting a USB key; takes 3 tries. Ever enter a USERID and have “not unique” returned. Resolve that and then your password used a special character they didn’t accept. We’ve moved from a simple 8 characters to requiring long complex passwords with special characters. We forget, passwords can be a pain. Just try to helping someone who doesn’t use computers create an account.

    As always, the devil will be in the details.

    1. Missing Semicolon Silver badge

      Re: Count me in, please.

      "I can’t get my work done now.". That's your failure, not theirs.

      1. doublelayer Silver badge

        Re: Count me in, please.

        If they are actually unable to do their work, it might be. If they are able to do their work but they have to do something they don't feel like doing, that's theirs. Everyone's had that. Sometimes there's a good reason, like using SSH keys instead of passwords. Sometimes there's a reason that makes sense for the business even if it doesn't directly apply, like switching a software provider because they charge less money. Sometimes, the reason is bad, like switching software provider because they bribed someone to switch. However, in none of those cases would it be IT's fault that users have to learn and then do something new. If what they need to do is still possible, and equally or more feasible to do, then that's just an annoyance. They can complain about that and see if the annoyance can go away, but if they claim that they can't work even when they can, they are demonstrating their own lack of skills.

        1. Anonymous Coward
          Anonymous Coward

          Re: Count me in, please.

          At my last - and final - workplace I had to contend with an IT department which put a ridiculous number of hurdles in the way of doing work. For example, I typically had to enter my password more than twenty times per day for different systems, applications and commands within applications. Possible, but rather wearing after a while. IT departments need to learn that everything they make people do costs their employer money.

          (A back of the envelope calculation showed that their password entry demands were costing the university around £100,000 per year in staff time.)

          1. doublelayer Silver badge

            Re: Count me in, please.

            And that's an annoyance that they should be trying to improve, probably using some kind of SSO system. However, if I use your numbers and make a couple assumptions, £100,000 per year and assuming 500 staff means £200 per user per year. I think their financial department will be sort of fine with this. IT should still improve it. Unless you were working on something easily weaponized, that is too many times you have to authenticate yourself. They should reduce the frequency where reauthentication is necessary and see if they can simplify the reauthentication process.

            The problem is that there are some users who will react similarly when told they have to enter a password and enter a TOTP code from another device once or twice a day when they access the account with lots of money in it. There are times when the extra delays to getting to the place you need to be are necessary and the cost of the added security is more than worth it. In that case, the user's annoyance is not something you can reduce without removing the security and their disapproval of a change in system is not sufficient reason to do anything differently.

    2. Doctor Syntax Silver badge

      Re: Count me in, please.

      I take it your users are provided with some SPF on which to store their public keys.

      1. MrXonTR
        Coat

        Re: Count me in, please.

        I logged in just to say, mine's the one with SPF50 in the pocket.

    3. doublelayer Silver badge

      Re: Count me in, please.

      A non-unique user ID is not a fault of passwords. Passkeys will still do that. There are advantages to them, but don't give them credit for things they don't fix or would be fixed regardless of the authentication mechanism.

      Similarly, passwords can be a pain, but passkeys can be even more of one. For work-created accounts, it is often less of a problem. IT can manage a lot of the work, they already figured out where they're stored, and if the laptop is stolen or accidentally smashed to bits by a train, IT probably has processes for revocation and regeneration, or if the keys can be proven destroyed rather than compromised, maybe even restoration from a backup. The average user does not have any of those things. By now, they've mostly figured out how to have a password and write it down. Passkeys are less convenient in every part of the process except the logging in from your computer part. This doesn't mean that we don't use passkeys. It means we have to understand why they will be unpopular so we can fix whichever of those elements we can fix and build up the experience necessary to train users in those parts that can't be improved.

  17. Missing Semicolon Silver badge
    FAIL

    Single point of failure

    Expecting your device to be completely secure 100% is just fantasy. If the world moves to 1-factor auth controlled by the private key stored in your device, that will become the prize the hackers are looking for, and will get breached within weeks.

    Remember, there was a time when organisations (like banks) went to the trouble of handing out various kinds of hardware token as 2FA for their accounts. These were either stand-alone toggles with little LCD displays, or minimal terminals over your bank card (used as a smart card). Then they worked out that they could stop paying for this by using hardware people already had - their phones. This is not more secure - just cheaper (in fact self-funding, if you stuff enough tracking in the app).

    This passkey nonsense is just more of the same, outsourcing website security to mobile phone security, and hope nobody gets hacked.

    1. Doctor Syntax Silver badge

      Re: Single point of failure

      I came here to say exactly the same thing. It's not so much that the device becomes a target for cracking.

      We have now reached a point where it's expected that a mobile phone will be to hand, switched on, charged and receiving a signal at all times. It may be lost, stolen, have a flat battery, be in the car, a different room, whatever. Without that availability there's no guarantee of being able to make an online purchase, manage a bank account or whatever. (Being retired it doesn't actually have any functionality for employment purposes.)

      The smartphone is rapidly becoming a single point of failure for life. Have we learned nothing?

      1. Anonymous Coward
        Anonymous Coward

        Re: Single point of failure

        > The smartphone is rapidly becoming a single point of failure for life. Have we learned nothing?

        This is what confuses me about modern "stick it all on the phone" systems.

        So when out drunk and a phone gets stolen\smashed\dropped in river how do they get home?

        * No cash for a taxi.

        * Can't swipe a credit card from a different pocket.

        * Can't use the Uber password they had memorised.

        * Can't phone a mate to collect you as their number in the phone contacts.

        * Can't walk home as don't know how to get there without Google Maps...

        1. doublelayer Silver badge

          Re: Single point of failure

          To be fair, a lot of those would have applied earlier. If someone was robbed before the dominance of smartphones, they would still not have any cash and, unless the thief was considerate enough to leave them payment cards, no card to use to get a cab. The only methods left would be walking home with a better memory of how to do so or calling a friend with a memorized number, both of which are still possible* and done by a lot of people. Most of the people I know don't use navigation apps routinely when traveling near their home, and even those who do do so because the apps are reporting on traffic rather than because the users don't know the way.

          * Finding a place where you can make a call is harder than when there were public phones, but there are probably a few businesses who will let you call if your phone has been stolen. Of course, you had to pay for the public phones, so it wasn't necessarily perfect then in a post-robbery situation.

        2. gnasher729 Silver badge

          Re: Single point of failure

          That’s when you send a message to your mum. “Mum, I lost my phone, please send me money”. Except mum has been told only a scammer would do that. Prepare for a long walk home. I always have 2 cards and some cash hidden away.

    2. LybsterRoy Silver badge

      Re: Single point of failure

      -- if you stuff enough tracking in the app --

      DO you mean I can get a banking app on my smartphone - wow!

  18. Anonymous Coward
    Anonymous Coward

    So, nothing changes

    Before passkeys

    {average USER} gets fucked

    Using passkeys

    {average USER} still gets fucked

    But, above average users are fine, same as they are now.

    yubikey for me and good luck remotely putting that in the usb slot when requested.

  19. MashedPotato

    I write them down

    All my passwords written in a book that never leaves my bedroom. My bedroom is very quiet so I know if I am being whaled. Passwords written in water soluble fountain pen ink so that the contents can be destroyed by dropping in a bucket of water in the case of the zombie apocalypse. The main advantage of the password book is that I can give it to my family who can now log in to my accounts if I am I ill forgetful senile or dead.

  20. PCScreenOnly

    Usb blocks

    Worked at a company where they locked the usb ports to specific devices. Plug your usb in and it needed to be formatted before use and could then not be used elsewhere

    Not good for a yubikey environment

  21. sedregj Bronze badge
    Childcatcher

    Implementation

    "My last concern about passkeys is that the implementation seems to have failed the “make it easy for users” test, which in my view is the whole point of passkeys."

    When it becomes complicated, you will lose customers.

    I speak as the owner of an IT company and son of parents with complex IT needs and a wife who is a highly sophisticated social media user. Each class of user needs a suitable approach.

    Mum and Dad: Prone to writing things down in random places and forgetting where. I got both of them to buy an old school address book for just IT related passwords (I know there will be mission creep but the books are the source). The books are locked away and quite hidden but still accessible also, each password is slightly hidden according to a really simple code - steganography really. However, I have managed to get them to use separate and complicated passwords for each site.

    Wife: I maintain a Keepass database for both of us. I'm gradually migrating the boss over to random passwords. We've been married for 18 years and I expect to finish this job within about five more years.

    It's all very well inventing cunning and fancy schemes but I suspect the kiddies that develop the next cool thingie are basically children with little to no experience of the real world. This is not something you nerd harder over. You have to look at the actual use cases, do a proper security review and create a solution that is appropriate. One that balances good practice with what is practicable.

  22. dave 76

    2FA can be a Catch-22 when moving countries

    I've just moved countries and can not access my original phone anymore.

    So trying to update my mobile number on many sites, they insist on sending an SMS to my original phone for confirmation. Which I cannot access from overseas.

    Why didn't I do this before I left the original country? Because I didn't have my new number yet.

    Not sure how to get out of this validation loop other than abandoning my original account and creating a new one. In many cases that's possible but not when it is a banking site.

    Eventually I will work out how to get out of this Catch-22, will probably involve a plane flight back to my original country for a day.

    1. Doctor Syntax Silver badge

      Re: 2FA can be a Catch-22 when moving countries

      "it is a banking site"

      All you need is to find and visit a branch of your bank where the staff are empowered to sort it all out for you.

      Ah, I see your problem.

    2. gnasher729 Silver badge

      Re: 2FA can be a Catch-22 when moving countries

      Before you move check that your phone supports roaming.

  23. Mockup1974

    Pointless

    >One approach binds the key to a specific piece of hardware

    No thank you, I don't want that.

    >The second class of passkey implementation allows the credentials to be copied among multiple devices, typically using some sort of password manager

    I'm already using a password manager to store my passwords and TOTP seeds. How will a passkey be useful?

  24. venkatarangan

    Thanks for a well-written article that explains the scenario around passkey very well.

  25. John69
    Linux

    It seems most of the complains are based on the system being used. I am no expert, and I gave Passkeys a quick test. Using ubuntu and KeePassXC I got a fully backed up and transferable Passkey login to Github in only a few minutes with no hardware or external service required and no confusing multiple systems asking me to do the job.

    The real problem is the requirement to have a password backup, but this is not inherent to the Passkey technology but the implementations by the servers.

    1. hayzoos

      I think you are correct. Implementation choices are critical to the success or failure.

      In your situation, Linux distributions have yet to integrate passkeys so that system would not ask to do the job. The browser is the next possible system that can confuse by offering to do the job. Your browser either has also not yet implemented passkey support or your settings may have disabled passkey support. I use Firefox but an external password manager so I have turned off FF's password storage which may be how it handles passkeys.

      I think there are far to many options for implementing passkeys and little guidance. I think the goal was to make passkeys easy to adopt by service providers and many options to help in this goal. The result is to much variation to the end user. Some view them as a secure biometric authentication, others as a secure simple single factor authentication, and the list goes on.

      In some implementations, a device's storage is limited so broad adoption will run into a roadblock. Hardware keys storing passkeys as an example, you would need to purchase more hardware keys, but newer ones will have more storage. Passkey loss account recovery suffers from the same problems as forgotten password recovery, the biggest being the weakest link in many implementations. A user does not always get to choose where they can store the passkey in some implementations. Some could be Windows, Mac, Android, iPhone only; sorry penguins and others.

      I predict passkeys will be as well accepted as hardware keys, not very.

  26. Zippy´s Sausage Factory
    FAIL

    No. Just no.

    So you can’t accidentally use a passkey on a bogus site.

    Unless the site has been hacked. I mean, HIBP exists for a reason.

    Similarly, the problems of password reuse across sites are avoided.

    Although if you know someone's user name, and the key algorithm isn't great... I mean how many developers think they're so smart they "roll their own" encryption...

    Yeah, I'm out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like