I am going to be giving some public talks about passkeys in the next few months. What questions do you have about passkeys and what topics do you want covered in me exploring passkeys?
Discussion
Replies:
0
@rmondello When exporting data to another app in Passwords, when will we be able to filter just passkeys?
This is one of the things that I think is slowing adoption, (other than people not knowing what the hell a passkey is) the feeling of lock in and everything being a bit of a faff.
Websites not allowing you to delete your password when you add a passkey is not helping the image of passkeys being a secure replacement for passwords and otp.
@deandmx I genuinely cannot believe that not having the ability to filter to just export passkeys, and not other accounts, from Apple Passwords is slowing down passkey adoption. That simply doesn’t pass the smell test for me.
@rmondello 3) and finally, people have wrong concepts all over the place: I have made the experience that average people often …
a) either believe they know passkeys and are heavy users of them - while in fact they’re not and are just confusing passkeys with typical biometric auth on their devices.
b) or they say they have no idea what passkeys are (and don’t use them) and then you find out they already have 7 passkeys in their Passwords app ;-)
@rmondello besides that, since I am preparing a passkeys rollout project in a large company and have talked to many people about passkeys over the years and explained their advantages, I have noticed a few things:
1) it is incredibly hard to explain passkeys to average, non-technical people.
2) only explaining why they are better, is not enough: without actually understanding how things work, people get lost, the first time they leave the “happy path”…
@rmondello What is the roadmap/ plans to meet the demands of more “high assurance” scenarios (e.g. regulated industries like banks)?
I mean things like device-specific, supplemental passkeys (to mark trusted user devices) or support for secure payment confirmation (authenticator/browser displays WYSIWYS transaction data).
Imo, these are (besides user confusion, what passkeys are) some of the topics that are preventing a quicker adoption in regulated industries like banks…
@rmondello some web sites refuse to allow me to create a passkey with Firefox running on my Linux laptop. Is this actually a good security practice for them?
@rmondello I still regularly run into sites that don’t correctly recognize I already have a passkey saved. It usually takes a couple of tries.
Maybe talk about common pitfalls or what techniques I can use as an end user to figure out what’s going on.
How do you recommend sharing passkeys with family members?
@stegrainer I got to someone else’s question before yours, but here you go! https://hachyderm.io/@rmondello/116551788313940201
@rmondello How do we get people to understand the difference between biometrically controlled passkeys vs persona-style biometric info harvesting?
@rmondello Is the ultimate plan to force passkeys on everyone? If not, how can I stop the passkey nagging that I didn't consent to?
@rmondello How to make it stop! I don’t mean this sarcastically or facetiously. I am happy using a password manager for now, and visiting Apple or Amazon or Microsoft requires hitting a ‘cancel’ or ‘no’ or ‘decline’ button 2, 3, or even 5 times. On *every single login*.
Perhaps more important, I have a Dad in his 80s and in-laws who are the same, and having *carefully* moved them from post-its to password manager over the last several years, it is terrifying for them to be harassed about passkeys with no way to shut it off.
They’re trying to do the right thing, but the implementation is so poorly done that it’s really stressing them out.
@rmondello When I lose my passkey, what happens? Show me real-world recovery paths for known big companies.
Where are they stored and how can I manage them?
@rmondello I would love this: "How to turn a Pimoroni Tiny2350 into a Passkey using all Open Source software and firmware".
@rmondello How can I migrate to a new platform without logging into every single site with my old system to setup passkeys with the new system?
Authy? 1Password? Ok… now what if I want to migrate to a new password manager?
@rmondello How do they handle the edges cases when everything isn’t perfect.
Say I’m on vacation, I break my phone and buy a new one. I need to login to get my data so I can get my plane tickets to go home. If my login is a passkey, then what?
I’m at a family member’s home using their copy of TurboTax and need to login to my bank on their computer to download my records, but I have a PassKey, then what?
If the answer is fall back to password auth, then what is the point of the Passkey?
