@rmondello Great Talk, as someone who’s been trying to adopt passkeys when services let me, I leaned a lot.

@rmondello This was communicated so well and easy to understand for someone not in the industry at all :)

Reminds me of that 2018 passwords con talk. Awesome stuff!

@rmondello Terrific talk, thanks!

@rmondello excellent. Thank you :)

@rmondello Ricky, THANK YOU for calling out the practice of just adding Passkeys as an option for MFA! It's always so frustrating to see it used in the worst way possible. I want to be able to switch all my accounts from using passwords + OTP to JUST PASSKEYS! Preferably removing the password and other factors from the account entirely.

@rmondello Great talk, Ricky! You succeeded in the approachable goal. I don't work on anything that can utilize passkeys but I've been enjoying them more and more as a user and look forward to their continued evolution and adoption.

@rmondello
This sounds like a really interesting bit of information, the "why" behind passkeys is definitely a topic I want to understand. Do you have a transcript or a blog post about the topic? I would rather read an ruminate than listen to a keynote, sorry.

@rmondello great talk!

It leads to the obvious question how and when Apple is dropping the password and especially SMS 2FA for Apple Accounts. It seems to be a weak point when storing #Passkeys in the Apple Keychain. Unfortunately quite many processes are asking for a password still (without 2FA 😮) and using a Passkey for the Apple Account itself is missing.

I know you can’t comment, just to mention it… maybe it will increase some internal priority counters or something 🙃

@rmondello What’s your thoughts on sites that use passkeys + a second form of authentication? GitHub is one that comes to mind.

Doesn’t that defeat one of the benefits?

@rmondello
Ricky, that was an excellent talk. I'm glad I watched it.
I'm one of those people who still has serious reservations about adopting passkeys, and I was hoping you'd provide new information that changed my mind. My main reservation centers around the huge number of people who only have one device.
If their only device breaks, and
If they deleted the password authentication option,
Then they experience permanent account lockout.

I help people globally with tech support, including account recovery. I have a “no fix, no charge” guarantee. I’ve seen this problem first-hand. One device, broken or stolen, and accounts from
Microsoft,
Google,
Apple,
are gone forever.

You asked in your talk for collaboration and input, so here’s my recommendation: any adoption of passkeys, any implementation of passkeys, needs to include “error checking” that prevents a user from ever having only one way into an account.

@rmondello maybe it’s the nerd in me but I’m hesitant to use passkeys because they seem so opaque to me. Do you have any advice that might cause me to step of the ledge?

@rmondello Nice talk! Thanks for sharing.

Did you choose “Head over heels" as intro music yourself or was this chosen by the FIDO Alliance?

@rmondello Great talk, thanks 🙂

@rmondello <added to watchlist> 🎉

@rmondello It resonates with me what you said about actually allowing the user to drop the password. Some services allow that (PlayStation does it automatically), but at this stage most don’t yet. I’m happy that I can sign in to some accounts with a passkey, but the password is still there as a fallback, which I don’t need or want. This has further implications, in that I still need TOTP or SMS enabled to protect against password attacks, if a passkey isn’t asked for in that case.

@rmondello You're a really good public speaker, Ricky. You speak slowly, clearly, and communicate effectively. Great job!

I'm a web developer and I’d like to begin the investigation of supporting passkeys in our web apps. Do you have any good resources for what they might look like on the client & server?