Post

@rmondello I think the whole topic of (most) password managers locking the passkeys inside them with no export/import or other way to access them is on many peoples minds (mine included).

(e.g.: How do I create an offline backup? How do I sync them between devices, if I don‘t want to sign up for any cloud service, but also can‘t put them on a USB stick?)

@rmondello when are passkeys going to be PQC ready and how will this work? Will this involve reenrolment at some point in the future for existing passkeys?
I'm not worried, I know we have plenty of time and I have my own ideasiintuition (but I'd love them confirmed or contradicted by someone who actually knows 😊)

@rmondello passkeys and 2FA. do we need an otp token if our device already ask for biometric/password?

@rmondello what is the best way for families to use passkeys for shared accounts? How can "legacy" accounts with passkeys be accessed after the primary user dies?

@rmondello What happens if my iCloud gets full? What happens if Apple blocks access to my account for whatever reason?

@rmondello how secure are they really, and are they worth their inconvenience and ickiness?

@rmondello how can they be exported/backupped in a secure way across devices?

@rmondello my parents are starting to get old and they want to make sure their children and/or people they've granted power of attorney to can access their online accounts in case they're incapacitated or infirm. How can we do this with passkeys?

@rmondello why are all the big companies asking us over and over to create passkeys and they won't take no for an answer?

@rmondello

talk about passkeys on a USB security key (which makes me feel like I am in control) vs passkeys opaquely saved to local disk (which I feel like I dont control). Or even worse, saved somewhere hidden on the cloud

@rmondello The most important thing that's missing from all passkey stuff I've ever seen is a 5 minute introduction that can be understood by non-technical people; probably using concrete examples and a demo. (Even if the presentations are for technical people, this would help understand them passkeys.)

@rmondello Are there best practices for websites/apps implementing passkeys? One of the things I find frustrating is that lots of sites have different processes for logging in (do you put your email address innfirst? Click a button? Enter your password?!)

@rmondello are, and if so how, are they different than Fido2 or webauthn and all that? They seem all similar but idk if it’s actually the same or not

@rmondello How can I store my Apple account passkey in my third party password manager?

@rmondello When exporting data to another app in Passwords, when will we be able to filter just passkeys?

This is one of the things that I think is slowing adoption, (other than people not knowing what the hell a passkey is) the feeling of lock in and everything being a bit of a faff.

Websites not allowing you to delete your password when you add a passkey is not helping the image of passkeys being a secure replacement for passwords and otp.

@rmondello 3) and finally, people have wrong concepts all over the place: I have made the experience that average people often …
a) either believe they know passkeys and are heavy users of them - while in fact they’re not and are just confusing passkeys with typical biometric auth on their devices.
b) or they say they have no idea what passkeys are (and don’t use them) and then you find out they already have 7 passkeys in their Passwords app ;-)

@rmondello besides that, since I am preparing a passkeys rollout project in a large company and have talked to many people about passkeys over the years and explained their advantages, I have noticed a few things:
1) it is incredibly hard to explain passkeys to average, non-technical people.
2) only explaining why they are better, is not enough: without actually understanding how things work, people get lost, the first time they leave the “happy path”…

@rmondello What is the roadmap/ plans to meet the demands of more “high assurance” scenarios (e.g. regulated industries like banks)?

I mean things like device-specific, supplemental passkeys (to mark trusted user devices) or support for secure payment confirmation (authenticator/browser displays WYSIWYS transaction data).

Imo, these are (besides user confusion, what passkeys are) some of the topics that are preventing a quicker adoption in regulated industries like banks…

@rmondello some web sites refuse to allow me to create a passkey with Firefox running on my Linux laptop. Is this actually a good security practice for them?

@rmondello I still regularly run into sites that don’t correctly recognize I already have a passkey saved. It usually takes a couple of tries.
Maybe talk about common pitfalls or what techniques I can use as an end user to figure out what’s going on.

@rmondello

How do you recommend sharing passkeys with family members?

@rmondello How do we get people to understand the difference between biometrically controlled passkeys vs persona-style biometric info harvesting?

@rmondello Is the ultimate plan to force passkeys on everyone? If not, how can I stop the passkey nagging that I didn't consent to?

@rmondello How to make it stop! I don’t mean this sarcastically or facetiously. I am happy using a password manager for now, and visiting Apple or Amazon or Microsoft requires hitting a ‘cancel’ or ‘no’ or ‘decline’ button 2, 3, or even 5 times. On *every single login*.

Perhaps more important, I have a Dad in his 80s and in-laws who are the same, and having *carefully* moved them from post-its to password manager over the last several years, it is terrifying for them to be harassed about passkeys with no way to shut it off.

They’re trying to do the right thing, but the implementation is so poorly done that it’s really stressing them out.

@rmondello When I lose my passkey, what happens? Show me real-world recovery paths for known big companies.

Where are they stored and how can I manage them?

@rmondello I would love this: "How to turn a Pimoroni Tiny2350 into a Passkey using all Open Source software and firmware".

@rmondello How can I migrate to a new platform without logging into every single site with my old system to setup passkeys with the new system?

Authy? 1Password? Ok… now what if I want to migrate to a new password manager?

@rmondello How do they handle the edges cases when everything isn’t perfect.

Say I’m on vacation, I break my phone and buy a new one. I need to login to get my data so I can get my plane tickets to go home. If my login is a passkey, then what?

I’m at a family member’s home using their copy of TurboTax and need to login to my bank on their computer to download my records, but I have a PassKey, then what?

If the answer is fall back to password auth, then what is the point of the Passkey?

Why is there such a huge variation in implementations? On macOS Safari, some websites just login with a single click, others make me authenticate with my Apple Watch, and yes others make me enter my mac user password. Also annoying is websites that prompt for a passkey when I’m not using one. It’s all more frustrating than convenient, in my opinion.

@rmondello how can we force companies to stop using them in addition to passwords during the login flow.

I have a passkey. I don’t want to use the password!

😒

@rmondello I realize this question likely isn’t one for a talk, but mine is: why the passkey for my Apple Account can’t be saved in Passwords or a third party app like 1Password?

That’s the one passkey I “have” that doesn’t live up to portability.

@rmondello why wont they stop berating me asking me to use pass keys.

@rmondello What can developers do to support the adoption of passkeys for most people and most use cases? App developers, web developers, infra and DevOps, but also at a higher and wider level like tech orgs, in slow-moving government orgs etc.

@rmondello can I use passkeys to authenticate in command line tools? Can a command line tool request a passkey from the user?

@rmondello how can a tech-savvy user use them without being locked into a single browser?

@rmondello does "passkey" refer to HSMs like Yubikey? Are they still a good brand? I got into HSMs years ago and then dropped out. I know I'm supposed to keep at least two in case i lose one

@rmondello

How do the kind of regular people that constantly lose/abuse their stuff seanlessly maintain access to their accounts, even when their laptop, keys, and cellphone are lost, broken, stolen, uncharged, etc.?

What about personal catastrophies like house fires and flooding?

@rmondello passkeys for AppleIDs — handling multiple IDs for things like personal, developer, client. Etc

@rmondello I don’t think one specific thing needs addressing but looking at the other replies, there is a vibe that needs to be contended with: in my experience most people’s impression of passkeys is “this is a trick that my phone and website vendors are trying to do to me, which will eventually lock me out when I lose my device”. address that central anxiety in as many different ways as you can

@rmondello I’m excited about passkeys, but I often see poor implementations deter users from using them. What’s being done to help companies implement passkeys “the right way”?

@rmondello What makes passkeys "better", and also, "better for whom"?

@rmondello what’s the best way to get buy-in from the average consumer/non-tech person?

How do we move forward as an industry to using passkeys as the single source of authentication and deleting passwords entirely from user accounts?