I am going to be giving some public talks about passkeys in the next few months. What questions do you have about passkeys and what topics do you want covered in me exploring passkeys?
Post
Replies:
0
@rmondello how can we force companies to stop using them in addition to passwords during the login flow.
I have a passkey. I don’t want to use the password!
😒
@rmondello I realize this question likely isn’t one for a talk, but mine is: why the passkey for my Apple Account can’t be saved in Passwords or a third party app like 1Password?
That’s the one passkey I “have” that doesn’t live up to portability.
@rmondello why wont they stop berating me asking me to use pass keys.
@rmondello What can developers do to support the adoption of passkeys for most people and most use cases? App developers, web developers, infra and DevOps, but also at a higher and wider level like tech orgs, in slow-moving government orgs etc.
@rmondello can I use passkeys to authenticate in command line tools? Can a command line tool request a passkey from the user?
@rmondello how can a tech-savvy user use them without being locked into a single browser?
@rmondello does "passkey" refer to HSMs like Yubikey? Are they still a good brand? I got into HSMs years ago and then dropped out. I know I'm supposed to keep at least two in case i lose one
How do the kind of regular people that constantly lose/abuse their stuff seanlessly maintain access to their accounts, even when their laptop, keys, and cellphone are lost, broken, stolen, uncharged, etc.?
What about personal catastrophies like house fires and flooding?
@rmondello passkeys for AppleIDs — handling multiple IDs for things like personal, developer, client. Etc
@rmondello I don’t think one specific thing needs addressing but looking at the other replies, there is a vibe that needs to be contended with: in my experience most people’s impression of passkeys is “this is a trick that my phone and website vendors are trying to do to me, which will eventually lock me out when I lose my device”. address that central anxiety in as many different ways as you can
@rmondello I’m excited about passkeys, but I often see poor implementations deter users from using them. What’s being done to help companies implement passkeys “the right way”?
@rmondello What makes passkeys "better", and also, "better for whom"?
@rmondello what’s the best way to get buy-in from the average consumer/non-tech person?
How do we move forward as an industry to using passkeys as the single source of authentication and deleting passwords entirely from user accounts?
@rmondello The #1 thing preventing me from embracing passkeys today is my (possibly unfounded) fear about the backup situation. Currently I back up my Bitwarden database periodically to an encrypted drive that I keep in a safe. Is there an equivalent for passkeys? If not, what's the best practice on that for someone paranoid of somehow accidentally losing everything? (I'm sure you've answered this before somewhere, so sorry if so!)
@rmondello explain in simple terms how using a passkey delivers greater value to me, the user.
@rmondello if I'm already using a password manager, passkeys are basically an equivalent user experience. Are there reasons to use them anyway?
@rmondello
If you can access an account without a passkey using alternative methods is it not a bit moot as a security layer.
@rmondello if any are developer focused, definitely some kind of best practices guide for making using passkeys to login easier for users.
It’s so confusing to trigger the passkey prompt as a user, and I end up using passkeys less than half the time I could because the site doesn’t make the passkey flow easy to find - the fact that it’s separate at all is part of the frustration.
@rmondello what's a generally-accessible, single-sentence definition of what a passkey is?
(not explaining to the user why it's better, but explaining what it is, so they have a mental model)
@rmondello sometimes my fingers get too dry and TouchID stops recognising me which makes passkeys less joyful.
So my question is can you recommend a good hand cream or moisturiser?
@rmondello For me, the very basic. How is it secured? Is it standard? What are the implementations in free software? Why should I use them instead of TOTP?
how ready are passkeys for post quantum? I know in general asymmetrical crypto is said to be endangered, is it possible to "just" upgrade to post quantum or hybrid algorithms within the current implementations/protocol, or would a larger change be necessary? Or are they "safe" already?
I've seen people go back to passwords that are like 128 chars long since those seem to be safe from quantum, since they aren't used asymmetrically/with a "public key"
@rmondello making passkey UX user friendly. Most of the integrations with webauthn I know of make it hard to tell a) what is (not) happening when things go wrong and b) where the passkey went and sometimes even c) why there is a passkey if the user already had another auth method
@rmondello exports and more in the form: how to keep them alive and accessible when I lose my credentials (eg iCloud access), thus the option to export to another tool is important, but maybe a paper edition as a backup too?
@rmondello How do non-techies know to, and create, backups?
