There has to be some sort of cost benefits analysis for this as this will certainly piss a ton of people off especially the tech illiterate. Maybe passkeys are extremely simple but saved passwords being disallowed is a huge pain point.
The passwords have always been stored in your Microsoft account. Anyone who has their passwords there can just install Edge on their device and enable it as the autofill provider (no, that doesn’t require you to browse with Edge, just to log into it). This whole article is silly, as there is zero change to your ability to save passwords in your MS account or to autofill them on mobile.
More information: https://support.microsoft.com/en-us/account-billing/changes-...
I applaud Microsoft because a big player had to go all-in into passwordless authentication. I'm sure it won't be painless, but it might push others to adopt the approach eventually.
If you’re already saving passwords in an app, you’re being more secure than most users. A forced move to passkeys seems nuts when not all systems support them yet.
I’m also still concerned that passkeys seems more likely to fail the average user when they break or lose a device, compared to a decent password.
This (or by phone) is how I've transferred: all family accounts, all small community accounts, some business accounts, many friend-shared accounts, and it's also how some people ensure accounts can be accessed if they die. It's not a small problem.
That said, passwords are actually so bad that anything would be an improvement over them. While a stealable passkey vault sync'd to your malware-infested Windows laptop is not ideal for security, it's sure better than typing your bank password into your favorite forum because you don't understand that website administrators can see your password when you type it on their site. (Not to mention phishing.)
I don't think passkeys are going to replace passwords any time soon, and I don't think freeloaders are even part of the equation here. You can share a passkey through Bitwarden just as easily as you can share a password.
Freeloaders already need to jump through hoops to share passwords and even then they're getting off easy; if streaming companies actually cared about catching freeloaders, they could stop the practice all together. What they're doing now is just signalling them that you're not supposed to and adding very minor annoyances to the mix.
Btw. this type of electronic identity solution are not Norway specific, I know all the other Nordic countries have them, and they are, as far as I know fairly popular in the rest of Europe as well.
The next step in progress is to bake in functionality that can guarantee interested parties that it is you operating the terminal at all times.
Over twenty years ago, many of us warned about the dangers of increased and unaccountable intelligence service power. We saw what the Patriot Act would create.
We joined the EFF and the ACLU, or renewed our memberships. Organizations at the time that focused more on actual deep philosophical issues and how they relate to our political world.
Obviously the Patriot Act has saved lives. Terrorist events and neglected victims are tragic and VERY emotional.
But today, immigrants and others are spending their own lives protesting the actions of ICE. Their own very limited time on this planet.
I'm not here to judge Immigration and Customs Enforcement. I'll take flak for that among liberals. Again, I'm not judging ICE. In many cases they've been falsely accused where there was clear evidence they weren't at fault.
No, what bothers me is immigrants, who already have difficult lives, and Generation Z, who have less economic security themselves, are the ones marching in the streets.
Twenty years from now, who will be working extra unaccountable and unbillable hours protesting in the streets because the DRM and secure computing systems being pushed through today are abused?
Even if most of that abuse is a show, meant to divide citizens and law enforcement. There are people out there working for free for that show.
Who will work more in the future?
And like not judging ICE, I'm not judging the countries racing and battling to deploy secure computing environments. Knox and TrustZone and TPM and whatever new things await us in the future. There are reasons both for safety and economic security I dont judge.
And there are dark patterns around software supply chain weaknesses and online safety and incentives to accelerate those issues to push through security architectures.
Other countries are doing it. I hate the fucking game theory solutions that it encourages.
But what I'm worried is that in twenty years who will be working for free because our secure computing environments are found unfair?
And unfair can be many things. Governments push values, even when it's not explicit. When I'm using my integrated cyberdeck or implants or just ambient room device, what am I missing? What is being pushed into or out of my vision or awareness?
That's twenty years in the future, what's forty years in the future? I won't be here, but you bet your ass I'm worried. Because the people who I fucking care about now working their asses off for free are being blinded about the upcoming digital wreck, like they were in 2001.
* I believe myself here, that's key.
I'm typing this on my Firefox remote app. Everything is cached in it. It runs in a VM at home.
I suppose I am simulating having just one device.
Absolutely. The problem with narrowly targeted security measures is they are a poor fit for nearly everything.
I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.
This is literally the opposite of what Passkeys are.
Hm, so then i need one for my account and one for every device where i use this account
> and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them
i heard that the new "device's secure enclave" is the cloud.
No batery, no authentication.
Why do i need an additional device ? A device controlled by another vendor.
https://mobileidworld.com/apple-introduces-cross-platform-pa...
It's still 2 factors. Just with less hassle (and resulting in more security due to better UX).
Hopefully this will entice people to switch to 1Password, but I’m pessimistic — it will most likely just convince people not to use password managers at all.
> We have partnered with 1Password to bring users a seamless plugin passkey provider integration in Windows 11.
after other details at least it does go to:
> If you are a credential manager developer, we invite you to integrate with Windows 11 to support customers in their passkey journey. To find out more about implementation detail, go to https://aka.ms/3P-Plugin-API.
The full info:
https://blogs.windows.com/windows-insider/2025/06/27/announc...
No idea who thought of this bad idea. Now I gotta move them all to Apple passwords or something else.
I'm trialing Winauth for some remote-only users. So far I'm happy with having the authenticator on Windows desktop.
It's about where I draw the line though.
It's a massive hydra and it's most dependable output is onerous requirements. And the more of those we heap upon light duty users, the more reasonable it becomes to circumvent them.
In this scenario Winauth is how we placate the unreasonable overlord.
“Why GNU su does not support the `wheel‘ group
Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn’t know how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The “wheel group” feature would make this impossible, and thus cement the power of the rulers.
I’m on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.”
https://www.meisterplanet.com/journal/2004/05/09/richard-sta...
What is Microsoft gaining from their push to passkeys? They knew this was going to piss off a lot of people, but they went ahead with it anyway. That makes me believe there's something else at play.
My experience with passkeys has been worse that my Bitwarden password auto complete, so needless to stay I'm sticking with my regular passwords on my Bitwarden (I know Bitwarden has Passkeys support. I don't want to use it)
The one with far more data gathering capability and generally less robust ability for the end user to assert control over it, and which is generally tied to a service contract that in many countries requires identity verification.
I think centralizing control is absolutely the core play for them.
> Autofill via Authenticator ends in July 2025 You can export your saved info (passwords only) from Authenticator until Autofill ends. Access your passwords and addresses via Microsoft Edge at any time. To keep autofilling your info, turn on Edge or other provider. (Learn more)
not sure the full Android feature set, but MS is moving their iOS autofill provider to the Edge app, which doesn’t mean I have to use Edge to browse, just changes which app hosts the passwords. I can still fill them using the native mechanism for any password manager to provide passwords to any password field.
Microsoft is not forcing anybody to adopt passkeys as far as I can tell. Although overall people should because passwords are quite frankly a broken idea. Almost as broken as the idiotic janky “we just emailed/texted you a code” bullshit that most sites do now instead of TOTP.
The reason for missing information is that this is blogspam an older version of AI slop.
Wonderful. The Remote Code Executor now takes care of your pass.... too. What can go wrong ?
One thing browsers are recognized for, it is their security record. /s
And they don't expect me to have a different passkey per device, right? Otherwise I still need a password every time I login to a new device.
And so I'll still need a password/passkey manager that stores that.
Similar to a password there isn't a way to recover it if you forget it.
>And they don't expect me to have a different passkey per device, right?
You can have it show a QR code that you can scan with phone, using your phone as a passkey.
But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.
> You can have it show a QR code that you can scan with phone, using your phone as a passkey.
I can't keep my phone in my safe and still use my phone.
Okay, so don't put it in a safe. The key is stored securely in your phone.
No it's not, what if I drop my phone in the ocean. Sure in terms of encryption, secure storage and so on, it's securely stored. It's just no physically secured.
That's what concerns people. What happens if I lose my devices? What happens if I need to access an account which has been secured by a passkey, but I don't have any of my other devices, what do I do then?
If you lose access to your phone, click "forgot password" and recover your account through your email address, the same way you would if you'd forget the combination to your safe.
- I want to be able to share passwords for accounts with my family (some, but not all of them)
- I want to be able to load up my login information from whatever device I am currently working on; my phone, my home computer, my work computer, my wife's phone, etc
- I don't want to risk my phone breaking and losing access to all my accounts
Something like 1Password or Bitwarden fits all of that perfectly.
It's tied to vendor lock in. Which increases the ability of companies who develop certain technologies for the masses to increase the friction of interacting with things outside of the ecosystem. The argument is that if a user is unable to use an alternative, by hook or crook they will pay increasingly high subscriptions to access the services provided by that ecosystem. This increases a number on a spreadsheet, the only true compelling argument one could say
If you're referring to the inability to transfer passkeys across systems, that should be improving soon.
https://blog.1password.com/fido-alliance-import-export-passk...
https://arstechnica.com/security/2025/06/apple-previews-new-...
[0] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...
Then _soon_ I might reconsider using passkeys.
I'm not making changes to my security workflows now based on promises that the lock-in potential will be reduced as some unspecific point in the future.
https://learn.microsoft.com/en-us/windows/apps/develop/secur... https://blogs.windows.com/windows-insider/2025/06/27/announc...
But one of the selling point is that they are supposed to help bog standard users be more secure. How many bog standard users do you see using a good password manager, despite how long we've been suggesting that they do. If they aren't going to use one for passwords they aren't going to use one to smooth the edges of passkeys use.
> - I want to be able to share passwords for accounts with my family (some, but not all of them)
This, but for another reason. To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it. Yes, passkeys improve security in some contexts but also tighten the grip of service providers.
I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.
Since when "you are not supposed to do it" works? :) Most videogames cannot be freely copied or modified/tampered with, according to their ToS; still, companies implement draconian DRMs/anticheat to block people from doing it anyway. This is the same situation.
I mean, it was an example. Replace it with an amazon account and the argument remains the same.
Like the millions of "terms of use" breached by the exact trillion dollar companies pushing for passkeys (Google, Microsoft) while training their AI models? Sounds like terms of use are entirely irrelevant in the first place.
Then see what happens if meta downloads an entire library and trains their AI with it.
No you don't, you want to share access, and the only way you can do it with passwords is by sharing the password itself. With passkeys you can have each person register their own passkey.
Plus that doesn't really address allowing someone else in your family to log into your account "temporarily"; ie if you want them to check something for you.
The built in password manager in iOS/MacOS also supports synchronizing passkeys across devices (via iCloud), and again, i'm not sure if you can share those passkeys between uses, but same argument as for 1password.
I’m a 1Password user. There are times I want to login with one of my personal accounts on my work laptop, auxiliary device I have, or family member’s device. On all these occasions, I’m not going to install 1Password and sync down my entire vault, just to delete it 5 minutes later. I simply reveal the password in my app and type it in. With passkeys there is no way to do this. It’s an edge case, but an important one.
I’d feel much better about passkeys if it wasn’t some mysterious thing locked away in a vault. If it’s effectively a public/private key pair, I should be able to see the private in my password manager and copy/paste it wherever I want, and however I want. If I could do this I would instantly understand what’s going on and be more accepting of it, though I’d expect I’d still run into some edge cases.
After entering your username, you select an option to use your other device to sign in and scan a QR code with it.
You can stop supporting new ones, but as soon as you destroy old ones YOU are a vulnerability, Microsoft.
How can I ever trust you to not delete secrets in future?
https://support.microsoft.com/en-us/account-billing/changes-...
And my absolutely favorite thing was when it itself came in the way of seeing the 2FA code for a modal entry and you had the option on the screen to hide the modal for 10 seconds in order to remember the number underneath…
See screenshot here: https://ibb.co/5Wh05rsd
Just like the 5S / SE before it, corporations just sort of stopped testing that screen size, which leads to dumb UI gaffes like that.
Another classic is button or menu text getting truncated. Spotify had that problem on the SE too.
The outlook app on my phone (and I can't use any other method because it has been disabled), frequently looses authentication and I stop getting notifications about calendar events, emails ..., missed several meetings and important emails because of this.
When trying to login on my desktop/laptop I get told to confirm using either outlook, MS authentication app. Guess what often I have been locked out on those as well, so now I have to go through the dance of logging in using a sms code instead. It's sometimes even worse, even on mobile I get told to confirm from my authentication app/outlook, where I'm just trying to log in.
Authentication request often only come through to my phone on the 3rd of 4th try. So now logging in to check my email suddenly takes 2 min, because I'm trying to get the popup in the app, it doesn't appear, I need to cancel the request, restart ...
I do not want any kind of password that relies on my phone, because phones break and can get lost.
So basically this forces me to change from a password to a PIN and this is supposed to be more secure?
If you weren't synchronising your passwords through the Microsoft authenticator app, you won't be affected at all. If you were, Microsoft has decided to be annoying and make you install their browser to get password autofill support back.
Microsoft prefers synchronising passkeys between devices because passkeys are immune to credential stuffing attacks, but you don't have to do what Microsoft wants.
Yes. I used an alphanumeric pin: my password. The main malware entry point is the web browser.
Not sure what it has to do with Microsoft, however, but then again, I would never use Microsoft's Authenticator.
I’ll also add. I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it. For all the complexity that it takes to implement secure login with a username and password, most of it is hidden from the user, with passkeys it feels like they’re shoving all the complexity front and center, but not explaining any of it.
You don't understand KeePass, which is fine, but please don't make bad assumptions like these if you don't understand the underlying reasons for why a thing is the way it is.
It's like calling out why there are two dozen email clients that speak IMAP.
> You don't understand KeePass, which is fine
Haha this is so hilariously smug and condescending I have to wonder: are you the real-life Comic Book Guy?
The only difference between an imagined smooth solution is the sync mechanism and a unified client application ecosystem, neither of which is really possible without a large company behind it.
I said you don't understand how KeePass works because you refer to 3 applications for 3 different OSes (2 mobile) as if they were a confusing mix of different applications, when really they're just client implementations around a single, formalized spec. And most folks don't use both iOS and Android so really there's just your choice of KeePass desktop app and one for Android or iOS.
No one says the plethora of email client choices is confusing. This is exactly the same.
It doesn't support passkeys yet so I'm surprised you mention it because this is what I wait for a full cross-device (for me) support, to start using passkeys
I also don't have a good mental model of how passkeys work. I could get informed. But why should I bother? I'm a busy person. Passwords have worked for me for more than 25 years, and passkeys seem much more fussy and inconvenient (what if I'm traveling and connecting from a random computer in an hotel/airport? I imagine I'll be expected to do something with my phone, as modern cybersecurity seems to be based on trusting everything to the phone -if it gets stolen, bad luck- but what if I have no battery?). I guess I'll have to find out if they force them on us, but if I (a CS PhD and professor) have to actively find out in order to use them, it's going to be chaos with regular users.
It’s just really hard to wrap around your head that this is the actual implementation with so many drawbacks given most people have 2+ devices, and different OSes to provide it.
I won’t use them.. although I’d have loved to use them.
When they worm they work, but I can’t trust them completely, so what’s the point? There’s no difference with a password, except that the sign-in process can be streamlined when everything works
There is one other major difference behind the scenes: With passkeys, the service you’re logging into never has enough information to authenticate as you, so leaks of the server-side credential info are almost (hopefully completely) useless to an attacker.
They are woefully designed and implemented, wish we just cut our losses with them and stopped pushing them.
Tuck them away in settings, not on the default login path.
The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.
I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.
This are the kind of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.
What I liked the most was username+password and a Yubikey for OTP. And for what can't or no longer wants to deal with Yubikey, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.
No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.
You can use hardware bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.
There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.
And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.
I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.
I thought Webauthn is a U2F continuation that uses them for both 2FA and login... and the login thing is called "passkey". It is not?
(I implemented U2F 2FA before and still cannot figure this out.)
Just to say that we should be careful with our generalisations (I know you didn't start this one).
[1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...
[2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...
For example, nearly every visit to my Amazon orders page I am now greeted with a nearly full screen modal browser popup letting me know about passkeys and why I should switch to them RIGHT NOW. I politely declined - the first thousand times. I don't know if this is a site or browser issue and frankly I don't care anymore. It's spam at this point and I want nothing to do with it.
My hesitancy was rooted in concerns about potential issues pretty much what you just described so glad to know I was right.
Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.
No thanks - I'll stick with passwords. Did everyone forget about hardware tokens which are device and OS-independent and rely on no external infrastructre?
Unlike passwords, you can have multiple passkeys per account. You can have 5 passkeys for your amazon account if you use your amazon account on 5 different devices. If you lose device 4, or if it gets stolen, you can just delete passkey 4. The other ones are safe.
Or, you can use a syncing service like a password manager. Both solutions work!
I have Bitwarden for personal and now 1Password for work, so might hit the issue at some point.
Since I use a Mac, I will refer to my MacOS experience: Keychain and now Passwords will sync passkeys via iCloud to any other device. The end result is that you only have one passkey. Pretty seamless experience.
Trust issues aside, is there a way to get those passkeys out of there?
Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?
Other tools do, though, like KeepassXC or any other password manager really.
Can I still have a seamless experience with passkeys, or have they made that difficult? Do I need to remember to reject the dialog offering to save keys on Keychain and learn to use a 3rd party passkey service?
What am I supposed to about all the passkeys that will be needed at my multiple jobs, which I access from my own Macbook and phone? Can I use a single service, ideally open source, or do I need to use several "passkey sharing & backup managers", one for each entity and one more for my personal keys?
So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.
The only way pass keys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.
Worth my point for this emphasis.
Can concur.
This is what I've figured as well, and even if my password manager claims "eventually we'll support it, once it's available" (https://blog.1password.com/fido-alliance-import-export-passk...), I've been putting it off until the implementation is actually in place.
But the question is when that'll be. Last I've heard about the whole "Risk of lock-in from export blocking" is:
> The general vibe is supportive and language has been added to this effect, though it looks like we haven't done a public working draft in some time so I don't think that's externally visible yet. Also usual caveats about in-progress work subject to change.
https://github.com/fido-alliance/credential-exchange-feedbac...
I guess time will tell. But for now, considering the history of lock-in on the web, it's best to stay away from Passkeys for now, until they figure out a proper way of avoiding it.
The real test will be, how easy is it to move passkeys from say 1Password to Keepass XC (open source). It’s on my todo list.
For now, 1P’s passkey support appears to work quite well with all the sites I’ve tried. I’ve got multiple devices (Linuxes, macOS, Windows) and passkeys just work. I like the fact that 1P is cross platform, but after all it too is proprietary.
AFAIK, there is no export from 1Password with Passkeys yet, so maybe better to put it in your calendar to check back in 6 months or so.
> passkeys just work
Yeah, I'm not doubting that, but I cannot reasonable base my core authentication on something that locks me to one service, that just feels to irresponsible. Hence the wait for proper import/export before spending any time on this :)
The rest of the platforms give you zero ability to export or back up your passkeys, which makes them worse than useless.
Have they shared any details about if this is actually cross-provider/platform import/export? I feel like if Apple doesn't outright share those details, they're talking about import/export within the Apple ecosystem.
> Q: Are stored passkeys included in Bitwarden imports and exports?
> A: Passkeys are included in .json exports from Bitwarden. The ability to transfer your passkeys to or from another passkey provider is planned for a future release.
https://bitwarden.com/help/storing-passkeys/#passkey-managem...
But I'm not sure I understand the last part, how is the "ability to transfer your passkeys to another passkey provider" planned for a future Bitwarden release, if the Passkeys are already included in the export data? Wouldn't that be up to other Passkey providers to implement the import? Or is the export data not complete enough for an import?
I mean, that's what Microsoft is doing here, no? They're changing their password manager to only accept passkeys, not passwords and to block off autofill functions. Granted, right now they're the only vendor to do this, but that's a pretty risky precedent to create.
Passkey is convenient for log in (and also - quick) but worst case scenario I still have passwords. I wouldn’t trade in passwords completely but I prefer passkeys to OTPs.
I know passkey vendors will say they’re working to make interoperability easier in 2025, and that’s true. Equally the number of users who’ll take advantage of this interop will be a rounding error. The net effect will be even more platform entrenchment.
In practice, unfortunately the UX gains are not realized because interoperability is unsolved, because vendors have little motivation to solve it and eliminate the lock in.
Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right? Idk, I had the same experience with BitWarden). The keys should be device specific right? That's the 2fa replacing magic.
I too, have no idea. And I too am a bit disappointed it is so difficult to understand what happens. I do believe I can just export the keys and import somewhere else (i.e. Proton <-> BitWarden), which would suggest one passkey per account... Hmmm... Also, I believe it's just Google and Apple that try to make this a walled garden, it wasn't designed to be like that.
No, they can be synched. There are different types of passkeys, synched and device-bound (for YubiKeys, etc.)
Hope this clears up the confusion (haha).
I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.
> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.
It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.
I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.
Ah well, glad times change.
But that’s only inconvenient when you want access back. Most B2C don’t care about you enough to offer those processes.
In an alternative universe, the web standardized something like "tripcodes but cryptographically secure" which would keep any secrets out from servers, and we'd just be dealing with signed data.
One could always dream :)
> When I click “add key,” three different bits of software compete for my attention.
> First up is the password manager, offering to store a passkey. (This is the first time passkeys have shown up in this process – you can begin to see how a casual user might be getting confused.) I don’t want the password manager to be involved in this case, so I dismiss the window.
> Next up, a window appears from macOS asking me if I would like to use TouchID to “sign in” (to what? – I am already signed in to the website) and to save a passkey. Again, note the different terminology. When I dismiss that window, it is time for the browser to have a go, offering me four ways to save a passkey, including finally the option to store it on the hardware token. I insert the USB key and proceed.
> I think we can all agree that this is a confusing experience, with three different systems fighting to be the One True Place To Store Passkeys, along with the inconsistency of terminology (passkeys or security keys) and use cases (password replacement or strong second factor?)
> It’s like every piece of software wants to “help” but there is noone looking at the system-level behavior where these different bits of software interact with each other and the end user. I’ve encouraged my wife (a social scientist not a computer scientist) to adopt a password manager and 2FA, and she’s very willing to follow my lead, but the confusion of terminology and bewildering arrays of options frequently (and understandably) leads to complete frustration on her part.
While I understand they want to transparently replace passwords with passkeys for websites that support it, what happens with passwords for websites that don't support passkeys?
Also, if someone sleeps over this, they will just lose their passwords to random websites and have to go through account recovery flows?
The app has been warning about this for a while now. This might catch someone out of guard if they only use the app once a year for something bureaucratic, but I doubt a credential like that will be stored in Microsoft's authenticator app.
I had this warning show up in the iOS Authenticator app like last week or something and it guides you through changing your iOS settings to instead use Edge as a password manager. As Edge is my browser of choice on my Windows PC and I already had it installed on iOS, this was a very minor inconvenience for me.
It's worth mentioning that even though I almost exclusively use Safari as a web browser on my iOS device, when filling in passwords on websites it seamlessly allows you to use any iOS configured password manager including Edge.
It's definitely a little weird that you now require Edge to also be installed for essentially the same functionally and Microsoft might be doing it to try push people to install Edge.
I'm glad I don't use Microsoft crap but use everything self hosted so I can decide for myself what I want.
That description makes little sense, and at least they could honor my paid business subscription (and back it up to there if they don’t trust iCloud).
You can just install Edge. From what I can tell, you don't even need to browse using Edge to use passwords.
If you don't use Microsoft Authenticator, nothing changes. If you do, probably because IT makes you, you've already seen the warnings about this.
Also, Apple requires at least one AppleID password, that I need to keep entering at random intervals - usually when I update any device, but sometimes randomly when I buy stuff on App Store.
Also I still need a Mac user password, which is a different password, of course.
Why “of course”? No one is stopping you from using the same password there. Also, you can optionally turn on the option to be able to reset your Mac’s password with your Apple Account password.
(There is also an Apple Recovery password, but that's for encrypted recovery, a different thing, but that is very hidden and experimental.)
Now with passkeys, it seems we are just throwing all those arguments overboard and are saying 1 factor (something you have, e.g. hardware device) is enough. I've not read anywhere a good argument why.
Sometimes people have been arguing that the passkey should still be locked into e.g. another password manager with password, but that doesn't seem to be the case with most implementations, am I missing something?
Definitely stick to keeping passwords and passkeys in a password manager for portability. KeepassXC and Bitwarden (which can be self-hosted) work best for this in my opinion.
But other than that I agree. Especially now that these synchronise with iCloud, BitWarden, etc seems a no brainer you can just steal these and access everyone’s accounts in many cases with no extra 2nd factor.
This confuses me too.
That greatly reduces your risk if/when credentials gets leaked from the site in question. Public keys are meant to be public, and worthless by themselves.
As for your private key, that usually ends up in a secure enclave or similar HSM, which in turn is protected by a pin code and face or fingerprints.
The private key then becomes "something you know", and your biometrics are "something you have".
And yes, nitpicking :)
That said, I don’t like them. I don’t really understand what happens when I run into edge cases, and that makes me nervous. That’s also true for 2FA in many cases.
So far my only passkey is for Amazon, I felt tricked into it, which I’m not happy about, though my password also still works. I’m opposed to this about as much as forced 2FA. I understand the security aspect, it Gmail randomly started to use their mobile app for 2FA, and now I’m afraid if I delete the app from my phone I’ll be locked out of my account, with the potential for excessive hoop jumping to get it back.
I read an article a while ago with the ultimately conclusion that passkeys don’t offer a major benefit to people who already use long, complex, unique passwords in a password manager. If this is the case, it seems this whole push is designed for people with terrible password habits, who definitely don’t understand what’s going on with passkeys, and I expect will find out once they hit an edge case and end up in a bad spot.
That was my initial reaction too. I think the assumption is that the second factor is what-ever you use to unlock your device (a “something you know” if that is a password/pasphrase or “something you are” if that is biometrics).
I'm not convinced any of it is as more secure than user+pass as is being claimed. passkeys being device/AU dependent adds a bit of hardship to someone trying to hack your account, but people seem to be suggesting sharing passkeys between devices/AUs using their pasword managers which nullifies that effect?
...But this article headline is insanely misleading by not mentioning it's being migrated to Edge. To the point where I'd call it a smear crafted for maximum clickbait shock value. Nothing is being wiped, it's just being moved to a different app. Sure, there's good reasons to not like that app (it's the Internet Explorer sequel after all), but the story here is not as extreme as implied.
Username/password is much easier to grok (for developers and users) and while it absolutely has downsides, as a user, I can fully protect myself with username/password (unique password per site).
Passkeys might allow for fewer _user_ footguns but I worry there more _developer_ footguns. Also as a “power user”, I don’t want to deal with passkeys when I’m trying to automate something or scape my own data out of a website. It’s just another complication and I worry that anything edge-case-y (even approved methods) will break or have complications if you use passkeys (think app-specific-passwords when 2FA rolled out for gmail access).
Because of this I consistently decline passkey usage until such a time that I feel it’s better understood by the people implementing it.
All the Microsoft accounts in my Microsoft Authenticator broke when I restored onto the new iPhone. Absolute nightmare. None of the non-Microsoft accounts stored in the same Authenticator app broke.
No, Microsoft, I don't trust you to manage passkeys for me.
simonw•8h ago
There is an app in the iPhone App Store called "Microsoft Authenticator" - is that what this story is about or is there a Windows feature with a confusingly identical name?
munchler•7h ago
abawany•5h ago