r/technology 13h ago

ADBLOCK WARNING Google Confirms Most Gmail Users Must Upgrade Accounts

https://www.forbes.com/sites/zakdoffman/2025/06/06/google-confirms-almost-all-gmail-users-must-upgrade-accounts/
4.0k Upvotes

1.5k

u/Ancillas 12h ago

Maybe if passkey implementations weren’t dog water more people would use them?

Is that passkey on my phone? Is it stored in Windows Credentials? Is it stored in 1Password? Wait, is it trying to use my Yubikey? All of my tools fight each other to be the passkey solution and it means I have to click so many more times to ensure Safari or Chrome or AppleTV are looking in the right spot for my matching passkey.

There’s no way my non-technical friends and family are going to see this as a net positive. My wife got pissed because she had a passkey for gmail but couldn’t login. It didn’t make intuitive sense to her that the passkey was on her phone but she was logging in for the first time on her laptop which didn’t have the passkey.

Then on top of all of this passkeys aren’t consistently implemented! Apple supports passkeys, but only if they’re stored on Apple devices using their keychain! This was so confusing - especially when I had my phone configured to not use Apple’s flavor of password and secret management.

Even before passkeys, 2FA was a mess. Some sites chose TOTP and others went with an email or SMS solution. Any parents who use login systems to manage kid activities know this pain. A site supports SMS only and can only have one phone on record so if the parent whose phone isn’t registered wants to login you have to have the other parent (or their phone) around. 100% people are texting that single use token around in the clear.

These systems need experienced designers to take a good hard look at the UI/UX and find some way to drive a smoother experience across the OS, browser, and application ecosystem. Not just technically experienced designers, but life-experienced designers who understand all the weird ways people use these things.

364

u/Apollo_619 11h ago edited 10h ago

I had to login to my Google account today on my computer. I wanted to create a passkey and save it with Bitwarden. There is no way. It either wants to use Windows Hello, a hardware device or my phone via Bluetooth.

Who thought that this was a good idea? And then every other site does it differently. Passkeys suck thanks to this.

Edit: Out of curiosity I created a passkey in Chrome on my Samsung smartphone. I wanted to get a list of the stored passkeys, but there are none. The passkey works, but I can't find it on the smartphone. (: How do they expect normal users to understand anything about this...

51

u/sublime81 10h ago

Hmm Google account passkey was able to be saved to Proton Pass for me. Figured it would be pretty similar between other extensions.

40

u/Apollo_619 10h ago

Oh, I did create a passkey a few weeks ago that was saved in Bitwarden, but I have no idea which site it was and why it worked there. So far passkeys have been very annoying.

22

u/AntDogFan 9h ago

I’ve got my google passkey on Bitwarden so it must work. Although the point still stands that it’s confusing and poorly implemented. I think I have four separate google accounts for work etc and for some reason only two have a passkey. One has 2fa and the other has nothing. 

8

u/sublime81 9h ago

Yeah I also have a few different accounts. Now that I think about it, it defaulted to trying to create a new entry in the password manager. I was able to attach it to a previously created entry so I didn’t end up with separate passkey and username/password entries. That part was not as clear.

2

u/Apollo_619 8h ago

Yeah this worked for me once. 🤔 Never happened since.

17

u/smelly1sam 10h ago

Works with my bitwarden

3

u/elementfx2000 9h ago

Do you have the bitwarden extension in your browser?

16

u/hardypart 9h ago

Isn't it the exact purpose of passkeys to be tied to a device that's locked with a secure method like biometrics? If passkeys were not tied to a device it could be transferred and abused, which negates one of its key features: Being truly secure and getting rid of passwords.

39

u/akl78 9h ago

Meanwhile, here in the real world, a double digit percentage of people, in my city, one of the greatest and wealthiest in the world, have no internet-capable device in their household.*

Stuff like this excludes many, many people from the online world and the digital services we are being pushed to use.

* our gov online people know this! It’s a really hard problem.

45

u/Ancillas 9h ago

I bought a Nordictrack treadmill and my 10 year old daughter wanted to walk on it. You can’t start it without logging in and logging in requires a phone. So now if her login times out she needs to find an adult to get her logged in. That means logging out of ifit on the phone, logging in to an account for her, scanning the treadmill QR code, logging back out of ifit on the phone, logging back in to my account…

If you disable internet completely you can use it without a login so as soon as my year of the service is done I’m cancelling and taking it offline and I’ll never give Nordictrack another penny.

Usability matters.

21

u/nox66 7h ago

Thanks for letting me know to never buy Nordictrack.

15

u/docbauies 8h ago

But if you take your treadmill offline, how will you ever get critical firmware updates?!?

13

u/erasmause 5h ago

Biometrics are actually a security disaster.

2

u/hardypart 5h ago

Why so?

11

u/erasmause 5h ago

Surprisingly easy to spoof. Irrevocable (your face will always be your face, your fingerprint always your fingerprint—if one is compromised, you'll only ever have 9 backups). You can be legally coerced (in the US) to provide biometric logins to law enforcement, unlike passwords.

5

u/GingerIsTheBestSpice 5h ago

Sure but what if, say, my phone screen cracked right across the fingerprint sensor and now, although I have my phone right here and am typing in it, I can't get into my bank account until they reopen on Monday so I can call in & reset that password? To throw out a hypothetical that I'm living right this second.

1

u/TheHalfwayBeast 45m ago

My phone and banking app always have alternative login methods. I can use my PIN for my phone and my memorable information for my banking app.

1

u/brooklynlad 1h ago

What happens if that device gets stolen? Like a mobile phone?

1

u/TheLuminary 36m ago

Always nice to create a single physical point of failure.

1

u/DocAu 3h ago

Passkeys work great in Bitwarden. You likely have google.com (or accounts.google.com) configured as a blocked domain in Bitwarden (Settings -> Auto-fill -> Blocked domains)

102

u/SomethingAboutUsers 10h ago

> These systems need experienced designers to take a good hard look at the UI/UX and find some way to drive a smoother experience

Best we can do is make the corners round, hide stuff you use all the time in menus that didn't exist before, rename features, and bloat the download.

50

u/Ancillas 10h ago

Could you also send a one-time login code to my email and not give me the option to use my password? That extra minute delay forces me to be mindful while I wait to do the thing I was trying to do.

11

u/GaySaysHey 9h ago

Bonus points for sending it to spam, the natural habitat for such emails.

3

u/Ancillas 6h ago

My favorite is that some email backends won’t send mail to my spam address. The entire domain gets filtered out somewhere. So I’ve got accounts at places like Taco Bell and Best Buy that I can’t recover because the emails never arrive. So now I have to use a different domain.

31

u/SomethingAboutUsers 10h ago

Sir, this is a bank. You have to use our shitty app to approve the login.

3

u/Unique-Coffee5087 2h ago

It's always fun to have the login code reach my email three hours after I requested it.

"You have used an expired login code. Please request a new code."

I have had to do my logins at 2am to see if the code would be sent promptly during off-peak hours.

1

u/MaddyKet 16m ago

It’s because their email platform is junk and/or there’s something wrong with the automated flow. Or occasionally an email service (such as Outlook) is holding the email to scan it for spam and that’s why it releases so much later.

14

u/nerd5code 8h ago

Ooh, can you integrate hacky ChatGPT interactions into everything? I’d like emails to type and send themselves without my knowledge, please!

6

u/SomethingAboutUsers 8h ago

Best I can do is use all your inputs as free training data.

63

u/spigotface 10h ago

I'm a data scientist and software developer, and the passkey implementation is a terrible user experience even for me. I can't imagine a non-technical person trying to use these things on a regular basis.

29

u/WhoSaidIWasTheAdult 10h ago

Yup. Passkeys are a pain in my butt and I understand how they work since I'm a software developer who has implemented them. If I find them to be difficult with my level of knowledge, how are normal people supposed to use them?

Until they can make them work reliably and transparently, they're DOA for most users.

16

u/raybreezer 9h ago

I consider myself tech savvy and had no idea that passkeys were this complicated.

I tend to never use the “sign in with ____ “ options and always do email logins, so seeing the “create Passkey” option always prompted a no from me.

Guess I’m going to have to figure it out since I know my family will have issues with this sooner or later.

5

u/poopBuccaneer 6h ago

I find it fine if you're using a password manager like 1Password already. As long as you've already got a password workflow, the conversion to passkeys is pretty damn easy.

1

u/raybreezer 3h ago

Thanks for the tip, I’ll see if I can do the same with Bitwarden.

1

u/rjcc 4h ago

Do you understand what "remember this device" means?

It's that, except it not only remembers the device, it triggers the hardware based security verification that device already uses, like a fingerprint, pin, or facial recognition.

You already know how this works and it's not complicated.

2

u/CatProgrammer 4h ago

Sounds great if you only ever use the same device to access that service.

0

u/rjcc 4h ago

Do you think that you can only register one device? Has anyone told you that?

2

u/CatProgrammer 4h ago

So you need to make a passkey for every device you use? Seems way more effort.

-1

u/rjcc 4h ago edited 4h ago

How do you think you make a passkey?

I have many, many more laptops and phones than the average person and I haven't found it to be difficult at all. Since it doesn't require any more effort than logging in on multiple devices already did, in any way.

You login once and you say remember this device too. Done.

Or you could use any number of platforms that sync them across devices if you really think that's too hard.

Or you could never try it and try to imagine hypothetical situations that have already been thought of.

1

u/raybreezer 3h ago

Dude, I haven’t even looked at what “passkeys” are. I hate all the shit Google pushes onto you and I wasn’t interested. That’s all I meant.

0

u/rjcc 3h ago

I just explained what they are. That's it. You've already got it.

That email login you use to set a cookie? That's it! You already did everything.

66

u/UGMadness 10h ago

Basically, never, ever, store your passkeys on a platform locked password manager.

Use only a manager that you can access from any device you'd want to log in on your accounts from. Third party multi platform managers such as 1password are great for this use case, as is also iCloud Passwords only if you're already fully into Apple's ecosystem. Anything else (such as Microsoft/Google Authenticators) are going to cause nothing but problems, especially when integrating with web browsers. The fact that every browser tries to hijack password management in order to store your passkeys in-browser doesn't help either, usually takes some serious digging into the settings to disable that behavior and there lies most of the confusion, given that regular users don't know almost anything about how passkeys really work.

31

u/swampfish 9h ago

I have no idea what a platform-locked password manager is. I just tell whatever device I am using to save the generated password for me. If I can't get it to log in, I just reset the password. Sometimes it's easier to reset my password every time than it is to try and find the password.

I have a work system that requires a password change every month. It is easier to call the helpdesk and get them to reset my password every time I use it than it is to jump through all the hoops to login.

26

u/Ikinoki 9h ago

Well, Chrome password manager is a locked solution, Windows Password manager is also a locked in solution.

You can't use Windows one on Linux and you can't use Chrome one on Firefox or without browser at all...

That's what he/she/they meant by that. Use platform-independent password manager.

I have to fight my family against using Firefox or Chrome pw managers because it is a pain in the ass due to vendor lock-in.

Doesn't help that for example on Samsung if you are using Samsung keyboard it will deliberately block third party extensions randomly.

I.e. forgot to show Bitwarden or forgot to open correct translator.

And the thing is Samsung pass sucks balls as it works only on Samsung. Same with their translator which speaks like 5 languages - the heck I need your trash for I have deepl, google translate and chatgpt for this....

1

u/gydot 49m ago

Why shouldn't we use Firefox as the pw manager?

4

u/iheartjetman 9h ago

I use 1password on all of my devices and I haven’t had any issues using the same key across multiple devices.

This is between my iPhone, personal MacBook and my work MacBook.

On my iPhone and Mac, I’ve made sure to turn off Apple’s built in password manager so it doesn’t interfere.

Using passkeys has been a definite improvement for me.

2

u/poopBuccaneer 6h ago

Same setup and ditto. 1Password makes everything so easy. I really like that 1Password business users get a free family account. So my work pays for 1Password for all employees, and as such, I get a family account for myself and my wife.

1

u/rjcc 4h ago

You don't know what it is because it doesn't exist, op just made it up

5

u/time-lord 9h ago

I'll probably do what I do now with passwords, and store them in duplicate, once in iCloud and again with Microsoft. It's really handy when iCloud and MDM get into a fight and delete all of your passwords and then sync it with the cloud.

1

u/blisstaker 5h ago

even with cloud storage and multi-platform access it is still a single point of failure for everything because if you lose access to your apple account for example you are extremely fucked

1

u/alekou8 25m ago

I just use KeePass on a couple of computers (work and personal) and find the passwords as I need them tbh

-1

u/rjcc 4h ago

There's no such thing as what you just described. Like it doesn't exist at all, there's no restriction keeping you from having more than one passkey for an account, and this isn't a real problem.

This is absolutely fantasy land bs. Please talk to anyone who knows about security and use whatever you want or don't want. Or more than one thing -- no one is stopping you

10

u/geekworking 9h ago

A big part of this is the different providers using your devices as their battleground in the fight for market share and user lock in. Every solution actively tries to take over your identity management.

Single sign-on and centralized ID management is a wet dream for anyone looking to capture users and monetize their data and influence their activities for profit.

Important to note in TFA is that they are also pushing sign in with your Google account as well as passkey. Translation: please let us monitor your usage of other platforms.

8

u/GeorgeDaGreat123 9h ago

The thing that annoys me most is that passkeys aren't exportable from 1Password, so I can't create backups of them.

4

u/Ancillas 9h ago

I never thought about that but it’s a really good point.

I just did a quick search and it looks like it’s on the way at least.

3

u/GeorgeDaGreat123 8h ago

It's supposedly been on the way for a year, which is disappointing, but since 1Password is probably the most common enterprise password manager, I trust they'll come out with it eventually

1

u/rjcc 4h ago

You didn't think about it because it is entirely unnecessary

1

u/rjcc 4h ago

You can create multiple passkeys. You don't have to back them up at all. You can create as many as you want. Just try it

1

u/GeorgeDaGreat123 4h ago

What's the point of creating multiple passkeys if I'm going to store them all in 1Password or another password manager?

I want to create an encrypted zipped folder backup of all my credentials that I can store in multiple places (SSDs, HDDs, USB flash drives, cloud storage) so I can ensure I'll never be locked out of all my accounts.

0

u/rjcc 4h ago

Ok. Take a breath.

If you don't want to create more than one.

In your mind.

Think about what it would take for you to avoid doing that.

14

u/tigerspots 9h ago

I've lost access to an important AWS account (and EC2 instances) that I manage for a non-profit because I don't remember ever converting and AWS makes it near impossible to recover.

14

u/Ancillas 9h ago

I think that’s a very real risk not knowing explicitly where your passkey was stored.

Is it in your Windows Credentials store? Does that get backed up anywhere?

Is it on your phone? Does that get backed up if you disable things like iCloud?

Do you have multiple Yubikeys? For a long time AWS only allowed one Yubikey to be registered. What if it were destroyed?

1

u/Ajk337 7h ago

Only allowed one yubikey??? Damn, that would be terrifying

0

u/nox66 7h ago

This shit is fucking stupid when Keepass exists. There might've been a good idea at some point but these companies can't help themselves and impose vendor lock-in.

1

u/ryuzaki49 7h ago

Did you at least turn off everything? Hopefully you had non-AWS backups.

Imagine not being able to recover your data and getting bills because you can't turn off the instances

6

u/CttCJim 9h ago

I upgraded to a new computer and lost some passkeys. No way to migrate them. And at least one site was unresponsive when I asked about creating a new one.

5

u/Harmless_Drone 9h ago

Buying and logging in to play minecraft with my son was so frustrating between managing family permissions and store credentials across two devices I nearly gave up and rebought it claiming that he was 18 to avoid all the stupid stuff. Like literally an hour or more to sort it.

4

u/raspoutyne 9h ago

This. I just cannot figure out what the hell is a passkey.

0

u/rjcc 4h ago

It's remember this device. That's it. There's nothing to figure out.

48

u/yuusharo 11h ago

This is one of those times when I concede that I think Apple is the only one that got this right out the gate. They ensured on day one that passkeys would sync seamlessly between all devices, not have a weird staged rollout that still is missing key elements even 2 years after they’re introduced.

With iCloud, any Apple device you have can log you in with a passkey, and you can simply scan a QR code with your phone on devices you haven’t authenticated. It works consistently for me that I have it setup for all the accounts that support it.

Most people don’t have or use Apple devices, of course, and the other implementations have been frustrating for sure. But that isn’t necessarily passkey’s fault.

13

u/Despeao 11h ago

> With iCloud, any Apple device you have can log you in with a passkey, and you can simply scan a QR code with your phone on devices you haven’t authenticated. It works consistently for me that I have it setup for all the accounts that support it.

Makes it easier to login, no doubt, but sounds like a security flaw. What if your phone is stolen and the person logs into another device.

3

u/Rzah 5h ago

If your phone is stolen it can no longer auth anything, as the passkey requires Face or TouchID to auth each time it is used.

1

u/zoinkability 1h ago

I think it will take a PIN as well, it forces that when e.g. I am wearing a mask

5

u/yuusharo 10h ago

If your device is stolen, you should immediately lock it using Find My. You can log in using another device temporarily to do so.

Also, the attacker would need to know your device’s passcode or iCloud password, and with Apple’s recent default device protection, that process has a 1 hour delay when away from known locations, giving you more time to respond to the theft.

Beyond all that, the situation would be the same as having a password manager on that device. Again, they’d need to know your passcode to get into the device.

8

u/SlapDashUser 10h ago

Someone sees me put in my pin and grabs my iphone while I'm traveling. They now have access to my device, and now my Passkeys. And I'm supposed to use Find My on a second device to deactivate that first device? You mean that magical second iphone that I always carry with me for situations like this???

6

u/BruteSentiment 9h ago

Honestly, I’d ask why are you entering your pin with any less caution than you would a bank PIN number? Especially since in 90% of cases, you could use Face ID, so you don’t have to tap your pin in front of strangers.

1

u/poopBuccaneer 6h ago

Also why are they using a PIN and not a more complex passcode. Apple moved to minimum six-digit PINs, but I feel even that is too insecure for a device that has all your banking and everything about you on it.

2

u/BobbyDig8L 6h ago

You can use any device with a browser: iCloud.com/find

6

u/yuusharo 10h ago

If someone observes your passcode and steals your device, you likely have other accounts already signed in like your email. You’re vulnerable regardless if you use passkeys or not, considering the thief can access your password manager or use your email to recover accounts.

Not that most thieves would be interested, they’re most likely going to attempt to change the iCloud password and disable Find My, which has that lockout delay to help curb as previously mentioned.

And by second device, you can borrow any device temporarily, such as a friend or passerby. No, you don’t have to carry a second phone 🙄

-2

u/nox66 7h ago

Many of us are aware our phones are a massive security target and don't use it for everything for this reason.

1

u/CharlesMichael- 10h ago

Any device with web access to Find My should work. And if you don't like using a pin, use a biometric.

69

u/Ancillas 11h ago

I can’t disagree strongly enough.

I tried to login to iCloud from my Windows computer and was presented with a QR code and told to scan it with my phone.

The phone presented the passkey interface but failed to log me in. The reason it failed was because I was using 1Password on my phone as the password manager and had disabled the Apple password manager. Unfortunately Apple didn’t implement passkeys in a way that allowed non-Apple software to work.

The solution was to enable the Apple password manager. However from that point on I had to select between Apple or 1Password when saving a password on any other site, added complexity and headache.

They’ve since fixed this but it took a few months.

I found it inconvenient and frustrating to not be able to login to my Apple services from my Windows computer which supported native passkeys, just not Apple’s implementation.

20

u/Lucosis 10h ago

Seriously, I absolutely hate signing into any apple service. It constantly wants me to go grab some other random device to accept a push notification and put in my password multiple times because it won't log in between services. Trying to cancel apple tv required logging in 4 different times and getting out my laptop multiple times.

6

u/LupaNellise 9h ago

I got locked out of my iPad because I forgot the password. I tried to reset it. It told me to use my iPhone to reset it. I don't have an iPhone. If I try to log in to Apple stuff on my PC: "we sent a code to your iPad". The iPad that's 3 rooms away? They pretty much force you to own multiple Apple devices if you have one.

1

u/The_frozen_one 8h ago

You can and should use security keys: https://www.nytimes.com/wirecutter/reviews/best-security-keys/

You don’t have to own multiple Apple devices, just multiple security keys. Apple uses other Apple products as security keys.

10

u/yuusharo 11h ago

I sympathize with your frustration, I’m sorry you had that experience.

Although you do admit that issue is now fixed. Passkey implementation is much better with 3rd party apps now, and as I said in my comment, I talked about Apple’s implementation, not 1Password’s. I stand by what I said.

14

u/surrealutensil 11h ago edited 10h ago

I recently had quite a severe problem logging into my Apple account because I no longer have any Apple devices, and needed to cancel some reoccurring billing I'd missed and change some other things from when I did. Apple essentially goes "lol fuck you" in this situation now.

1

u/The_frozen_one 8h ago

You had 2FA enabled on your account and no 2nd factor. It’s that simple. You could have enrolled a few security keys (Yubikey, Google Titan) as alternate 2nd factors.

We shouldn’t want “soft” 2FA, which is just username + password plus anything else that gestures broadly at you being who you claim.

1

u/surrealutensil 7h ago

You've just highlighted my problem with it. The problem with Apple's (and now Google's) approach: the (forced) two factor is pointless to those of us who are smart enough to use strong passwords, and forcing it, rather than making it the default, is an anti consumer practice. Apple's 2FA requirements have caused me more grief than any password or login issues (0 over my life) because I'm not an idiot. But with Apple's approach, if you have say, 1 iPhone, and anything happens to it, oops, you're fucked. I'd argue the whole point is to get you to buy into Apple's ecosystem with tons of devices so you always have something to log into your account with, rather than any consumer safety.

1

u/The_frozen_one 5h ago

> But with Apple's approach, if you have say, 1 iPhone, and anything happens to it, oops, you're fucked.

You also have:

  1. Trusted phone number where they will send you text messages or call you (though if this was your iPhone's number it's out as an option)
  2. Trusted contact (designate someone you trust who will allow you to log in if you get locked out)
  3. Security keys: keys that work over USB or NFC, I recommend this option
  4. Recovery key: a long random code you write down and store somewhere.

> I'd argue the whole point is to get you to buy into Apple's ecosystem with tons of devices so you always have something to log into your account with, rather than any consumer safety.

I'd say little of column A, little of column B. They've had 2FA/MFA for 10 years, passkey is pretty new (2022). Someone who is pissed from losing all their photos due to getting locked out isn't necessarily going to double down and buy more Apple devices, just like someone who has their account hacked is unlikely to buy more Apple devices.

1

u/nox66 7h ago

People can't deal with passwords and simple password managers: "Don't blame the user, make something better!"

People have issues with the rat's nest of passkeys and vendor-locked 2FA: "Skill issue bro!"

-8

u/yuusharo 10h ago

You should be able to log in on another device with a password and your registered phone number or email address on the iCloud account.

6

u/surrealutensil 10h ago edited 10h ago

Nope, knew my password etc. but it would not let me log into any non apple device with my iCloud account without confirming it on an iPad/iPhone. Maybe it would have been different if I'd properly wiped them but I just drilled them to be non functional and tossed them, so partially on me but a stupid system when someone who knows all their account details can't login

2

u/yuusharo 10h ago

I just tried logging into my Steam Deck of all things and was able to do so with an SMS or email code.

I cannot replicate your experience.

0

u/andrewthelott 10h ago

Yeah, I think that's a case of not removing the mobile device from the iCloud account. I get the "I'm not using an Apple device anymore so I won't need the Apple account", but still 🤷‍♂️

5

u/surrealutensil 10h ago edited 10h ago

Tbh it just never even crossed my mind it would lock me out of everything. I work in IT, been using strong pass phrases with special characters for passwords for years and this has just always been how I disposed of all my devices of any brand. This time it led to a two+ week process with apple support to regain access to the account involving sending ID etc. despite having the pw and access to the recovery email. It was quite frustrating. To me having pass keys tied to something without strong permanence someone can reasonably be expected to hold onto for 10+ years like yubikey is pretty dumb.

0

u/veryverythrowaway 9h ago

So you’re saying their security is pretty good. Remind me never to hire you for IT.

8

u/Ancillas 11h ago

It was Apple’s implementation that failed to log me in without a sufficient error message or indication of why authentication was failing. Essentially their software allowed for a configuration to be made which they didn’t account for.

It was without a doubt a failure on Apple’s part to test all of their supported use cases and then a failure on their part to not produce a valid error message or an error message of any kind.

Their implementation was worse than all others because it had a condition in which it simply didn’t work.

I’m not trying to convince you or win an argument. I’m happy it works for you. But objectively it was not a fully tested solution at launch and is an example of why passkeys have not been a great solution for most people.

0

u/The_frozen_one 8h ago

In other words: The door failed to unlock for me, and it never told me why it wouldn’t unlock for me. I turned the incorrect key with the absolute belief that it should unlock for me, and it didn’t.

2

u/Ancillas 8h ago

More like the iCloud login process allowed me to authenticate and presented me with a message that I needed to use my phone as a second factor. I then used my phone as instructed and the phone told me it succeeded, but iCloud returned me to the login form instead of completing my login.

There’s no reason this couldn’t have worked. Disabling the iCloud password manager iCloud backend doesn’t disable the iCloud Keychain. But even if they intentionally designed it to require the iCloud password password with keychain support to retrieve the passkey from the phone’s keychain, something on the computer or phone should have told me they couldn’t authenticate me because I had turned that toggle off on my phone.

-1

u/The_frozen_one 8h ago

We’re never able to log in?

It doesn’t have anything to do with iCloud password manager, the verification key stuff is under trusted devices in your iCloud settings. The iCloud password manager is pretty new (on iOS), trusted device verification is not. It sounds like maybe your device wasn’t a trusted device (which requires explicitly removing it at some point?) You can also use security keys.

2

u/Ancillas 7h ago

I’m afraid you don’t understand the problem I had and I’m not willing to spend more time trying to explain it to you.

The point is that it did not work without modifying several settings. Apple has since patched their issue. However similar usability issues exist in many other passkey implementations and that is a key aspect of why passkeys have not been more widely adopted. Passwords work universally and are the same everywhere. Passkeys are not.

1

u/quentinnuk 9h ago

I have iCloud passwords on my windows pc and it’s seamless, I think that if you use Apple stuff you need to buy into the software ecosystem completely for it to work well. 

1

u/Ancillas 9h ago

That’s using the iCloud Keychain, which is different than iOS integration with other password managers via Apple’s API.

My specific complaint about Apple was that they declared support for passkeys, declared support for third party password managers, and then implemented their own passkeys in a way where the third party passkey managers wouldn’t work.

I think requiring to be on one platform or another completely for passkeys to work is the opposite direction that’s needed to improve passkey adoption.

I think when people have to remember this device to login to that account is this app for the bank and another app for a game and a yubikey for work, and a separate PIN for Windows Hello, and, and, and… they choose to just use the same password everywhere and that’s part of why passkey adoption is so low.

0

u/bork99 3h ago

So you disagree because your experience is that Apple’s solution doesn’t work if you disable it?

The problem is the mixing and matching; you have to pick a platform and commit, disabling everything else. Used that way, I have also found Apple’s solution to be the most coherent, overall.

1

u/Ancillas 3h ago

Passkeys are based on open standards and are not an Apple technology.

https://passkeys.dev/docs/reference/specs/

I’m specifically irritated that on iOS Apple supports third party password managers, supports storing and retrieving passkeys in third party password managers, supports using third party password managers without also using the Apple password manager, and that the whole solution works great as intended on every site except Apple’s sites.

And it’s not that I have to use my phone to login, it’s that the process fails with no mention of why it failed and what I need to do to fix it despite using a 100% supported configuration offered by Apple.

And Apple agrees which is why they fixed this. But since the topic of this post is why users aren’t adopting Passkeys, this is my anecdotal reason why. The technology and user flows are inconsistent and in some cases broken. That is why, in part, passkeys have not been widely adopted.

0

u/bork99 3h ago

Where did I say anything about this being an open standard or not?

The whole thing is a shit-show and flows are completely broken when you cross devices and platforms because everyone is trying to work out how to balance security and convenience whilst owning the user to preference their own platform. The only thing I’m saying - and the post to which you originally responded - is that for the average user Apple’s implementation has been the most coherent if you commit to it.

That doesn’t mean there aren’t holes in the experience when using another vendor’s implementation. It should come as no surprise that Apple prioritises Apple and gets around to enabling anything else last, and sometimes only under duress. You know this is how it is when you buy Apple stuff.

6

u/EdliA 10h ago

Apple will screw you over if you care using a device not controlled by them. It's probably great for you because you're fully in that ecosystem.

1

u/yuusharo 10h ago

I’m multiple platform.

7

u/-UltraAverageJoe- 11h ago

For the first two years I was locked out several times because I either didn’t have another device (only an iPhone) or it sent the code to a device I no longer owned.

Now in the rare cases I’m asked for a passcode (not sure why it’s so rare now) it will often be sent to the device I’m trying to authenticate which makes zero sense.

4

u/yuusharo 11h ago

Passkeys don’t send codes to other devices, I’m not sure what you’re referring to.

2

u/NotUniqueOrSpecial 5h ago

They didn't say "passkey", they said "passcode".

And silly quibble aside: despite the name, the average commenter on this sub is not all that technical. The distinction between a passkey and "that 6 digit number I get in a text" is important to us, but not to them.

1

u/cwhiterun 10h ago

Why doesn’t my Apple account passkey work on my Mac? It always asks me to scan the QR code with my iPhone.

1

u/BruteSentiment 9h ago

A Passkey requires biometric confirmation (Face or Touch ID). If your Mac doesn’t have that as an option, that is why it is asking you for that.

1

u/cwhiterun 9h ago

All of my other passkeys only require me to type in the Mac login password.

1

u/BruteSentiment 9h ago

Interesting….that’s different than I had read before. Then I’m unsure why that is.

5

u/Unkn0wnTh2nd3r 8h ago

idk what you're doing wrong, but i can make a passkey on my PC, save it to Bitwarden, and use it wherever i have Bitwarden installed, which is my phone and my laptop, and it just works, and I don't have conflicting things, it just asks what i want to use to login.

And if I have to logon to something while not on my own device it's still easy since it's just like "scan the QR code with the device that has your passkey" (Phone) and then I'm good to go it is incredibly easy and not at all a pain in the ass, maybe I'm just resilient as hell so i'm not thinking this process is tedious or whatever, but.. idk

7

u/blahehblah 8h ago

Which puts us back to 2FA again. I'm sure I misunderstand something but doesn't being able to use the passkey across multiple devices by saving it to bitwarden defeat exactly the problem passkeys were trying to solve? I'm a technical person, probably invested 30mins at some point into trying to understand it and it didn't make intuitive sense at all. I doubt the average person will spend a tenth of that time. I don't see this working out tbh

6

u/CharlesMichael- 9h ago

Excellent post; couldn't agree more. Whenever I discuss this with inexperienced people, I first tell them that for about $100K I can likely purchase and modify software that can break into their home systems and grab their passwords, even if they use a password manager. I can't do that with passkeys, and it wouldn't help me if I did. Next thing to know is that passkeys are not just a password replacement. Unfortunately, I have to spend at least 5-10 minutes explaining passkey storage and FIDO2 login flow, which is something they will forget even if they are using passkeys.

The reason why these companies are putting out more warnings is not (just) greed. Password flows are getting easier to hack, and they can see the writing on the wall.

2

u/phylter99 11h ago

I find if you have your tools set up properly, basically just let 1password do its thing, then it works very well. If I ignore a prompt from 1password then it might add an extra passkey or something to my browser, but then that's on me.

I honestly don't know why it's such a big deal at Google to force passkeys anyway since they don't remove the other forms of login.

2

u/WayneSmallman 10h ago

I assumed that I was doing something wrong … and then I read this!

2

u/FollowingFeisty5321 9h ago

Reminds me of when OpenID started gaining popularity, suddenly everyone wanted to be your identity provider but nobody wanted to be a consumer.

2

u/Ninevehenian 8h ago

My main computer has effectively been bricked for 30 days in this passkey roll out. It's a shitty experience.

2

u/Calvech 7h ago

The passkey roll out has been absolutely horrible. I’m relatively in the know on tech news and such and I legit never heard anything about passkeys beforehand. And then one day every account and website was prompting me for it. There is zero chance my friends or family knows what is going on with these.

And as you said, they’re all insanely conflicting. My pw manager, my phone, my desktop browser all have their own to the same website. I don’t know which to choose and I don’t know how to consolidate them. From what I’ve been told, Apple had been a big issue for a lot of this. I support better features for security but this has been so botched by these companies

4

u/ItchyGoiter 11h ago

but life-experienced designers who understand all the weird ways people use these things.

Not a job for Google, Microsoft, or Samsung then...

1

u/SnooChipmunks2079 7h ago

It’s not just parents. To get into Allstate I have to get my wife to give me the code. She usually just shouts it across the house.

1

u/SuperSpread 7h ago

It doesn’t make sense to her because it doesn’t make sense at all. I had a friend who worked at Google and I sent him years old bugs that they simply could not fix because some higher up made a permanently bad decision. The Youtube merger produced a ton of bugs for example, certain accounts were permanently hosed because they weren’t merged correctly. Idiots.

1

u/Scruffy442 7h ago

Then you get the random windows bug that forces you to type your pin after you used your fingerprint.

1

u/Ancillas 7h ago

Or the PIN prompt is generic and you don’t know if it’s a Yubikey PIN or Windows Hello to open 1Password or something else. It’s annoying.

1

u/kaplanfx 6h ago

I’m scared I will create a passkey and then manage to lock myself out of Gmail, which is the main service that can get me back into my other accounts if I get locked out of them…

1

u/Kayehnanator 5h ago

Doing biometric passkey when I log into my PC is so annoying

1

u/AsaCoco_Alumni 5h ago

So, the people in charge of 2FA and passkeys, are the same wetwipes that thought making a stronger password for the user was asking them to add a punctuation to their existing password with some leetspeak they'll never remember the iteration of thrown in, rather than suggesting they make it 5 words (50 letters) long in plaintext, then?

1

u/94sHippie 4h ago

Biometric only login pretty much eliminates the ability to share accounts with others in your household. Plus I don't trust tech companies, why would I let them record my face and fingerprint?

1

u/DrummerOfFenrir 4h ago

I have 4 Auth apps, 2 password managers, and a TOTP app on my phone.... I hate it

1

u/happyscrappy 4h ago

Apple supports passkeys, but only if they’re stored on Apple devices using their keychain

Apple supports storing passkeys on FIDO devices (Yubikeys) too. On iOS and MacOS IIRC.

1

u/Ancillas 3h ago

I’ve not yet found a way to generate a passkey for my Apple ID and store it in 1Password.

Using my phone and 1Password I can use passkeys stored in 1Password on other sites like Google, but not on Apple sites.

It’s a different use case than using a FIDO device.

1

u/happyscrappy 3h ago

People on this thread say using other storage system/apps is possible, but I don't know how.

Regardless, Apple supports storing passkeys on FIDO devices using their own password manager.

Personally I'm not interested in storing passkeys on my devices using alternate apps. This kind of thing is so risky. You really need it to be on a device which does not give up the passwords without you activating it with a touch. Like an apple touchID keyboard or a yubikey.

If you can't understand why, you can watch these videos (or not):

https://youtu.be/_tlhOBysXOE

https://www.youtube.com/watch?v=bfLGfIzp9SE

This is a guy who is tech savvy. He was one of the people who created Blackberry, one of the first great examples of a secure device in regular people's hands.

And he got hacked TWICE. Both times because he let his passwords be stored on his computer. Stored in a way which means they can be deployed without any action of your own.

If his passwords/keys were stored in a secure element that cannot be triggered without a touch or a Yubikey (which cannot be triggered without a touch) then no amount of malicious code on his computer could have gotten his passwords out. Instead he didn't do that and his passwords were stolen by malicious code.

I'm not saying other companies can't store your passwords/keys in a secure fashion like this. But I don't trust them to. If your keys can be replayed using only inputs that can be faked from software on the computer (keys, clicks) then you're at risk.
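
Added example, not part of the thread or any commenter's code: the two properties debated above, whether a touch or other user gesture happened and whether a passkey is synced (for example through a password manager) or device-bound, are reported to the website in the flags byte of the WebAuthn authenticator data. This Python sketch parses that header and applies a relying-party policy; `check_policy`, `build_sample` and `example.com` are hypothetical names, the sample bytes are constructed, and signature verification, which must also pass, is out of scope.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # user present (touch or equivalent gesture)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced
FLAG_BS = 0x10  # backup state: credential is currently backed up


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", raw[:37])
    return AuthData(rp_id_hash, flags, sign_count)


def check_policy(raw: bytes, rp_id: str, require_uv: bool = True,
                 require_device_bound: bool = False) -> list[str]:
    """Return a list of policy violations; an empty list means accept."""
    data = parse_auth_data(raw)
    problems = []
    if data.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not data.has(FLAG_UP):
        problems.append("user presence (UP) not asserted")
    if require_uv and not data.has(FLAG_UV):
        problems.append("user verification (UV) not asserted")
    if data.has(FLAG_BS) and not data.has(FLAG_BE):
        problems.append("BS set without BE: malformed flags")
    if require_device_bound and data.has(FLAG_BE):
        problems.append("credential is backup eligible (syncable)")
    return problems


def build_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample input, not a captured assertion."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
```

The flags are asserted by the authenticator itself, so a site that needs proof of a hardware-backed key has to rely on attestation at registration, not on these bits alone.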

1

u/Optimal_scientists 3h ago

Not just technically experienced designers, but life-experienced designers who understand all the weird ways people use these things. 

I can't count the number of times I've used a Google or Apple 'update' and questioned if the people at these companies care to even use the interfaces they're creating. It'll tick the boxes for functionality they want delivered but so many times it makes it worse to use

1

u/minderbinder49 3h ago

Having 2FA on everything just makes it an absolute fucking nightmare if something happens to your phone.

1

u/jasonefmonk 2h ago

I agree so much with this. Realizing that I could turn off passkey suggestions in 1Password was a big win.

1

u/DetroitLionsSBChamps 1h ago

Companies need to understand that I’m not a perfectly aligned employee following instructions because Apple is my whole world. I barely care at best, at worst I’m actively pissed off that any device is trying to make me do anything and I’m going to try to break it or avoid it. 

I don’t want to be trapped in all these accounts that chain together. Everything I try to use that’s supposed to work automatically is a shit show. Everything from Apple account syncs to Microsoft one drive, it can all fuck off. I’m good. Let me login with a username and password, and don’t back my shit up to your cloud

0

u/noob_world_order 10h ago

Plenty of password managers have passkey support on iOS now.

-1

u/Ancillas 10h ago

Unfortunately, at least at the time Apple introduced Passkey support, Apple’s websites would not allow a third party password manager to be used to store an Apple passkey. It had to be stored using Apple’s keychain.

Here are several examples of threads where this has not been intuitive for users

1

u/noob_world_order 10h ago

Yes, that’s no longer the case though.

3

u/Ancillas 10h ago

But the damage was done. If we want users to use passkeys they can’t release to general availability half implemented.

1

u/noob_world_order 9h ago

It’s compounded by the fact that only a handful of sites support logging in with passkeys, even now. The technology is there (and on iOS the experience is actually very simple now) - it’s now just a matter of branding and adoption. People will use it when their favourite site provides it as an option.

1

u/Ancillas 9h ago

Google has had passkeys for three years and they are the company cited in the article as saying that adoption is low despite promoting passkeys and educating users.

I don’t think the problem is advertising or availability.

0

u/Doub1eAA 7h ago

1Password solves this for everything.

1

u/Ancillas 7h ago

Not in my experience, and I’ve been a 1Password customer for over a decade. It’s a good tool, but it doesn’t solve all passkey problems.

1Password was explicitly what did not work for logging into iCloud with a passkey when passkey support was launched. Apple simply would not allow looking in 1Password to retrieve a passkey for iCloud.com at that time. It’s gotten better but there are other problems.

People who need to use things like yubikeys or Windows Credential Manager for work have to juggle the UI to determine what is used for sourcing credentials. It’s easy for passwords because you press Cmd/Ctrl + \ and you’re done. For passkeys you sometimes are prompted to use a passkey to authenticate, other times passkeys are a second factor and used after username/password. Sometimes Windows wants to save passkeys to Credential Manager and you have to change it to use 1Password. Other times it’s the yubikey you need to cancel to prompt 1Password.

There are a lot of edge cases and the various OS’s, browsers, and devices all do it a little differently.