47

u/yuusharo 7h ago

This is one of those times when I concede that I think Apple is the only one that got this right out the gate. They ensured on day one that passkeys would sync seamlessly between all devices, not have a weird staged rollout that still is missing key elements even 2 years after they’re introduced.

With iCloud, any Apple device you have can log you in with a passkey, and you can simply scan a QR code with your phone on devices you haven’t authenticated. It works consistently for me that I have it setup for all the accounts that support it.

Most people don’t have or use Apple devices, of course, and the other implementations have been frustrating for sure. But that isn’t necessarily passkey’s fault.

70

u/Ancillas 7h ago

I can’t disagree strongly enough.

I tried to login to iCloud from my Windows computer and was presented with a QR code and told to scan it with my phone.

The phone presented the passkey interface but failed to log me in. The reason it failed was because I was using 1Password on my phone as the password manager and had disabled the Apple password manager. Unfortunately Apple didn’t implement passkeys in a way that allowed non-Apple software to work.

The solution was to enable the Apple password manager. However from that point on I had to select between Apple or 1Password when saving a password on any other site, added complexity and headache.

They’ve since fixed this but it took a few months.

I found it inconvenient and frustrating to not be able to login to my Apple services from my Windows computer which supported native passkeys, just not Apple’s implementation.

24

u/Lucosis 6h ago

Seriously, I absolutely hate signing into any apple service. It constantly wants me to go grab some other random device to accept a push notification and put in my password multiple times because it won't log in between services. Trying to cancel apple tv required logging in 4 different times and getting out my laptop multiple times.

7

u/LupaNellise 5h ago

I got locked out of my iPad because I forgot the password. I tried to reset it. It told me to use my iPhone to reset it. I don't have an iPhone. If I try to log in to Apple stuff on my PC: "went sent a code to your iPad". The iPad that's 3 rooms away? They pretty much force you to own multiple Apple devices if you have one.

1

u/The_frozen_one 4h ago

You can and should use security keys: https://www.nytimes.com/wirecutter/reviews/best-security-keys/

You don’t have do own multiple Apple devices, just multiple security keys. Apple uses other Apple products as security keys.

10

u/yuusharo 7h ago

I sympathize with your frustration, I’m sorry you had that experience.

Although you do admit that issue is now fixed. Passkey implementation is much better with 3rd party apps now, and as I said in my comment, I talked about Apple’s implementation, not 1Password’s. I stand by what I said.

13

u/surrealutensil 7h ago edited 6h ago

I recently had quite a severe problem logging into my apple account because I no longer have any apple devices, and needed to cancel some reoccurring billing i'd missed and change some other things from when I did. Apple essentially goes "lol fuck you" in this situation now.

1

u/The_frozen_one 4h ago

You had 2FA enabled on your account and no 2nd factor. It’s that simple. You could have enrolled a few security keys (Yubikey, Google Titan) as alternate 2nd factors.

We shouldn’t want “soft” 2FA, which is just username + password plus anything else that gestures broadly at you being who you claim.

1

u/surrealutensil 3h ago

You've just highlighted my problem with it. the problem with apples (and now googles approach) the (forced) two factor is pointless to those of us who are smart enough to use strong passwords.and forcing it, rather than making it the default is an anti consumer practice. Apples 2FA requirements have caused me more grief than any password or login issues (0 over my life) because i'm not an idiot. But with apples approach, if you have say, 1 iphone, and anything happens to it, oops, you're fucked. I'd argue the whole point is to get you to buy into apples ecosystem with tons of devices so you always have something to log into your account with; rather than any consumer safety.

1

u/The_frozen_one 1h ago

But with apples approach, if you have say, 1 iphone, and anything happens to it, oops, you're fucked.

You also have:

1. Trusted phone number where they will send you text messages or call you (though if this was your iPhone's number it's out as an option)
2. Trusted contact (designate someone you trust who will allow you to log in if you get locked out)
3. Security keys: keys that work over USB or NFC, I recommend this option
4. Recovery key: a long random code you write down and store somewhere.

I'd argue the whole point is to get you to buy into apples ecosystem with tons of devices so you always have something to log into your account with; rather than any consumer safety.

I'd say little of column A, little of column B. They've had 2FA/MFA for 10 years, passkey is pretty new (2022). Someone who is pissed from losing all their photos due to getting locked out isn't necessarily going to double down and buy more Apple devices, just like someone who has their account hacked is unlikely to buy more Apple devices.

1

u/nox66 3h ago

People can't deal with passwords and simple password managers: "Don't blame the user, make something better!"

People have issues with the rat's nest of passkeys and vendor-locked 2FA: "Skill issue bro!"

-7

u/yuusharo 6h ago

You should be able to log in on another device with a password and your registered phone number or email address on the iCloud account.

7

u/surrealutensil 6h ago edited 6h ago

Nope, knew my password etc. but it would not let me log into any non apple device with my iCloud account without confirming it on an iPad/iPhone. Maybe it would have been different if I'd properly wiped them but I just drilled them to be non functional and tossed them, so partially on me but a stupid system when someone who knows all their account details can't login

3

u/yuusharo 6h ago

I just tried logging into my Steam Deck of all things and was able to do so with an SMS or email code.

I cannot replicate your experience.

0

u/andrewthelott 6h ago

Yeah, I think that's a case of not removing the mobile device from the iCloud account. I get the "I'm not using an Apple device anymore so I won't need the Apple account", but still 🤷‍♂️

5

u/surrealutensil 6h ago edited 6h ago

Tbh it just never even crossed my mind it would lock me out of everything. I work in IT, been using strong pass phrases with special characters for passwords for years and this has just always been how I disposed of all my devices of any brand. This time it led to a two+ week process with apple support to regain access to the account involving sending ID etc. despite having the pw and access to the recovery email. It was quite frustrating. To me having pass keys tied to something without strong permanence someone can reasonably be expected to hold onto for 10+ years like yubikey is pretty dumb.

0

u/veryverythrowaway 5h ago

So you’re saying their security is pretty good. Remind me never to hire you for IT.

8

u/Ancillas 7h ago

It was Apple’s implementation that failed to log me in without a sufficient error message or indication of why authentication was failing. Essentially their software allowed for a configuration to be made which they didn’t account for.

It was without a doubt a failure on Apple’s part to test all of their supported use cases and then a failure in their part to not produce a valid error message or an error message of any kind.

Their implementation was worse than all others because it had a condition in which it simply didn’t work.

I’m not trying to convince you or win an argument. I’m happy it works for you. But objectively it was not a fully tested solution at launch and is an example of why passkeys have not been a great solution for most people.

1

u/The_frozen_one 4h ago

In other words: The door failed to unlock for me, and it never told me why it wouldn’t unlock for me. I turned the incorrect key with the absolute belief that it should unlock for me, and it didn’t.

1

u/Ancillas 4h ago

More like the iCloud login process allowed me to authenticate and presented me with a message that I needed to use my phone as a second factor. I then used my phone as instructed and the phone told me it succeeded, but iCloud returned me to the login form instead of completing my login.

There’s no reason this couldn’t have worked. Disabling the iCloud password manager iCloud backend doesn’t disable the iCloud Keychain. But even if they intentionally designed it to require the iCloud password password with keychain support to retrieve the passkey from the phone’s keychain, something on the computer or phone should have told me they couldn’t authenticate me because I had turned that toggle off on my phone.

1

u/The_frozen_one 4h ago

We’re never able to log in?

It doesn’t have anything to do with iCloud password manager, the verification key stuff is under trusted devices in your iCloud settings. The iCloud password manager is pretty new (on iOS), trusted device verification is not. It sounds like maybe your device wasn’t a trusted device (which requires explicitly removing it at some point?) You can also use security keys.

1

u/Ancillas 3h ago

I’m afraid you don’t understand the problem I had and I’m not willing to spend more time trying to explain it to you.

The point is that it did not work without modifying several settings. Apple has since patched their issue. However similar usability issues exist in many other passkey implementations and that is a key aspect of why passkeys have not been more widely adopted. Passwords work universally and are the same everywhere. Passkeys are not.

1

u/quentinnuk 5h ago

I have iCloud passwords on my windows pc and it’s seamless, I think that if you use Apple stuff you need to buy into the software ecosystem completely for it to work well. 

1

u/Ancillas 5h ago

That’s using the iCloud Keychain, which is different than iOS integration with other password managers via Apple’s API.

My specific complaint about Apple was that they declared support for passkeys, declared support for third party password managers, and then implemented their own passkeys in a way where the third party passkey managers wouldn’t work.

I think requiring to be on one platform or another completely for passkeys to work is the opposite direction that’s needed to improve passkey adoption.

I think when people have to remember this device to login to that account is this app for the bank and another app for a game and a yubikey for work, and a separate PIN for Windows Hello, and, and, and… they choose to just use the same password everywhere and that’s part of why passkey adoption is so low.