• Boozilla@lemmy.world · 16 up / 3 down · edited, 8 hours ago

    Whenever I read an article about security (and read the comments, even here on Lemmy) I’m constantly frustrated and depressed by a couple of things.

    1. Corporations making things shittier with the intention of locking customers into their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priorities, if it’s even there at all.

    2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for “better security”.

    It’s a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

    • Encrypt-Keeper@lemmy.world · 3 up / 6 down · edited, 5 hours ago

      You would be less constantly frustrated and depressed if you learned a little bit about security, instead of getting upset about imagined problems with technology you don’t understand.

      • Boozilla@lemmy.world · 2 up · 42 minutes ago

        I’m not against passkeys. They have some real advantages. And I understand more than you think.

        My comment is primarily about the preferred ecosystems that tend to come along with these newer solutions (like Apple’s iCloud or Google’s Password Manager) and how the corporations take advantage of user laziness and bandwagon jumping.

        They may not force you to be exclusive with them, but they definitely want you to be. And over time they will likely make it more and more inconvenient not to be locked in with them.

        For contrast, I use Bitwarden for password management and Bitwarden Authenticator for TOTP (and I keep safe copies of TOTP secret keys elsewhere). This is a generic open-standards-first approach to things, with relatively easy recovery should you lose something. You can export your passwords. You have copies of your secret keys. You are in no way locked in to Bitwarden forever.

        Passkeys can also work within that type of operational framework! Like TOTP, which normally uses RFC 6238, passkeys tend to use CTAP or WebAuthn. All of the above are open standards. And this is a good thing!

        But do you really think Apple, Google, Microsoft, etc., want to play nice long term? Hopefully they will. But I have also run into evil nonsense like LastPass, which, even though it also used open standards, would not allow you to do simple things like recover your own secret keys, export your data, etc. (Not to mention the embarrassing security breach they had and the wretched response, the main reasons to dump them.)

        While I am not directly comparing an idiot company like GoTo Tech with Apple et al, they all have the same types of big brain MBA types working for them who love to constantly brainstorm new ideas on how to screw the users over by taking features away and calling it a “software upgrade”.

        So, passkeys as a security mechanism: sure, this gets my vote. But trusting the big corporations not to change the rules on us later…come on, get real. They love limiting or removing portability and recovery options whenever they can.

        Bottom line: don’t assume passkeys are inherently good or bad. It’s simply a security standard that can work well if implemented correctly. Passkeys make logging in easier. But will they also make recovery / export / migration easier…? Because if it’s not easy, people won’t do it.