f30e3dfed1c9 1 days ago [-]
I've been avoiding them and intend to keep doing so as long as possible. I've had passwords handled perfectly well for almost 20 years. I do not see passkeys as having any particular benefits to me and do not want to manage them.
UncleMeat 17 hours ago [-]
I have an HSA managed by HealthEquity for work. Recently they forced us all onto passkeys.
About 80% of my login attempts now randomly fail with a “you are not authorized to see this page” error. What a system.
chrisjj 1 days ago [-]
> having people enter a password to log in is a dying authorization flow - it’s too easy to crack databases, ... passkey ties it to your device
Your portable nickable device, right?
I'd rather a password tied to my brain, thanks.
f30e3dfed1c9 1 days ago [-]
Exactly. "Passkey ties it to your device" sounds like a huge step backwards to me. Tech companies seem to have no idea how much I hate my phone.
f30e3dfed1c9 1 days ago [-]
FWIW, I had a conversation with an AI about passkeys. Seems to me like there are real potential benefits to (1) companies that implement them, (2) people with bad password practices, and (3) people who use one or two devices, like a laptop and a phone, or a tablet and phone.
I suspect the lion's share of benefits here go to (1) and I could not possibly care less about that.
I recognize that (2) is a huge group of people, but I'm not in it.
For people in (3), it might work pretty well especially if both are from the same company. For example, if you only ever use an iPad and an iPhone, passkeys might work out pretty well. But I'm not in that group, either.
I'm gonna keep ignoring them as long as possible.
mooreds 19 hours ago [-]
Yeah, I don't think passwords are ever going away (and said it on this podcast[0]).
But for the large group of people in group 2, I'm a big fan of unphishable credentials. If we can figure out the account recovery problem. (Big if!)
FWIW, I think the article "Passkeys: they're not perfect but they're getting better" at the NCSC web site is a pretty fair assessment of the current state of things.
I certainly understand and appreciate the benefits of key-based authentication: been using ssh keys for decades, wouldn't go back to password auth in that context for anything.
But I don't really see passkeys in the much wider context of web authentication for the broadest possible audience as having all the kinks worked out yet.
0: https://changelog.com/friends/78