Passkey fail

William Brown:

However Chrome simply never implemented it leading to it being removed. And it was removed because Chrome never implemented it. As a result, if Chrome doesn’t like something in the specification they can just veto it without consequence.

I hate waiting on browser support. About a year or two ago, I transitioned my family to use hardware keys to sign in to services, and it was truly fucking awful. Back when I started using hardware keys, Safari on iOS had zero support for FIDO keys (so before iOS 13 or 14?) and when they finally added it they only added support for NFC keys or something like that, which meant keys that relied on Bluetooth and USB connections wouldn’t work at all, unless you got Google’s helper app and did some weird pairing song-and-dance.

It feels like that, but all over again for Passkeys. Bitwarden supports it, but only on desktop browser extensions. (Did I mention that none of the client apps, aside from the browser extension, support hardware keys in 2024? Forcing you to enroll another 2FA just to sign in to those apps, that weakens overall account security?) If I can’t store it in a password manager, I can’t get cross-device sync, and I do not want to dig out a single device every time I want to authenticate to a given service.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate - you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better ux.

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?

Yeah, why wouldn’t I want to store my passkey in my iCloud account? Oh, because I actually own devices that aren’t made in Cupertino and aren’t allowed to talk to Apple’s servers. And on Android it’s Google trying to hoover up the passkeys.

At this point, passkeys are just SSO with extra steps.

Related Posts

comments