I’ve been arguing that passwords are horrible for the best part of a decade now, and was an enthusiastic early adopter of the far better approach of passkeys.
Passkeys were supposed to achieve the holy grail of an approach which is both more secure than passwords and so easy to use that everyone would adopt them. But a new piece outlines four problems with the technology …
Passkeys are more secure than passwords
Passwords have a number of security issues:
- Websites may know them, even if they are supposedly encrypted
- Non-techies tend to re-use passwords, so data breaches are hugely problematic
- Passwords are vulnerable to phishing attacks
Passkeys solve all of this. Instead of being challenged for our username and password when we login, we are invited to use a passkey. With this system, the website or app asks our device to authenticate us, using Face ID or Touch ID. The device tells the website who we are, and that it has confirmed our identity.
The web server trusts your device to authenticate you in exactly the same way that payment terminals trust your iPhone or Apple Watch for Apple Pay transactions – because it knows your have been authenticated locally using biometrics.
In theory, passkeys are way simpler
When we create an account, we should be offered the option of using a passkey, and all we have to do is agree. Our device authenticates us, and the service creates our account. To login next time, we just use Face ID or Touch ID and we’re in.
But there are four big problems
If you use only Apple devices, and use Safari as your web browser on all of them, then passkeys get close to being that simple. iCloud synchronization means that an account created on one Apple device will be accessible on all your others.
But as Arstechnica points out, there are a lot of situations where the reality is rather different from the promise, starting with inconsistent user experiences.
The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn’t support that browser on any OS.
Worse, passkeys are tied to specific browsers.
Another example is when I create a passkey for my LinkedIn account on Firefox. Because I use a wide assortment of browsers on platforms, I have chosen to sync the passkey using my 1Password password manager. In theory, that choice allows me to automatically use this passkey anywhere I have access to my 1Password account, something that isn’t possible otherwise. But it’s not as simple as all that. When I look at the passkey in LinkedIn settings, it shows as being created for Firefox on Mac OS X 10, even though it works on all the browsers and OSes I’m using.
Top comment by Grayson Mixon
The company I work for introduced passkeys as an option months ago. That’s when I created my first one. When I saw how easy it was, I set them up on every service that I use that supports them. The passkey lives on my phone, and I scan a QR code on other machines to login on that machine. It’s not difficult. And now they are disabling passwords as an option. It will be passkeys only in 2025.
A third issue is that companies like Google and Apple may come close to forcing you to use their own passkey management systems, even when you have a different preference, and sometimes when you already have a passkey set up.
I just want to open LinkedIn using the passkey that’s being synced by 1Password to all my devices. Somehow, the mysterious entity responsible for this message (it’s Google in this case) has hijacked the process in an attempt to convince me to use its platform.
Also, consider the experience on WebAuthn.io, a site that demonstrates how the standard works under different scenarios. When a user wants to enroll a physical security key to log in on macOS, they receive a dialog that steers them toward using a passkey instead and to sync it through iCloud.
Finally, there’s the fact that while the whole point of passkeys is to ditch the security holes created by passwords, almost every service forces you to create a password login too.
Of the hundreds of sites supporting passkeys, there isn’t one I know of that allows users to ditch their password completely. The password is still mandatory […] Threat actors will devise hacks and social engineering attacks that exploit this shortcoming. Then we’re right back where we were before.
The full piece is well worth reading.
Photo by TheRegisti on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments