Passkeys are basically a protocol upgrade for password managers. A limitation is that you have to use a password manager, but the protocol is more secure.
If you have a password manager you like, maybe it’s for the best?
Maybe use more than one password manager, just in case.
I have been using a password manager for 16 years, and as much as I always want to use autofill, there are still situations where I need to either copy/paste the password, or reveal the password and type it in.
I don’t think we’re at a point where I can 100% trust that the password manager will be able to handle every situation I run into from now until forever, and that’s what passkeys are asking for. I don’t see it.
And what happens when I need to log in to a device I don’t own, or don’t have/want my personal password manager on?
For example, I can’t (and won’t) load my personal password manager on my work computer, but there is 1 site I use my personal account for and had to log in when I got a new work laptop a few months ago. Another example is I still bum TurboTax off my dad, since he gets the version where he can do a bunch of returns. To download my data from the bank I need to log in on my dad’s computer, and I’m pretty sure even if it was mine the password manager isn’t going to work with TurboTax. Another example I had was needing to log in to a site to download and print something on a computer in a business center at a hotel… not something I ever want to make a habit of, but I was in a bind. I could go on.
These things come up. I think the idea that a person will only ever need to log in on their own computer is unrealistic. That might be the case 99.9% of the time, but not 100%. That 0.1% does need to be accounted for.
The usual workflow in practice when logging in to an “other” (hotel/work computer) computer is that you will be prompted to complete the authentication using a device with your passkeys (like your phone). The CTAP protocol they mentioned effectively turns your phone into a security key.
Using your phone with passkeys you scan the QR code shown by the website, then CTAP magic happens and you’re authenticated.
The great thing about this is that no reusable credentials are ever revealed to the dodgy computer.
"The other component of FIDO2, Client to Authenticator Protocol (CTAP), is complementary to WebAuthn. It enables an external authenticator, such as a security key or a mobile phone, to work with browsers that support WebAuthn, and also to serve as an authenticator to desktop applications and web services."
"CTAP2 and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. Any interoperable client (such as a native app or browser) running on a given “client device” can use a standardized method to interact with any interoperable authenticator – which could mean a platform authenticator that is built into the client device or a roaming authenticator that is connected to the client device through USB, BLE, or NFC."
What happens is that you can’t do it. Maybe that’s a feature? Passkeys prevent you from logging in using a dodgy hotel computer. It’s protecting you from yourself. I’m not sure that’s appropriate for every account, but there are probably some accounts where it makes sense.
But I expect that businesses will probably like it better than consumers. They probably don’t want their employees logging in using dodgy hotel computers.
I will agree a hotel computer is dodgy. I did try and give it a once-over in the OS, and checked for any obvious hardware keyloggers before doing anything. I also changed my password as soon as I was done. The alternative, if I remember correctly, was not making it home. With a password I can evaluate a situation and take a calculated risk to solve a problem. If I had passkeys, I would have been out of luck. Maybe I could have spent hours with some customer service agents to try and figure it out, hopefully before the flight left. If a passkey left someone stranded in another country, any idealistic views they might have would quickly be replaced by frustration and anger.
The other 2 examples I gave were not random public computers. They were either in my control or the control of trusted family members. I still want solutions to those situations that passkeys can’t answer (as far as I know).
There are similar issues with 2FA. I was traveling a few years back and broke my phone. It’s the only time I’ve ever broken a phone. All the info for my flight and my tickets were on the phone. I was able to get to an Apple Store and get a replacement. When I went to set it up I got a 2FA prompt (it was enabled for me without me opting in sometime earlier). The only reason I was actually able to set it up was because I brought an iPad with me, which was just dumb luck. I often only have my phone. On my most recent trip I created a recovery key, wrote it down, and put it in a money belt I wore every day. I’m really not sure what other option I’d have to recover if my devices were broken/lost/stolen. Of course having the key on me carries its own risk. Yes it was hidden and on my person, but I also felt the need to add a bit of randomness to it, in case someone did somehow get it, somehow figured out what the paper with a bunch of seemingly random letters was, and tried to use it. But this isn’t a normal thing people do, they’re just going to be screwed if something happens. When security starts locking out the owner because it’s too unclear, too complex, or too device restrictive, it can hurt more than it helps.
I understand the issues with passwords and why people want to get rid of them, but this feels like a happy path solution that doesn’t account for edge cases, which is a problem. There will always be edge cases and they can’t be ignored for something as foundational as authentication.
I'm wary of not having backups, too. For passkeys to be more than a niche solution, I think the answer for travellers will be not having just your phone, in case it breaks. This is a hardware-based solution so there needs to be extra hardware.
I have a Yubikey on my keychain and usually have a tablet as well, but it will need to be something more common.
To speculate, credit cards have RFID chips in them now, so maybe there is a possibility to identify yourself well enough to buy a phone and restore backups?
Meanwhile, if you use Google and Apple password managers, they do have systems to get your password manager back on a new device. For Apple, it seems you need to remember your Apple ID password and for Google, the pattern you use to unlock your phone.