We’re building an interactive resource to demystify passkeys for both the general public and more technical users.
We’re aggregating questions to ensure our FAQ and interactive guides cover "how do I use this?" type questions from non-technical users as well as the real-world edge cases that more technical people care about.
Some prompts:
• What questions do you get from friends and family?
• What are the biggest hurdles you've faced when using them?
• What are your technical "how does this actually work"-type questions?
We’d love your input. Any and all feedback is welcome!
> The essay has a condescending attitude towards the normie computer user who can't possibly be expected to know, but it's precisely the normie computer user who would never get the stupid idea of "cleaning up" their passkeys in the first place -- that's something only a nerd with a neurotic attitude to their computer would do.
Thanks for the feedback. That certainly wasn't the intention. It was more about the average user not remembering specific details about their passkeys. Which I do stand by. If you have some suggested text to help clarify that, happy to update the post.
You can use any credential manager you choose. It is an open ecosystem. If you don't want to use a cloud service, don't. You can self-host many credential managers. There are also many solutions that just use a local database.
I'm the guy you're talking about. Always easy to crap on people when you selectively quote what they said. The core pieces you left out are:
> I don't quite understand why requiring file protection/encryption can't be a temporary minimum bar here.
> or at a minimum require file protection/encryption.
If you think helping users to be safe online (which includes putting basic safeguards in place, like not leaving hundreds of unencrypted private keys on someone's desktop or downloads folder in plain text) isn't an important part of designing solutions for global scale, then we think about things very differently.
Not really. The attestation model defined for workforce (enterprise) credential managers/authenticators doesn't really work in practice for consumer credential managers.
A passkey is a discoverable credential (aka resident key) in spec terminology. But the type of credential has no relationship to attestation (which is not used in the consumer passkey ecosystem).
Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".
If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.
Always happy to chat directly if you have concerns!
This is one of the core use cases for why FIDO Cross-Device Authentication was created. To be able to use a passkey to sign in on a shared device, a device you don't control, or a device where you just need temporary access to something.
Not exactly. For example, the default credential manager on Android is Google Password Manager, which works on Windows, macOS, iOS, and Ubuntu. There are also dozens of other third party choices.
I used the technical name for the capability, but you've likely run into it before.
If there is no passkey on the local device, a QR code will appear which you can scan with your phone or tablet, and use the passkey for the account from that device. It just kind of happens, typically without the user having to do anything special.
I will say though, corporate devices can be a bit of a wildcard as they are usually configured and locked down for a specific purpose. But the cross-device flow is generally not blocked by organizations.
Unclear how this quoted comment relates to what I was replying to (which was about exporting / backing up your credentials).
But I'll respond.
> Will I always be able to use any credential manager of my choice? Any naturally also includes software that I might have written myself. And would you be in support of an ecosystem where RPs might block my implementation based on my AAGUID?
If a website were to block your custom software's AAGUID for some reason, you can change your AAGUID.
AAGUIDs in the consumer passkey ecosystem are used to name your credential manager in account settings so you remember where you saved your passkey.
You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.
> But I want to use Apple Passwords.
You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.
We’re aggregating questions to ensure our FAQ and interactive guides cover "how do I use this?" type questions from non-technical users as well as the real-world edge cases that more technical people care about.
Some prompts:
• What questions do you get from friends and family?
• What are the biggest hurdles you've faced when using them?
• What are your technical "how does this actually work"-type questions?
We’d love your input. Any and all feedback is welcome!
Please submit your questions via this form: https://forms.gle/wmaydkzmUp2eKfJG7