> Knowledge-based access is inherently problematic: if you don’t police passwords, most people will be compromised because they use weak and/or shared passwords.

I don't like it that the solution is to usurp control from the user and gate authentication through what will, in my opinion, ultimately be a small number of big tech companies. We'll eventually be dependent on having an Android phone, an iPhone, a Microsoft account, or similar. It'll be a world of "trust me bro" credential managers and you'll have to hope you never get banned by the big tech companies because it'll have a life altering impact if that means losing access to all of your accounts.

The reality is that big tech has proven we can trust them because we're nothing more than 1 of a billion customers as far as they're concerned.

> Passkeys avoid all of that, but you need backups either in the form of a Yubikey or a recovery code in your wallet.

Passkeys create a huge burden in the context of managing devices and recovery codes.

To start with, I'm not a fan of recovery codes. I have so many accounts that it's almost impossible to keep track of all the recovery codes. I have to organize them well enough that anyone who would happen to get access to my file cabinet would own my life.

To mitigate that, I need a system for tracking which recovery codes I have in my file cabinet and I need a plan for rotating / revoking them if anyone gains access to them. Even worse, printed recovery codes are observable without alerting the owner (aka me). Someone could photocopy all my recovery codes and I wouldn't know I've lost control of them.

As for devices, I use Yubikeys for my high-value accounts and managing them is a huge pain in the ass. I have 5 sitting beside me. One is old, two are v4, two are v5. I didn't keep a list of all the accounts I used them for from day 1, so now I have to keep all of them. Forever. Just in case.

The only way Passkeys will solve those problems is by taking complete control of authentication and treating it like a managed service. You'll be giving up control of your ability to prove your identity and, eventually, you're going to be paying a subscription fee for it.

In my opinion it's almost a guarantee that Passkeys are going to be used as leverage against users, not to benefit them. The sad thing is that once 99% of oblivious users are fooled, the rest of us are going to get the choice of using them or being shut out of everything.
