Exactly my experience. The mental model is easy once you understand that it’s just a key on your device/app.
It’s just really hard to wrap around your head that this is the actual implementation with so many drawbacks given most people have 2+ devices, and different OSes to provide it.
I won’t use them.. although I’d have loved to use them.
When they work they work, but I can’t trust them completely, so what’s the point? There’s no difference with a password, except that the sign-in process can be streamlined when everything works
I suppose they refer to a more detailed mental model. For example, I know that it's a key in my device, but I don't have a detailed enough model to know if it will work if transferred to another device or stored in the cloud, or what I'm supposed to do at a cybercafe/hotel/airport/borrowed computer. So my mental model is not good enough. With passwords, the answers to questions like that are obvious.
That’s the problem. I don’t think that’s part of the spec.
I’m also not sure, and given that there’s no mention of transferring, backing up etc, I assume they’ll be lost forever.
I won’t take that risk. And if they require my email/password/2FA to recover, then what’s the point.
I wanted to love them so much, but I can’t. I won’t burn myself again like with getting a new phone and losing all your 2FA, because someone thought it’d be a good idea to make them device bound on most apps.
> There’s no difference with a password, except that the sign-in process can be streamlined when everything works
There is one other major difference behind the scenes: With passkeys, the service you’re logging into never has enough information to authenticate as you, so leaks of the server-side credential info are almost (hopefully completely) useless to an attacker.
If you think there's no difference between a password and a passkey, that kind of tells me you don't really know a lot about passkeys, so it makes sense you'd think they're just worse-implemented passwords.
The only difference is that you sign the authentication.
I think Facebook does the same thing when logging in with a password.
It’s been crudely done for ages by sending over a hashed version of your password when submitting a form.
Not the exact thing, but still.
What is the problem they’re trying to solve? I’m not sure to be honest. Is it leaked passwords/keys? No difference there, as all passwords are unique anyway with a password manager.
Is it ease of use? I hoped so too.. but nope.
Is it anonymity? I hoped so too, but just like “hide-my-email”, apps will detect it, and require all other missing info such as your real email, name etc.
The only difference is that you sign the authentication, except all the other differences like the server doesn't keep a secret that can be stolen, it can't be phished, you can't reuse it, you can't mistype it, you can't store it improperly.