Passkeys strike me as a solution to a problem that security professionals have—not users.
When I log into a site via Passkeys with Safari on macOS, it shows me a QR code that I have to scan with my phone.
This alone is a huge assumption. My dad can’t stand his phone and will not want to use the thing to login to websites.
Then there’s other problems: what happens if the phone is lost, the battery is dead, or the person doesn’t want to get up and get it? Are they denied access?
That doesn’t even get to what happens if the Passkeys are somehow lost, then I bet where back to something that looks like a username and password.
I know there’s other Passkey UX’s, but of all the implementations I’ve seen to date, they all seem to be built by people in tech for other people in tech. Consideration for non-technical users seems to be lacking.
The MacOS situation has been the most confusing. Neither Safari nor Chrome can use passkeys, which makes me think Apple either doesn't allow/support syncing them directly to the MacOS keychain, or the (windows hello-esque) APIs to access them are just not there.
What I’d expect from Apple is the Passkeys are stored in iCloud Keychain. To use it would ask for Touch ID authentication on that same device, then provide the key to the website after a successful auth.
The “go find your phone and take a picture of this QR code” seems like insanity, even if they’re trying to require two devices to authenticate.
Windows exposes APIs for "windows hello" - which is an easy way for apps to authenticate via usb authenticators or windows' built-in authenticator (when available via TPM). I imagine that, on macOS, such an API would allow apps to authenticate using any passkeys in iCloud Keychain directly, of course with an OS-based user presence requirement like entering system password or using touch ID.
When I log into a site via Passkeys with Safari on macOS, it shows me a QR code that I have to scan with my phone.
This alone is a huge assumption. My dad can’t stand his phone and will not want to use the thing to login to websites.
Then there’s other problems: what happens if the phone is lost, the battery is dead, or the person doesn’t want to get up and get it? Are they denied access?
That doesn’t even get to what happens if the Passkeys are somehow lost, then I bet where back to something that looks like a username and password.
I know there’s other Passkey UX’s, but of all the implementations I’ve seen to date, they all seem to be built by people in tech for other people in tech. Consideration for non-technical users seems to be lacking.