If the person is moderately security savvy I explain passkeys as a combination of three things - a unique site-specific password, something you have, and something you know/are. Wrapped up in a convenient (ok, not always) UI/UX.
If the person isn't security savvy enough to know why those three things are important I tell them it's a phishing resistant password that's more convenient than 2FA.

— Charles

On Fri, 1 Aug 2025 at 09:35, Sriram Karra via Silklist <[email protected]> wrote:

> Thanks for the engagement and sharing your thoughts!
>
> *@udhay* I agree the communication problem is real. Given the scope and
> ambition of passkeys, various questions like *"What are they", "How do I
> use them", "What do they give me", "How do they work under the hood", "I
> already use security keys; how are these any better"* all need to be
> answered, and at different levels for different cohorts of users. But yes,
> definitely no one should have to hear about or understand PKI to understand
> what passkeys can do for them.
>
> But allow me to push back on one of your assertions:
>
> *Udhay > From a purely operational (and not theoretical) perspective,
> passkeys are multiple things. They are credentials that live either in your
> password manager (in which case they are portable) or in your phone, or
> perhaps your FIDO2 key (in which cases they are not).*
>
> From a purely operational perspective, how is that different from saying
> "*passwords are multiple things because you can save it to Apple Notes
> **or commit it to memory** (in which cases they are portable), or write it
> down in a physical notebook (in which case they are not)?"*
>
> A passkey is just a credential. And users have agency over where to store
> them; they can be stored on general purpose computing devices (phones,
> tablets, laptops, desktops), or on special purpose devices (security keys).
> Where you choose to store the passkey bestows additional security and
> usability properties, just like having your password committed to memory,
> written down in a notebook in your house, or saved away in a bank deposit
> box allow different affordances but don't change what a password actually
> is.
>
> Specifically on the PIN/Fingerprint confusion, I've found the following
> variant works with a less technical audience. WDYT?
>
> *Once you save a passkey for your Amazon or Google account (say) to your
> iPhone, subsequently signing in to that account on that phone will be much
> easier, and basically happens in two steps; (a) you prove that you are the
> phone's owner - by demonstrating you can unlock the phone using your PIN or
> face id, and then (b) the phone's OS will securely sign you into your
> Amazon/Google account using the passkey on the phone. What's more, once you
> save a passkey to your iPhone, it will be shared with all your other Apple
> devices automatically, and signing in to that Google account works again in
> those two easy steps. This saves you from having to create or remember
> wonky passwords for every site you have an account on.*
>
>
> *@martin* thanks for sharing your experience and circumstances. At this
> stage of the technology some important end user usability details are
> dependent on platform-specific implementation details. Among the major
> operating systems, Windows' passkeys support is lagging along many
> dimensions. I'm told things should get better in the next 18-24 months. If
> you could, and haven't already, I'd recommend you to upgrade to Windows 11.
>
> It is my belief that once we're through this initial phase, passkeys will
> work especially well for users with challenges like you mention in your
> note. Imagine a world where you don't need to memorize or type in crazy
> combinations of letters and weird characters anywhere online, but just
> invoke a passkey the same way you unlock your personal devices tens of
> times every day already.
>
> *@timbray* That's a good article; thanks for sharing. Some of the
> challenges outlined there are real (inconsistencies in UI/UX, multiple
> systems "wanting to help" etc). The only minor push back I have is that the
> author uses the (admittedly poor) passkey experience from his niche
> security-savvy setup to conclude the tech is too confusing for regular
> users. Everyday users of the internet don't use 1password, or buy Yubikeys.
> Security keys are great, but they're a niche. Passkeys, OTOH, have achieved
> multiple orders of magnitude more adoption in less than an order of
> magnitude of time.
>
> Oh, I would also recommend this two part series from the EFF. It's almost
> 2 years old now, but is objective, tightly composed, and essentially
> correct.
>
> Part 1: https://www.eff.org/deeplinks/2023/10/what-passkey
> Part 2: https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy
>
> *@charles* Yay. Go passkeys!
>
> *@peter* Have a read of the links shared in this thread, and also the
> support documentation of top web services you may be using. Amazon, Google,
> Intuit, Paypal, WhatsApp, and many more all have good support. Also happy
> to directly answer any questions you have.
>
> -Karra
>
>
> On Tue, Jul 29, 2025 at 11:44 PM Sriram Karra <[email protected]> wrote:
>
>> (resending to the "right" list address)
>>
>> In my day job I work on supporting passkeys as a way to access online
>> services. Passkeys are designed as an easier and more secure alternative to
>> passwords. They have been around for a few years now and I hope many of you
>> have encountered them in the wild.
>>
>> Passkeys are intended to be usable by nearly everyone online. And I like
>> to ask my networks about their experiences, as an unscientific dipstick
>> measure of common perception.
>>
>> So dear Silk listers, I'm curious to hear *your personal* experiences
>> with, and your original thoughts about, this new tech. It could be either
>> from your own online journeys, or while acting as tech support for your
>> family and friends.
>>
>> -Karra
>>
> --
> Silklist mailing list
> [email protected]
> https://mailman.panix.com/listinfo.cgi/silklist
>
