On Fri, Aug 1, 2025 at 8:05 AM Sriram Karra <[email protected]> wrote:
> *@udhay* I agree the communication problem is real. Given the scope and
> ambition of passkeys, various questions like *"What are they", "How do I
> use them", "What do they give me", "How do they work under the hood", "I
> already use security keys; how are these any better"* all need to be
> answered, and at different levels for different cohorts of users. But yes,
> definitely no one should have to hear about or understand PKI to understand
> what passkeys can do for them.

There are also various implementation issues, as the article
<https://systemsapproach.org/2024/10/14/can-passkeys-replace-passwords/>
Tim shared alluded to. E.g., with my google account, after adding a passkey,
for some reason the pre-existing hardware-token-based 2FA (yubikey) stopped
working. I haven't bothered to spend time debugging this yet but it's an
irritant. If you can help with this, drop me a DM.

> But allow me to push back on one of your assertions:
>
> > *Udhay
> > From a purely operational (and not theoretical) perspective,
> > passkeys are multiple things. They are credentials that live either in your
> > password manager (in which case they are portable) or in your phone, or
> > perhaps your FIDO2 key (in which cases they are not).*
>
> From a purely operational perspective, how is that different from saying
> "*passwords are multiple things because you can save it to Apple Notes
> **or commit it to memory** (in which cases they are portable), or write it
> down in a physical notebook (in which case they are not)?"*
>
> A passkey is just a credential. And users have agency over where to store
> them; they can be stored on general purpose computing devices (phones,
> tablets, laptops, desktops), or on special purpose devices (security keys).
> Where you choose to store the passkey bestows additional security and
> usability properties, just like having your password committed to memory,
> written down in a notebook in your house, or saved away in a bank deposit
> box allow different affordances but don't change what a password actually
> is.

Fair enough, as far as it goes - although I will add the nitpick that in the
above example, one can write the same password down in a different piece of
paper, but can't do that with a passkey bound to a device or hardware key. :)

Udhay
--
Silklist mailing list
[email protected]
https://mailman.panix.com/listinfo.cgi/silklist
