William writing at Firstyear's blog-a-log: Passkeys: A Shattered Dream

Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate - you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better ux.

This sadly resonates with me quite a bit. Taking Apple’s passkey implementation as an example, it usually works well if you’re using 100% Safari and Apple devices signed into your iCloud account, but as soon as you step a single toe out of the perfect use case, it turns into a nightmare of authentication. As soon as a website throws up the QR code that I need to scan with my phone I want to scream.

1. See QR code
2. Find phone
3. Unlock phone
4. Open camera app
5. Scan QR code
6. Wait 10-30 seconds
7. Choose passkey
8. Authenticate with Face ID
9. Wait another random amount of time

At this point, sometimes it works, sometimes it doesn’t and you need to try again. I’m not saying where the blame lies in these situations where it fails, just that it does way more often than I’ve ever experienced with usernames and passwords.

So yeah, the best passkeys experience is better than the normal password experience, but it quickly gets way worse.

At this point I think that Passkeys will fail in the hands of the general consumer population. We missed our golden chance to eliminate passwords through a desire to capture markets and promote hype.

Corporate interests have overruled good user experience once again. Just like ad-blockers, I predict that Passkeys will only be used by a small subset of the technical population, and consumers will generally reject them.

I’m sure people who work on passkeys will say it’s technically challenging, but there are definitely points of lock in I feel using passkeys myself. I use 1Password and I have about 20 passkeys saved there. I’ve considered switching to Proton Pass, but there is no way to migrate passkeys from one service to another, so I’d lose my authentication to 20 sites if I did that. And this isn’t a 1Password thing, there’s no service that allows for importing or exporting passkeys as far as I know. Also, I do use iCloud Keychain for one passkey: the one for my Apple ID because Apple doesn’t allow you to create a passkey using anything else. Cool.

This really bums me out because I was super high on passkeys when I first learned about them a few years ago. A decent number of places support them, but I’d love to know what their adoption rate is at the places that have added support for them. My worry is that adoption from users is very low and passkeys will end up like hardware keys: something more secure than a password, but so much less convenient that most people never bother.