Ricky Mondello, who works on passkeys at Apple, on Mastodon: What causes bad passkey experiences

By listening to lots and lots of feedback, I’ve learned that if someone’s main experience with passkeys is with a password manager that doesn’t natively integrate into the OS it’s running on — instead, one that hijacks web browser API — they’re far, far more likely to think they’re not a great user experience.

Some browser extensions that replace the built-in OS experiences have done so much harm to how technologists view the technology.

I agree to an extent that bad implementations lead to bad user experiences that lead to people getting a negative impression of passkeys, but I think that's only part of the story. Mondello doesn’t cite examples they think are bad, so it’s hard to get a grasp on exactly what these bad experiences look like (I’ve inquired about examples, but didn't hear back). I personally use 1Password in the Chromium and Firefox browsers I use day to day on the Mac and Safari on iOS and iPadOS, and it’s pretty great in my book. Yes, it has its own UI for this on the Mac, but it’s not clear to me that 1Password is even able to use the system UI like it can in iPhones and iPads. Regardless of whether they can use the system UI on the Mac, the UI/UX is consistent with how 1Password does passwords, making it a pretty seamless transition as someone who has been used to using 1Password for years. Is 1Password one of the bad examples Mondello cites? I don’t know, but I suspect it is.

Consider this my semi-annual update on why I love passkeys in theory, but I completely get why they’re not taking off like crazy as we’d hoped.

People don't understand what a passkey is, and people don't trust what they don't understand

At a core level, I still don’t think people fundamentally understand what passkeys are. Passwords are tangible and something people can understand (and they’ve been using them for decades…familiarity is a hell of an asset in UX), but passkeys are ephemeral…they’re magic, but not in the good way computers can make things feel like magic, in the bad way where you feel like you’re giving up control. What practically is a passkey? Proponents will say it doesn’t matter and that’s a benefit, but it seems to me like it scares people away.

It's unclear to users whether passkeys are any more convenient than using a password manager

I also think there’s a gap in communicating the usability benefits of signing in with passkeys. Demos always show “wow, you just authenticate with your face to log in” or “you don’t need to write out a long password when signing up”, but those are exactly consistent with what people have been doing with password managers for many years. The password is auto-generated when signing up and you sign in with Face/Touch ID when going back to sign into that site. The ideal workflow for using passwords and passkeys just doesn’t feel that different.

Years later, it seems we're no closer to a password-free world than we were before

I also think it’s an issue that no one that I know of has completely replaced passwords with passkeys. I know that’s the vision of passkeys, but it hasn’t happened yet. As such, I still have to create a password everywhere and I also have to make a passkey if I want one. This is a problem because it’s putting more work on me than I used to have and it’s completely negating the point of passkeys: getting passwords out of the system. If a company stores my passwords insecurely and they get hacked, it doesn’t matter that I made a passkey as well, the attackers will still be able to get into my account.
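To make the point above concrete, here is an added example (written for this page, not code from the post or from any password manager or site mentioned in it) of the two login paths a site keeps side by side. It models an account record with a salted password hash and a registered passkey public key, verifies a passkey login as a signed server challenge, and shows that the only thing that closes the breach window is dropping the password; the passkey alone leaves it open. The names (`Account`, `LoginWithPassword`, `LoginWithPasskey`, `DropPassword`), the HMAC-based password hash standing in for a real KDF, and the use of Ed25519 in place of WebAuthn's usual algorithms are all simplifications chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Account models what a site stores per user. A passkey leaves only a public
// key on the server; a password leaves a hash whose safety depends entirely on
// the site's KDF and storage practices.
type Account struct {
	User         string
	Salt         []byte
	PasswordHash []byte            // nil once the account has gone passkey-only
	PasskeyPub   ed25519.PublicKey // nil while no passkey is registered
}

var (
	ErrNoPassword    = errors.New("password login is disabled for this account")
	ErrBadCredential = errors.New("credential rejected")
)

// hashPassword is a stand-in for a real password KDF (argon2id, bcrypt);
// HMAC-SHA256 keyed by the salt is used only to keep the example stdlib-only.
func hashPassword(salt []byte, password string) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(password))
	return mac.Sum(nil)
}

// NewAccount is the sign-up path every site in the post still requires.
func NewAccount(user, password string) (*Account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{User: user, Salt: salt, PasswordHash: hashPassword(salt, password)}, nil
}

// RegisterPasskey creates the key pair. The private key stays with the
// authenticator (phone, password manager); the site only ever sees the public key.
func RegisterPasskey(a *Account) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.PasskeyPub = pub
	return priv, nil
}

// DropPassword is the step the post says no site has taken yet.
func (a *Account) DropPassword() {
	a.PasswordHash = nil
	a.Salt = nil
}

// LoginWithPassword succeeds for anyone who knows the password, including
// someone who recovered it from a breach elsewhere, as long as the path exists.
func LoginWithPassword(a *Account, password string) error {
	if a.PasswordHash == nil {
		return ErrNoPassword
	}
	if subtle.ConstantTimeCompare(a.PasswordHash, hashPassword(a.Salt, password)) != 1 {
		return ErrBadCredential
	}
	return nil
}

// NewChallenge is a fresh server nonce; a real server must also mark it
// single-use so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is the authenticator side: only the holder of the private key can produce this.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// LoginWithPasskey checks the signature against the stored public key. A copy
// of the Account record (a breach) contains nothing that lets anyone pass this.
func LoginWithPasskey(a *Account, challenge, sig []byte) error {
	if a.PasskeyPub == nil || !ed25519.Verify(a.PasskeyPub, challenge, sig) {
		return ErrBadCredential
	}
	return nil
}

func main() {
	acct, _ := NewAccount("alice", "correct horse battery staple") // constructed sample user
	priv, _ := RegisterPasskey(acct)
	chal, _ := NewChallenge()
	fmt.Println("genuine passkey login:", LoginWithPasskey(acct, chal, SignChallenge(priv, chal)))
	// Password recovered from a breach: the passkey changes nothing while the password path exists.
	fmt.Println("leaked password login:", LoginWithPassword(acct, "correct horse battery staple"))
	// The stolen record holds only the public key, so a signature from any other key is rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged passkey login:", LoginWithPasskey(acct, chal, SignChallenge(otherPriv, chal)))
	acct.DropPassword()
	fmt.Println("leaked password after passkey-only:", LoginWithPassword(acct, "correct horse battery staple"))
}
```

The design point is in `DropPassword`: the passkey adds a second, phishing-resistant path, but the account's breach exposure is set by the weakest path that still exists, so a site that keeps the password has not reduced that exposure at all.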

There are also issues with the user experience, which changes from place to place, so let's take a look at a few. Here's Nintendo.com, which lets you create a passkey, which I have done.

This page is very busy and the password field is right there at the top, which I need to have for Nintendo anyway, so most people will probably just autofill that from their password manager anyway.

1Password (and presumably other password managers) can notice that you're on a login page that supports passkeys and will proactively present this at the top of the page, which lets me log in with a single click, which is nice and makes it easier.

Then I went to Stripe, which used to call passkeys "sign in with your device" but they seem to have moved to the standard "Sign in with passkey" nomenclature. I didn't have one yet, so I had to:

  1. Log in with my password
  2. Go to settings
  3. Personal settings
  4. Add passkey
  5. Confirm a 2FA message
  6. Confirm an emailed verification message
  7. Create the passkey

That's so many steps, and it's a thing you only want the right person to be able to do, but man, I really had to want to make a passkey to make it through that gauntlet.

Target has a pretty good sign-in form with passkeys getting relatively equal billing, and passkeys actually do save a click over the username/password flow, since Target does the annoying thing where you enter your email, continue, and enter your password on a separate form.

Then there's Apple, which should be a shining example here, and the form is decent enough, but the problem comes when clicking the passkey button.

For reasons that make no sense to anyone, Apple only allows you to use Apple Passwords to create a passkey. This honestly feels like a prank, but yeah, I am unable to create a passkey with 1Password or any other password manager. This isn't a power services had in the password era, but apparently they have this power now, and that's insane to me. If this is Apple trying to set an example, it's a pretty user-hostile one.

Data portability is a problem

Ever since passkeys were introduced, they have been 100% locked to whatever password manager you happen to use. Got tired of Apple's Passwords app and want to move to something like Bitwarden or 1Password? Screw you, your passkeys can't be moved. Supposedly, this is going to get better soon and there will be a solution, but it's not out yet, so I hope it makes moving passkeys between managers as easy as moving passwords is today.

And this doesn't even bring up the concern some have had that you literally cannot use passkeys without involving a third party to manage them for you. You must trust Apple, 1Password, or LastPass to keep all this for you. Oh, you'd prefer to manage passkeys yourself? Well screw you, you can't. I'm not saying this is an issue for everyone, but there are people like my parents who don't want to entrust their logins to someone else, so they keep their passwords in a secure spreadsheet document. Not to get too dark here, but they've also made sure I know how to get to the doc and open it for the inevitable day where I need to log into their accounts and handle things when they can't anymore. I'm sure there will be a way to do this in a passkey-only world (take their phone and pretend I'm them, I guess), but it's more abstract and harder to pin down, which doesn't resonate with less technical people.

Maybe next year is the year of passkeys…

Again, I'm a big fan in general of passkeys, and I do wish that they seemed to be more successful among normal people. I dream of living in a world where data breaches that leak user credentials are a thing of the past. I love the idea of never having to click a "forgot password" link ever again. I just don't see us any closer to either of those things being relics of the past. Instead, those problems still exist, but now we also have passkeys in the mix. Literally none of my accounts have gone all-in on passkeys, they all still have passwords and are all just as vulnerable to data breaches as they were before passkeys existed.

Maybe next year Linux will take over the desktop, Bluetooth will be great, and passkeys will live up to their potential.