Sorry to be so bitter about this, but at this point, "Amazon botches UX design for feature X" isn't news – "Amazon delivers useable UX" would be.
Passkeys are complicated enough, but even as somebody having spent hours looking into WebAuthN and setting up my own smartcard-based NFC authenticator, it took me a while to understand what's going on with Amazon's implementation.
- "If you want to add a passkey, use a different cloud service account (example: Apple ID or Google account). Each cloud service account can only have one passkey for Amazon." is what I see in Firefox, for example – what on earth does that mean? Firefox doesn't synchronize passkeys with either of these accounts. The issue is that they don't support platform authenticators on macOS. That error message does not make sense!
- Ok, I get it now, so Firefox does not support passkeys, hence the button is greyed out, fair enough. But, wait... 1Password does provide passkey support through their Firefox extension. It works on every other WebAuthN/passkey-supporting site. And 1Password's passkeys do work on Amazon using Chrome! Do they just sniff the user agent here and grey out the button on Firefox? What's going on?
- The only option to manage passkeys in my Amazon account is to... delete ALL of them. I guess adding a list of passkeys and the dates they were added, like almost every other service I know supports, was just too much to ask from Amazon.
- "If you didn't set up this passkey, please go to your account settings to delete the passkey." – Oh, right, let me quickly go through the literal dozens of options in my Amazon account page. I get that Amazon does not want to train users to click links from emails (although that ship has arguably sailed, which is why we are getting WebAuthN in the first place: It's phishing-resistant!). But is it too much to ask to simply reference the path there, i.e. "Your Account -> Login & security -> Passkey" in that message?
On the other hand, this is completely in line with my user experience on any Amazon site or product. I wonder if Amazon is even aware of the mere concept of UI/UX design as something other than a half-day task any backend engineer is just expected to do as part of the feature they're shipping.
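The comment above suspects that the greyed-out button is driven by user-agent sniffing. As an added illustration that is not part of the thread, the two functions below contrast that anti-pattern with feature detection of the WebAuthn API, which is what a relying party's front end should use to decide whether to offer passkey registration. The `window`-like objects are constructed mocks (assumed shapes, not captured from any real browser), so the block runs outside a browser.

```javascript
// Added example: feature-detecting WebAuthn versus sniffing the user agent.
// Not Amazon's code; the mock window objects below are constructed for illustration.

// Anti-pattern: decide by browser name. A Firefox user whose passkeys come from
// an extension (a password manager hooking the WebAuthn API) is wrongly locked
// out, while a browser that lacks the API but has the "right" name is wrongly allowed.
function passkeyButtonEnabledByUserAgent(win) {
  const ua = (win.navigator && win.navigator.userAgent) || '';
  return !/Firefox/.test(ua);
}

// Capability check: WebAuthn is present when the page sees PublicKeyCredential
// and navigator.credentials.create(). Extensions that supply passkeys plug into
// this same API, so they are detected without any browser-specific branching.
function passkeyButtonEnabledByFeature(win) {
  const hasApi = win.PublicKeyCredential !== undefined && win.PublicKeyCredential !== null;
  const creds = win.navigator && win.navigator.credentials;
  const hasCreate = Boolean(creds) && typeof creds.create === 'function';
  return Boolean(hasApi && hasCreate);
}

// Returns both decisions so the divergence is visible for a given environment.
function compareDecisions(win) {
  return {
    byUserAgent: passkeyButtonEnabledByUserAgent(win),
    byFeature: passkeyButtonEnabledByFeature(win),
  };
}

// Constructed mock: Firefox with the WebAuthn API available (an extension
// providing passkeys uses this API, so the page sees it as supported).
const mockFirefoxWithWebAuthn = {
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: {
    userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0',
    credentials: { create: async () => null, get: async () => null },
  },
};

// Constructed mock: a Chrome-identifying environment with no WebAuthn API at all.
const mockChromeWithoutWebAuthn = {
  navigator: {
    userAgent: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36',
    credentials: {},
  },
};

// Run both checks against both mocks; only the feature check gets each case right.
for (const [name, win] of Object.entries({ mockFirefoxWithWebAuthn, mockChromeWithoutWebAuthn })) {
  console.log(name, compareDecisions(win));
}
```

In a real page, `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` (an asynchronous standard method) can additionally distinguish "a platform authenticator is available" from "only roaming or extension-backed authenticators are available", which lets the UI explain the situation instead of silently disabling the button.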
> Each cloud service account can only have one passkey for Amazon
Assuming that this error message is correct and isn't just badly worded nonsense -- if the FIDO Alliance had any sense at all this would be barred from the spec and Amazon would have to either support correct behavior or skip getting certified and getting an official stamp of approval. I cannot believe that I'm being told by advocates that attestation for roaming providers won't be a problem when they can't even get websites to allow unlimited keys to be linked to an account.
"Websites wouldn't block an authenticator, they'd just be cutting off users", I am reassured while I watch Amazon sniff browser user agents so that it can block specific browsers from logging in. I'm glad that iOS is zeroing out authentication requests voluntarily, but if that error message is to be believed, that's apparently not good enough. It needs to be part of the spec.
> I'm glad that iOS is zeroing out authentication requests voluntarily
Do you mean attestation? If so, I believe that’s mostly out of the picture already, since it does not even make any sense anymore with “cloud-resident” passkeys.
It can’t be what Amazon uses in any case, since I can use 1Password on Chrome, but not Firefox.
> It can’t be what Amazon uses in any case, since I can use 1Password on Chrome, but not Firefox.
Correct, this is not attestation using the spec, but it is blocking off a device for logging into the service. To me, the relevance to attestation is that I'm just not confident that attestation "doesn't make any sense" for companies to pursue while I'm watching a service cut off a browser in a way that also doesn't make any sense for them to do.
I think if attestation doesn't make sense, it should be fine for the FIDO alliance to have as part of certification that any provider implementing the spec should be supported and that roaming passkey providers should all do what Apple is doing and refuse to identify themselves. That's kind of two separate things: roaming providers should refuse to identify themselves, and also services that are claiming to support passkeys should as part of spec implementation not be allowed to do things like cut off a login from a passkey provider either by relying on attestation or by implementing their own hacky solution and doing something like sniffing the user agent.
> Sorry to be so bitter about this, but at this point, "Amazon botches UX design for feature X" isn't news – "Amazon delivers useable UX" would be.
It's a bit like reading a blog on cocacola.com — "People disappointed by Pepsi, say they prefer other soft drinks". Passkey integration is this company's main (only?) product, and the submitter to HN is the company co-founder.
I appreciate that the blog post itself wasn't overly sales-y, but maybe it'd be good to have an [Advertorial] tag or something for when people want to promote their own product. That, or have OPs do a disclosure in a comment if they're submitting something through a personal account that's on behalf of their own company.
> Sorry to be so bitter about this, but at this point, "Amazon botches UX design for feature X" isn't news – "Amazon delivers useable UX" would be.
(Tangential) I keep saying this: if any other company without a business model as strong as Amazon was run like Amazon they'd be dead.
But for some reason execs see Amazon and think "if they can ship an utterly mediocre product and win, so can we"
My brother in Christ first build a distribution network that can deliver a million products to my place within 1 day, then you earn the right to ship an eyesore app.