> I think this is exactly what _most_ people want.
Like seven people replied to say this, but they're all missing the trick.
Most people want this because they're guided to want it. If you show people the convenience but not the risk, of course they want something with an advantage and no apparent disadvantage. But the disadvantage exists, it's just not immediately obvious.
Then some corporate machine learning algorithm decides that it's your day to have a bad year, or the screws only get tightened after you're already locked in, and the regret comes some time after the decision is made.
Whereas the nerds who can see the inside of the machine are aware that this sort of thing happens and their response is no thank you. A starkly different preference from the people paying the most attention is a troubling sign. It's the early stages of this:
https://xkcd.com/743/
The thing that gets me is that people then defend the practice because it's likely to be successful. Lots of unsophisticated people are going to put all their eggs in one basket and then have a bad time, which is a result we should be trying to prevent, not defend the people causing it because they're likely to turn a profit. Companies making money on information asymmetries and the misfortune of others is a flaw we should be looking for ways to optimize out.
> Most people want this because they're guided to want it. If you show people the convenience but not the risk
I think that what is convenient to you, or to fellow engineers, is not what is convenient to the mass public or non-technical people. Very simple solutions, which are often platform-specific, tend to be a lot easier in many cases -- not necessarily all cases, but when something is built-in to a device or OS, this does remove some burdens from users.
No part of that is intrinsic. Example: Everybody is constantly using Internet Protocol, a standard implemented by vendors the world over, many of which have never encountered one another, and yet their devices and programs can still interact with each other. From the perspective of the ordinary user it "just works", but it is in no way vendor or platform-specific.
Indeed, this generally works better than vendor-specific technologies as soon as you encounter the real world where different people have different stuff. Safari works just fine with Linux webservers because they're interacting using open standards. Then you want to get your Mac to work with Active Directory and it's a frustrating mess because it's not open standards and neither vendor wants to facilitate the use of the other's proprietary technology.
It's putting password management into the same basket as the device.
Suppose your Apple ID gets compromised. The attacker is a jerk and decides to remote erase your device. Then they use your account for black hat stuff and get it permanently banned, or just erase everything on iCloud too.
If the password manager was a different service then you'd still have the password for that service and could get in and recover your accounts on everything else. If it isn't, where's your stuff? The device and the cloud backups are both gone because they were both tied to the same compromised account.
Or you just break your phone and then realize you don't know your password. You can reset your password with your email, so now you just need your email password, which is iCloud, which is the same password. Uh oh.
Whereas if your eggs aren't all in the same basket, you can get a foothold somewhere. If you use a third party email service and haven't forgotten that password, you can still get your email on another device. If your password manager backs up to a third party service or your very own Raspberry Pi, you have access using a different set of credentials than the ones you forgot.
I think you might be making some assumptions about how this stuff works without looking into it.
- A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.
- You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).
- Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.
> A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.
But this is an example of not putting all your eggs in one basket. An all-in Apple customer is using Apple as their main email.
> You can still recover your Apple Account and iCloud Keychain without any devices
This assumes that you remember your password, and that the attacker has not changed your password, and that the account has not been permanently disabled for abuse.
> Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.
"Protected" means someone needs more than just the iCloud account to get access to them, not that you can re-download them if you lose access to your iCloud account.
It also depends on how your account was compromised. For example, if a thief observes you entering your unlock code and then steals your phone, they have the device they need to access all your passwords too.
> - A lot (most?) people’s Apple Account name is actually their main email address (e.g. Gmail), so they would still control their email address even if their Apple Account was compromised.
But the login for the Gmail address is a passkey that's on the Apple account...
> - You can still recover your Apple Account and iCloud Keychain without any devices (e.g. if phone broke like in your scenario).
So what's the point of passkeys if you can get access to them without passkeys?
> - Your passkeys stored in iCloud Keychain are still protected even if your Apple Account has been compromised.
How can something be protected when the thing that controls access to it has been compromised?
> But the login for the Gmail address is a passkey that's on the Apple account...
A passkey is just a replacement for a password. Google (and other apps/websites) have account recovery processes for users who get locked out of their accounts. The way you get back into your Google account doesn’t change much just because you’re signing in with a passkey vs. a password.
Account recovery is a problem that service providers have to solve (and do solve) regardless of whether a user authenticates to their account with a password or a passkey.
> So what's the point of passkeys if you can get access to them without passkeys?
Some huge benefits are:
1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.
2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).
3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.
4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).
I suggest watching Apple’s WWDC videos. There you will find a very very in-depth answer to this question.
All of the points I’ve made above (and more) are covered in the linked videos.
If you won’t watch any of the above then you should at least read the FAQ on passkeys on the FIDO website here, which should answer many of your questions:
Specifically, carefully read the following sections titled “Synchronization security” and “Recovery security”. The short answer is that gaining access to the user’s iCloud Keychain contents requires more than just having access to the Apple Account.
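The origin binding and public-key-only storage described in points 1 and 2 of the comment above, shown as an added example (not part of the thread, and not Apple's, Google's or any browser's code): a simplified Node.js model of a WebAuthn assertion. The domain names, the function names and the plain suffix match for the RP ID are assumptions made for illustration; real browsers apply registrable-domain rules.

```javascript
// Added example: simplified model of a WebAuthn assertion. All names are hypothetical.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// clientDataJSON is built by the browser, which fills in the origin itself.
const clientData = (origin, challenge) => Buffer.from(JSON.stringify({
  type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));

// Registration: the key pair is scoped to one RP ID; the server stores only the public key.
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    authenticator: { rpId, privateKey },
    serverRecord: { rpId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) },
  };
}

// Authenticator: signs authenticatorData || SHA-256(clientDataJSON), where
// authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || 4-byte counter.
function authenticatorSign(authenticator, clientDataJSON) {
  const authData = Buffer.concat([sha256(authenticator.rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authData, sha256(clientDataJSON)]), authenticator.privateKey);
  return { authData, clientDataJSON, signature };
}

// Browser: only releases an assertion when the requested RP ID fits the page's host
// (simplified suffix match) and a credential exists for that RP ID.
function browserGetAssertion(authenticator, pageOrigin, requestedRpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  const rpIdFitsPage = host === requestedRpId || host.endsWith('.' + requestedRpId);
  if (!rpIdFitsPage) return null;                         // page may not claim this RP ID
  if (authenticator.rpId !== requestedRpId) return null;  // no credential for this RP ID
  return authenticatorSign(authenticator, clientData(pageOrigin, challenge));
}

// Relying party: checks type, challenge, origin, RP ID hash, user presence, then the signature.
function serverVerify(record, expectedOrigin, expectedChallenge, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'wrong-challenge';
  if (client.origin !== expectedOrigin) return 'wrong-origin';
  if (!assertion.authData.subarray(0, 32).equals(sha256(record.rpId))) return 'wrong-rp-id';
  if ((assertion.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKeyPem, assertion.signature)
    ? 'ok' : 'bad-signature';
}

function demo() {
  // Constructed sample values, not real sites.
  const RP_ID = 'bank.example';
  const ORIGIN = 'https://bank.example';
  const LOOKALIKE = 'https://bank.example.login-check.test';
  const { authenticator, serverRecord } = register(RP_ID);
  const challenge = crypto.randomBytes(32);
  const good = browserGetAssertion(authenticator, ORIGIN, RP_ID, challenge);
  // A second key pair stands in for someone who holds only the stored public key.
  const otherKey = register(RP_ID).authenticator;

  return {
    // Normal sign-in on the genuine site.
    genuine: serverVerify(serverRecord, ORIGIN, challenge, good),
    // Lookalike page asks for the bank's RP ID: the browser refuses.
    lookalikeClaimsBank: browserGetAssertion(authenticator, LOOKALIKE, RP_ID, challenge),
    // Lookalike page asks for its own RP ID: there is no credential to offer.
    lookalikeOwnRpId: browserGetAssertion(authenticator, LOOKALIKE, 'login-check.test', challenge),
    // Even if a non-compliant client signed for the wrong page, the signed origin gives it away.
    wrongOriginSigned: serverVerify(serverRecord, ORIGIN, challenge,
      authenticatorSign(authenticator, clientData(LOOKALIKE, challenge))),
    // An old assertion does not satisfy a fresh challenge.
    replayed: serverVerify(serverRecord, ORIGIN, crypto.randomBytes(32), good),
    // The server-side record (public key only) cannot be used to sign in.
    publicKeyOnly: serverVerify(serverRecord, ORIGIN, challenge,
      browserGetAssertion(otherKey, ORIGIN, RP_ID, challenge)),
  };
}

console.log(demo());
```

The server-side checks matter even though the browser already refuses the lookalike page: the origin and challenge are covered by the signature, so the relying party can verify them independently of the client.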
Ok so let's assume passkeys are a form of saved generated password.
> 1. They are highly phishing resistant. Unlike passwords and popular forms of 2FA (TOTP and SMS), users can’t be tricked into sending their credential to a fake/malicious server. A passkey is bound to the server domain at the time the credential is created, and your OS/browser will simply not send it to the wrong place.
So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.
> 2. There is no credential for attackers to steal from servers in the case of server breach. This is because only a public key is stored on the server, instead of password hashes (or worse, plaintext, if the app/website developers don’t know what they’re doing).
What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.
> 3. Passkeys are guaranteed to be unique and secure. The same cannot be said for passwords. Even a password manager cannot guarantee that every single credential stored in the password manager is both unique and secure. And password complexity requirements often make it a painful game of trial and error to create a secure password, even when using a password manager.
If it's generated by software, any software should be able to assure uniqueness. This is again a failure of saved passwords / password managers.
> 4. Because of annoying password complexity requirements, the process of creating a new password can be annoying and take up to a minute or two of fiddling around, even when using a password manager. With a passkey, the process takes as long as Face ID or Touch ID (or equivalent on other platforms) every time. Every single credential creation and authentication is a fantastic user experience (both fast and easy).
Yes and here we get to the elephant in the room.
You become dependent on an easily stolen or destroyed device for authentication. It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave. Too bad you can't access them any more. How do you get home? You don't have any other devices to prove your identity, if you even have backup devices, they're at home. The flight options are in an app that you don't have the passkeys any more for. Your flight may get canceled or rescheduled and you have no way of knowing. If you didn't bring any physical credit cards or backup cash, you can't even eat.
Passkeys are all fine in your average techie environment, but can be a disaster outside it.
> So why does my browser or password manager send saved normal passwords to a different domain than the one they were saved for? This is not a limitation of passwords but of the software that encourages saving passwords. It didn't need switching to machine only passwords to fix.
Any kind of authentication method that relies on a string that can possibly be manually typed into a box by an end-user can never be made to be highly resistant to phishing.
> What has stopped developers from using irreversible transformations on stored passwords in the past? The math was there.
I don’t understand what point you’re making here. Are you saying “why didn’t people create a different standard than WebAuthn?” or are you saying “strong password hashing methods exist, so why do so many websites use bad ones”? Or are you saying something else?
> You become dependent on an easily stolen or destroyed device for authentication.
No, you don’t, because passkeys on Apple platforms are stored in iCloud Keychain, which syncs across all your devices with end-to-end encryption. They’re not solely on your phone.
> It is a fantastic user experience until you're a plane flight away from home, your phone gets stolen. Your passkeys are safe in the secure enclave.
They are stored in iCloud Keychain, not the Secure Enclave. And you can recover access to your iCloud Keychain even if you lose your phone, and even if you lose all of your devices.
> The flight options are in an app that you don't have the passkeys any more for.
You could just go through the account recovery flow for the airline app to regain access to your account. Whether you use a password or a passkey as your primary credential for logging in has very little to do with account recovery logging into an airline app. The app needs to continue to handle users who get locked out of their airline account for a variety of reasons.
> You could just go through the account recovery flow for the airline app to regain access to your account.
On which device? You can't use a public pc (or a local friend's) because you'd need to get your new passkeys on it and that's not safe.
Buy a new laptop/phone on the spot?
I'm going to make up a new conspiracy theory that says this push for passkeys is there to sell more devices, because shared devices aren't safe any more.
What about any or all of their contacts, messages, docs, notes, schedules, photos, apps, app contents...?
> How screwed are they if everything was in iCloud, vs they were using 1Password/{own,next}Cloud/Evernote/Meta/Dropbox/web apps...?
That would be a more appropriate picture.
> How screwed are they
Not much. Annoyed maybe but as long as they have access to their email and phone number they can reset their passwords.
What about the other way around? If a person broke their Android phone and a friend convinces them to move to Apple? You could argue that then they may have everything in Google and that they could log in on an Apple device with their Google account and use Chrome and Gmail and whatnot, but then they'd be storing everything in Google.
What if Google sunsets a product? Or Google unilaterally decides to close their account overnight with no human in reach for support?
I'm all for interoperability. I do get the risks at hand. But the hodgepodge of separate solutions forming a duct-tape held system is hardly usable for the "mere mortal", let alone integrating them together in reliable ways.
People want technology to disappear so they can go on with their lives and do stuff that matters to them (which integrating platform-independent third party solutions is not). So "all eggs in same basket" is an extremely valuable feature for most.
> as long as they have access to their email and phone number they can reset their passwords.
At best they spend hours and hours up to days resetting the passwords for all the accounts they ever had. Looking at my password list, there's 700 of them, it would take me a week of my life, if I ever get to do it at all.
At worst they actually can't access their email and it's the end (or a week or two of back and forth sending official documents to get it back?)
> Google
As a first point: they don't have to go all Google. They can have a Google account solely for their phone, and have everything elsewhere. That's a no-brainer as long as they have a solid password manager. You call it hodgepodge, but that's just what we've been doing for the last centuries.
The issue of a service unilaterally killing an account isn't limited to Google. Apple will also kill your account if they assume you misbehave, and you might get someone on the phone, while not getting any resolution.
Do we hear it more about Google? Sure. But Google is also the biggest service provider on earth at this point.
"The people want the thing that they want because they are wrong"
I never understood how this argument even makes sense. It sounds a whole lot like you're upset that most normal people don't care about and don't want what you want.
It's more of: people want things obviously bad for them because of abusive salesmanship techniques, which exploit information asymmetry and opportunity cost (i.e. that people can't be bothered to do deep research on every one of the thousands of things they buy). This includes effective marketing, that is typically deceptive and stops short of direct lies (sometimes not even that).
I feel like I explained it above. People often want things because they don't have all the information and people who are uninformed, especially when they're intentionally uninformed, make poor decisions.
And maybe there are some people who, faced with the risk of losing all their stuff, conclude that maybe all their stuff isn't that important to them and they don't have time for this YOLO! But there are even more people who never even consider the risk, and it seems like somebody should be looking out for them instead of people just saying "shut up nerd, normal people don't care about whatever you're worried about." Uh yeah, that's the problem, they're not made aware of it until it bites them on the ass and anybody who tries to express the concern on their behalf is told to keep their foot away from the hose of the money vacuum.
This is the bell curve meme. People just want the things that work for them, people that know what they are doing want things that work easily and know their way around a little better too.
You're overblowing the harmfulness, I'm not even sure what the argument is.
There are hundreds of examples throughout history of people being marketed something horribly harmful to themselves and defending their need for it even after being explicitly shown the downsides. Oftentimes, instead of fixing the individual people society chooses to punish the businesses that abuse this lever.
Same shit with the Microsoft Netscape trial, really. People didn't want alternatives because Microsoft went absurdly far out of their way to stop fair competition on their platform. Now we're seeing the same shtick, again, on a different platform.
Guided to want it. Sure. Everyone else, all those other folks with other lives, opinions and preferences, they are brain washed by my enemies. Come on, man :)
I just wanted Passwords to be its own app because the Settings applet(?) is obnoxious to interact with in some scenarios. My passwords are already all in there.
Now, I use a Windows laptop too and would love for Apple to make the Passwords thing work there too. It probably won't :)
People are driven away from open standards to vendors like Apple because so much open stuff just sucks so goddamn bad. So will Apple one day fuck me over? Perhaps, but in the meantime their shit just works and I am going to use it because I don’t have time to spend hours troubleshooting why manufacturer A doesn’t work with free publisher B when free driver C is loaded.
The general mechanism for free software to be developed is for the individual users to make modifications. Not all of them, of course, but the ones who know how to. Someone sees something wrong, fixes it.
Apple interferes with this. If you don't like an app on your iPhone, even if it's open source, you can't just make a minor change because for that you have to pay $100/year and buy a Mac and all of this friction that discourages people from doing it. And then upstream doesn't get the little change (times a thousand individual users with an itch to scratch), and the one-time contributor doesn't become a repeat contributor either.
Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review. But then you can't get any users who might help you to finish it. So the state of open source software on the iPhone is a shambles, because Apple neutered the primary mechanism for free-as-in-speech software to become any good on their platform.
Compare this to Linux on a PC where simple things are about as likely to "just work" as they are on a Mac, more likely to do so than on Windows, and weird and complicated things work better than on either of them because even though they're not always easy they're very nearly always possible.
Which is the perpetual sham of "it just works". Simple things are simple everywhere because they're common and well-supported. Complicated things are often difficult, but some platforms make them prohibitively difficult or simply disallowed, and people confuse this with "easy" because you don't remember spending time to make something work when you can't. But that's not actually an advantage, because you're not obligated to spend time on something that doesn't immediately work, but the option to choose to is valuable when sometimes it's worth it.
> Not only that, you can't distribute a half-finished app to the public -- even if it's free -- because it wouldn't pass review.
Ahhh so you want the public to do your QA for you and don’t mind interfering with their productivity when the first iterations of your software are a buggy mess? I am ok with Apple trying to keep the pests out of their garden, or providing a lockable gate like TestFlight where I can go into a testing situation with my eyes wide open and risks well understood. Your open source devs are not always great at disclosing the fact that their software is half baked and people install expecting a robust app and finding instead…a load of crap
> Ahhh so you want the public to do your QA for you and don’t mind interfering with their productivity when the first iterations of your software are a buggy mess?
"Open source" means developed by the public. The public isn't just doing the QA, they're doing the entire thing from the first line of code. Which is exactly the problem with Apple's interference -- they want you to have a finished app before you can share it with all the people who might have been willing to help you build it.
> TestFlight
And we're back to intentionally putting up barriers to exactly what open source needs to succeed.
Maybe 1% of users are programmers, and 1% of those might be contributors. But that's fine if you have a million users -- less than 0.1% of the world population -- because you could have a hundred contributors, which is enough to get something done. Which in turn allows you to improve and then get ten million users etc.
TestFlight caps the number of users at 10,000. Now you've got 1 contributor instead of 100 and when that's not enough you're sunk. Meanwhile the "beta" is forced to expire after 90 days which creates friction for the users and makes them more likely to abandon you.
> Your open source devs are not always great at disclosing the fact that their software is half baked
People will figure this out pretty quickly when they try to use it. But then that's the point -- you try to use it, it sucks, but you can fix it yourself. The intention is to have this happen and then the app improves for everyone.
> People will figure this out pretty quickly when they try to use it.
Then you find that it’s uninstallable and you now have a fooked computer where you have to wipe your whole goddamned system to be rid of the POS you just installed. Hopefully you imaged your system right before you DL’d and installed the offending app…so you’ll only lose a few hours instead of a full day this time for your effort. However, you can feel good that you helped “develop” an open source software that almost no one will ever use like the good little netizen you are.
Yeah, no thanks. I’ll take my walled garden and its vetted and well behaved apps all day long.
Not sure of your reality, but my Apple ecosystem just works. I spend nearly zero time fiddling with my rig just to get to a point of productivity but see Linux-using peers in a constant state of tweaking trying to achieve and failing of what I have by just opening a box.
A lot of Linux users like fiddling with things, and then purposely choose the things they'll have to fiddle with. This is not actually required. You can buy a device from e.g. System76 and then use the preinstalled OS or something conservative like Debian Stable. It "just works".
The people compiling everything from source and messing with kernel modules are doing it because that's their hobby.
Well that's all fun and games until you start putting off paying Internet bill for two weeks because it turns out that you misconfigured your password app and it actually didn't save your password to the utility service provider and you realize you have no internet one day and you have a school assignment ugh and maybe your credit score gets 0.5% lower and yeah it's all very much your fault. "But you can just be more careful! Handle stuff like this as it arises!" Yeah, sure, just like during Communist times you could easily get more than one pound of coffee per half a year if you're just careful and note when it's available in stores as a drop-in
I believe this whole Apple vs Linux debate is perfectly analogous to the West vs East Germany debate, to the point that almost all intuitions/arguments for the latter are perfectly reusable in the former
> Well that's all fun and games until you start putting off paying Internet bill for two weeks because it turns out that you misconfigured your password app and it actually didn't save your password to the utility service provider
As opposed to the centralized service that will kindly misconfigure it for you, or just discontinue it out from under you, or ban you because of a false positive, or ban you because of a true positive because you unwittingly violated their broad and ambiguous terms but you're still just as screwed.
> I believe this whole Apple vs Linux debate is perfectly analogous to the West vs East Germany debate, to the point that almost all intuitions/arguments for the latter are perfectly reusable in the former
The fallacy of Soviet Communism was the fallacy of central planning. The Party decides what's good for you and The Party is infallible so if you try to resist you'll be punished. Freedom of choice is heresy. Divergence is verboten.
Does that sound to you like the typical Linux user, or like Apple?
I've watched people who swear that Apple "just works" struggle when it doesn't.
The difference is just that because of the halo effect they don't blame Apple for the shit that doesn't work. If there is a 3rd party tangentially involved they blame them instead.
The difference (in my experience) is if it works with Apple, it "just works". If it doesn't work, it will never work.
It's a binary and you generally know the answer straight away.
Some people dislike it because they enjoy looking for answers and the freedom to change how things work. Others like it because they don't want to spend their time searching and mucking about with configurations.
That was a big part of my move to Mac from Windows back 24 years ago. It was such a pain trying to get all the bits and pieces working together and with the Mac, yes it was more expensive (although honestly, not that much more expensive) but stuff just worked out of the box and I didn’t have regular crashes. I’m sure things have improved in Wintel land since 2000–2001, but my Apple experience has been remarkably stress-free.
More expensive up front but in my experience the hardware lasts longer and is usable for longer. I just recently retired a 15 year old MBP due to a battery swell. I’d still probably have it on my desk and occasionally using it if I wasn’t concerned about it exploding and burning my house down.
This point of view essentially reduces to the same place libertarians are at: Institutions are bad, Apple is bad, Google is bad, we should refuse to support institutions, or maybe even institutions should not exist, depending on how severe the FOSSism is.
And look, I don't feel that libertarians (or, let's kill the analogy, FOSSers) are always wrong. Of course they're right about some things; they're just wrong about so much more than they're right about, it's like a 90/10 split, it's not close. I think the cognitive dissonance is something similar to Chesterton's fence: FOSSers don't respect the massive profit-motivated and closed-source companies and systems which, at best, make pockets of productive, awesome open source possible; but more realistically and worse those pockets are just the software version of "buy a Subaru because we donate money to cancer research", they're free labor/recruiting/tax writeoff/community goodwill campaigns by gigacorps, and it's all just profit at the end of the day.
Nerds who can see the inside of the machine and are aware that this sort of thing happens is literally just stating in different terms the stereotype type-As assign to nerds: that they don't understand anything but the technology [1].
Apple and Google aren't institutions. They're for-profit corporations with long track records of behaving like the amoral artificial minds that they are. In this sense, corporations are beasts - society can benefit from putting them to work, but they will also occasionally maul someone because that's what they do.
You should read this piece in the NYT titled “The Tyranny of Convenience” [1]. It asserts that your entire worldview is essentially flawed. En masse, people do what is most convenient, which is completely orthogonal to what is right / wrong / best / worst. For instance, it’s an empirical fact that eating healthy and getting exercise is better than eating poorly and living a sedentary life. Yet, most people live sedentary lives.
But this is precisely the problem. If you want the right thing to happen, you can't allow the wrong thing to be more convenient. "The wrong thing is more convenient so STFU" is the flawed worldview, because it's what causes the wrong thing to continue happening.
Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.
People will still do what's convenient, but now the more convenient thing is the better thing.
> Now consider what happens if people do the opposite. Instead of defending convenience as an end unto itself as Moloch would have it, you create friction against bad choices. Complain about them, refuse to assist your allies in making a mistake. Do things that make bad options less convenient and redirect people to better choices.
What about making "the right option" better instead of making the "the wrong option" worse?
These things are related. If people don't use the right option then it's starved of resources with which to improve.
Of course, you can also improve the right option independently of that, e.g. by making contributions. But now we're back to "Apple interferes with this by making it harder to tinker."
The flaw in your logic is that you’re taking too myopic a view. In your world “making something worse” is somehow divorced from the tyranny of convenience, but in reality it’s not. Changing society is itself inconvenient, and therefore unlikely to happen unless leaving society as-is is less convenient.