Magic links have rough edges, Passkeys have black holes.
> On this blog I speak only for myself as someone experienced in usable security and website authentication.
This caveat near the top speaks to my point: if you're a developer and you understand what an SSH key is, you'll take to Passkeys no problem. But if you aren't, there are many foot guns and vendor lock-in you won't notice until it bites you.
I work for an auth company, I use a Yubikey and Passkeys all the time, in a business context where there is an IT admin to go to when there is a problem, I think Passkeys will do great. They'll really improve the average security posture of an organization.
But I would dread having to try and recover a Passkey with Google, who would I even talk to? I just had to explain what a VPN was to my parents, I would not be excited to try and explain to them how Passkeys work.
> But I would dread having to try and recover a Passkey with Google, who would I even talk to?
That's not what this blog post is about. This blog post is not about using a passkey to login to your email.
This blog post is about using a passkey to login to a website (404 Media) that currently supports login via "magic links," i.e. instead of passwords, they always send you a "forgot my password" link, which you click on in your email.
If you currently login to 404 Media with a magic link, and then decide to login to 404 Media via passkey, and you lose your passkey, you can just get a new magic link sent to you via email and reset your passkey, or, if you want, you could just skip the passkeys and go back to always using magic links.
Using passkeys to login to your email itself is a whole different ball of wax. Gmail does not have a simple "forgot my password" email that it sends. (That would be pointless if Gmail is your only email address!)
The "forgot my password" flow for Google/Gmail can involve a bunch of factors, including backup email addresses, backup recovery codes, recovery contacts, SMS, push notification to other apps you've logged into. Google doesn't document all of the factors they consider, and neither do any of the other major email providers.
I get it: it would be scary to login to Google via passkey if Google is your passkey manager, especially because there's no way to export a passkey from one passkey manager to another. Can you trust Google's recovery system?
That's a hard problem for Google, but it's a trivial problem for 404 Media. They just send you a magic link, and rely on Google to keep your email secure.
And, let's face it, most of us run sites that are much more like 404 Media than they are like Google.
> I use a Yubikey and Passkeys all the time, in a business context where there is an IT admin to go to when there is a problem, I think Passkeys will do great. They'll really improve the average security posture of an organization.
The average user of a service will be worse off for passkeys. Something as innocent and common as losing a phone could result in complete account lockout.
Magic links offer the best compromise between security posture, effort to implement for developers, and easiness for users. It's not the perfect solution, but it's the best at the moment across all dimensions.
> Something as innocent and common as losing a phone could result in complete account lockout.
This is the biggest misconception I see repeated about passkeys constantly. Account recovery flows generally do not change at all. Passkeys replace passwords, they change nothing at all about account recovery. If you forget/lose your password or your passkey, you go through the reset flow and create a new one.
If you lose your phone and you only have your phone to access your email, then you also have lost access to your password if you're using a strong password and a password manager.
Or do you remember a 20+ random character string for each site and thus do not need a password manager?
My email and password manager are actually the two unique passwords I do remember (the rest are in my password manager). So losing my phone does not mean I lose access to them. I _have_ actually lost all my electronic devices in a house fire, so this is from experience.
2FA does make this more complicated and in my case my password manager did not have 2FA, but TOTP with backup codes does let you store those backup codes somewhere else, while none of the passkey implementations I have seen (Fastmail, Amazon and Toggl) have an equivalent to the backup codes for TOTP. The fact that they still support password auth is probably their failsafe here, but this assumes that password auth continues to exist, which is contrary to the goals of passkeys.
> I _have_ actually lost all my electronic devices in a house fire, so this is from experience.
I can't speak to other passkey managers, but both Google and Apple have pretty thorough account recovery flows that work even if you lose 100% of your devices.
Google regularly asks me for annoying things even when I have all my credentials. What’s their account recovery flow? I’m not sure I trust it to be good.
I just had to go through it for a friend who had forgotten their Google password. It was good. Tbh it would be more surprising if it was bad since they have millions of users. So the amount of people who go through that flow every day is probably very high in terms of absolute numbers, even if it’s only a small percentage of users. And Google is known to do a shitload of A/B testing anytime they tweak their UI/UX.
So yeah I think it would be way more surprising to me if this particular flow was bad. If anything it’s likely to be one of their _best_ flows, given their scale and how critical of a flow it is.
And given that they love to track users to serve them ads, it’s also very much in their (capitalist) interest to make sure users don’t get locked out of their accounts.
If I lose my phone I don’t lose my passwords to begin with, because I have my most important account passwords written down somewhere, including the one for the email account used for recovery flows. Strings are an open system after all. TOTPs are slightly more involved but even a layperson can save an image of the original QR code, in addition to recovery codes.
The misconception here is you're setting up a strawman.
Password managers like Bitwarden allow you to store passkeys too. Ofc, that only works for services that let you create & use your own passkey, rather than force you to use one managed by them.
Is the strawman that passkeys are only available via one device, your phone? Because Google and Apple sync passkeys to devices logged into their respective accounts, so assuming you own a laptop or iPad/tablet, or have an old phone, your passkeys are also available on that device.
Except if you're relying on "an old phone" as your backup device, you'll find you don't have access because you haven't powered it on to sync passkeys, and Google expired your login anyway as you haven't used it on that device in months.
This is not true for Google at least. I have been locked out of a secondary google account because they thought it was suspicious that I logged in from a new IP address after 6 months of disuse. I have the password, I have the TOTP codes, I have the recovery email (in fact I even have the email for that account, as it forwards to my primary account), but login is just not allowed until I accept a push notification on a destroyed device.
For some reason, my primary account was not subject to the same probabilistic lockout, maybe because it had a more constant record of use, or maybe because it was a GApps account.
I once used Google’s account recovery flow on an old dormant (for maybe three years?) account. Did everything asked and reached a state where they wouldn’t ask me to do anything else to demonstrate ownership but I’m still suspicious or something like that. Fortunately I had nothing important there. Pro tip: operate as if Google doesn’t have a recovery flow at all.
> But I would dread having to try and recover a Passkey with Google, who would I even talk to?
Same as trying to recover a password: you go through the account recovery workflow.
My opinion on passkeys is that they are a wonderful tool to speed up the authentication process with sites in some cases (which turns out to be most cases). Rather than typing your password (hopefully on the correct site...) and then sometimes confirming with a magic link or a 2FA code, all you do is use your platform's native authentication confirmation method (face recognition, fingerprint, PIN code, whatever) and you're done. This works independently of which site you're on.
Just as with password managers: If you use the OS built-in solution, you're locked into a specific platform (though I admit that with passwords it's at least possible to move them manually, albeit super painful if the passwords are secure), so if you're using multiple platforms concurrently use a password manager that supports all your platforms - most if not all password managers these days support passkeys.
For all breakages related to passkeys, the same applies as with passwords: You use the account recovery flow (which often is the weakest link on any site).
As such, passkeys feel like a wonderful shortcut with even slightly improved security (you can't present a passkey to the wrong site) in the default case.
Except you don't just have the vendor lock-in of your password manager, you also have the vendor lock-in of a web browser too. Or you are forced to use a password manager that works as a web browser extension instead of a standalone application. This is so much worse than OTP, which already was incredibly user unfriendly, because at least with OTP you still had the freedom to type or paste the secret from wherever you wanted to get it generated.
FWIW people don’t actually understand how passwords work either (password hashing etc.), and I am not sure it’s important for most people to understand how passkeys actually work. Also, majority of people reuse the same (extremely weak) password, or they go through an account recovery flow every time they login anywhere. This is why you saw the “magic link” pattern take off in the first place — users were already going through essentially the same flow before. Now at least they can sign in with biometric authentication on a regular basis, using passkeys. And if they do get locked out of their account for some reason, they go through the account recovery flow — same as they did when using their password before.
But at least they won’t get phished anymore! That’s a huge win.
> people don’t actually understand how passwords work either (password hashing etc.)
Those are implementation details that they need not care about. Password hashing is about mitigating the consequences of you the account provider screwing up. I know, technology and finance are special, in that the more a service provider fucks up, the more it is your fault somehow (see: "identity theft") - but most people didn't get that memo.
Difference is, passwords break like normal things people are used to. Passkeys break like some alien technology from the fifth dimension; there is no reference to everyday experience for the one thing people need to understand, which is how to not mishandle auth on their end, and how to recover when they invariably do mishandle it.
Problem with auth methods is the protocol fatigue for the average user. And that even includes some tech savvy people. I have been in the process of teaching my family to use password managers. I subscribed to 1Password family, added everyone and then added the app to their devices, set up their Face IDs/Touch IDs, set the app as default password manager on their devices, added it to their browsers, etc, just to make it as simple as possible for them to just be safe.
They’re still having a hard time grasping the concept of 1 password per site. Or that passwords do not need to be memorable or the name of their pet plus their birth date. So they fight it.
Often they call me saying some service is broken, emails aren’t working, etc, and I ask for their password and they show me a list of account passwords in their notepad app, bc they were trying to replicate 1 password in their minds, because they absolutely do not trust what they do not understand.
I for one do not like magic links, prefer regular otp, especially because I can add it to my 1Password. I don’t like magic links because it adds an extra step of opening my email app, clicking a link and opening a new tab. It breaks my flow, so I tend to avoid services with magic links unless it’s only for account recovery.
Passkeys, I have skimmed the implementation, and flows, but I can’t get over the lock in and lock out potential.
So going back to fatigue, if my relatives are still in the password manager training phase, I’m definitely not going to confuse them with magic links, much less with passkeys. I will wait, and wait, and wait, until this all settles down and we have a gold standard, and everyone falls in line. Average users do not need the latest, “safe enough” is enough for them.
A text file on the desktop for sites like these is better than any alternative, to be honest. At least they aren't reusing their bank password everywhere.
Passkeys are going to be a complete failure, because a) vendor lock-in. I can easily move a password around; it's just a string. As far as I understand it, major passkey implementations are basically non-portable.
And b) I don't understand them. If I don't understand them what chance does the average non-nerd have? I probably could understand them, if I bothered to look into the details of how they work, but I really don't want to have to do that and normal people won't either. Nobody needs to do research to understand passwords or email login links (at least at a basic level).
I predict they will be abandoned in 10 years.
I wonder if a better solution is just to accept email-is-authority and make the magic link flow more seamless. Imagine if you could link your email client and your web browser closely together so that every site that offered a magic link "just worked". You click a button, it emails you, your email client silently notifies the web browser and deletes the email, and then you get logged in.
Google could easily do that automatically with Gmail and Chrome. The only downside I can see is that email is still a bit slower than password authentication.
Major implementers are definitely over-complicating things; making perfect the enemy of the good in a way that's hindering adoption. They want to make phishing impossible, not just "really hard", and doing that requires portability features to be ridiculously over-complicated and somewhat at odds with user freedom. In my opinion they should give up on that for now and just let users export a plaintext database the same way they can with any other password manager.
Regarding b) it's extremely simple. Passkeys are private keys (like SSH), stored in a password manager, accessed via JavaScript.
Agreed. Highly portable passkeys get you 90% of the way to where we want to be. I'm looking at implementing passkey support for my authentication library and considering only supporting major password managers because they have solid interoperability between ecosystems.
And a) is why they are being pushed so hard. I'm so sick and tired of this. Why is it that every time there's a new piece of tech or something gets updated it's 1) often categorically worse and 2) seems like it's designed in such a way that the goal is eventually to charge a monthly fee?
I'm fed up. I'm not using passkeys because I trust no one to not take advantage of them eventually. Not even my beloved Bitwarden.
I shared the concern around vendor lock-in initially, and I still do to some extent… but this can be quite easily mitigated by registering multiple passkeys for each account. Where I use them, I have at least two of {iCloud Keychain, hardware FIDO2 key, Google Password Manager}.
CTAP2 works nicely over Bluetooth and NFC so you can usually use these credentials even on machines which don’t integrate with your keychain of course. I actually find them extremely convenient and they’re obviously more secure than passwords across a broad range of common attacks.
As with passwords, they will be misused by vendors and clueless users alike, and it’s up to us to (a) use them correctly for ourselves (maintaining redundancy) and (b) encourage our less tech-fluent friends and family to do the same.
All around though, I think they’re a considerable win for convenience and security.
> Imagine if you could link your email client and your web browser closely together so that every site that offered a magic link "just worked". You click a button, it emails you, your email client silently notifies the web browser and deletes the email, and then you get logged in.
How the hell do you think that’s better? Passkeys are absolutely portable, many of the password managers on the market allow you to export them.
What happens if google suddenly decides to deactivate your account?
I think magic links and passkeys are awful for websites. I have refused to give services money because their only login system is a magic link, passkey or using a 3rd party login. For example, I got some free credits for clipdrop.co, I like their service, even set up the API and got everything working, but when it was time to buy some real credits and give them money, their login system was so awful I just found an alternative with a path of least resistance.
Another company I wanted to give lots of money to was fal.ai, but you can only login through GitHub, which I didn't want to do. I even emailed them asking about alternatives but they couldn't even bother to reply. So my money was spent elsewhere.
I don't have my email login on my computer so for every tragic link I get that means I would either have to find a way to get the link from my phone to the computer or login to my email from the computer just to click that stupid link.
You know what's faster, more efficient and better in every way? Using a user and password.
I should not have to suffer because some nitwits can't remember their passwords, we should not subsidize mediocrity because we will get more mediocrity.
I thought about this a few years ago. It made more sense back when WebAuthn was a thing but Passkeys weren't; when you had to just accept that buying a new phone meant losing all your WebAuthn keys. In that scenario, WebAuthn made sense as a UX improvement to the standard magic link auth flow, allowing users to use the faster, more convenient WebAuthn authentication method on devices they've already signed in on at least once but without having to rely on it as the primary means of authenticating.
Now that Passkeys are a thing they are much more viable as a primary authentication method since you can lose your phone or switch PCs and still have access to them. But as long as you're allowing pass(word|key) reset using email anyway, it certainly doesn't hurt to have magic links as an option.
When passkeys first came out I was quite excited. Now trying to use them with KeepassXC/Keepassium the experience is terrible.
First off, nearly two full years into this “standard” existing only around 1/5 to 1/4 of my accounts support it. And the support is a crap shoot. I am finding some accounts only allowing you to have a single passkey and others such as Amazon expect a certain format making Keepass unusable. I save the key but I guess the response is wrong as Amazon thinks it failed.
SSH keys are great. Amazing. Having those instead of passwords would be a huge upgrade. Most people need a simple key management UI and portable keys and then they would be set. But it’s like password managers and sites that don’t allow copy and paste all over again.
Works perfectly in 1Password. One-click sign-in is awesome! I don't understand the hate towards passkeys. Managing passwords for non-techies is infinitely worse in my experience.
I’m not disputing that passwords suck. It’s just that the experience with passkeys hasn’t matched the vision I’ve been sold when I first read about it.
I am sure a more mainstream solution such as Google/Apple/Microsoft/1Password’s password manager would be a better experience. But the portability and data sovereignty of using a self hosted open source password manager such as Keepass is a requirement I have and like I mentioned, the supermajority of my online accounts have zero passkey support even 2 years in.
> I’m going to assume that you know what passkeys are and that you’ve used them with your Google, PayPal, or TikTok account, or some other online account.
That's the biggest mistake that passkey advocates make: assuming that if you've used passkeys, you know what passkeys are. Or that you can watch a short video explanation describing the benefits of passkeys, and then you "know what a passkey is."
Here's what a passkey is:
Passkeys are randomly generated passwords that are required to be managed by a password manager. All the major password managers support them, including Apple, Google, Microsoft, Mozilla, and 1Password.
Passkeys can be public/private keypairs, or they can just be secret passwords. Webauthn is designed by committee, so there's always more than one way to do it.
By requiring the passkey to be managed by a password manager, you get some anti-phishing protection. A passkey includes metadata, including the website domain that created it, and the password managers simply won't provide the passkey to the wrong domain. They provide no way for you to copy and paste the passkey into a website, as you can with a password; there's no social-engineering technique someone can use to get you to copy and paste your passkey to an enemy.
A passkey manager is morally required to do an extra factor of authentication (e.g. fingerprint, Face ID, hardware keys, etc.) when you login to a website, but the website has no way of knowing/proving whether that happened; they just get the password.
You reset your passkey the same way you reset your password, because passkeys are just passwords that have to be managed with a password manager. Some sites make it easy to reset your password, some make it hard. You know the drill; there's nothing new or different there.
If your site/app is comfortable with magic links, or a simple "forgot my password" email, then it would also make sense to let users add a passkey by clicking a link in an email.
If your site/app doesn't have a "forgot my password" flow, you don't need one for passkeys, either. (But, surely you have something in place…? Even Yubikeys/SSH/PGP private keys can be lost.)
If you're happy with your password manager, there's no real need to switch, but even very "sophisticated" password users have been known to fall prey to social-engineered phishing attacks.
Are you sure you're never going to copy-and-paste your password into the wrong hands? I don't trust myself that much.
Passkeys make it harder to switch password managers because the password managers are designed not to let you copy-and-paste a passkey, including from Google's Password Manager to Apple's Password Manager. I think all the password managers kinda like that lock in, and there's something good and bad about it.
Instead, password managers recommend that sites/apps allow each user to have multiple passkeys. Sites/apps may or may not actually allow that, but that's the only way to be sure a given user can login with both Google's password manager and Apple's password manager: give each password manager its own passkey for each site.
I think Ricky is completely right in this case that if you're a site like 404 Media using magic links today, passkeys are just better. As a user, if your passkey doesn't work or gets lost, you can just click "forgot my passkey" and get another magic link, and set up a new passkey.
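The domain binding described above, the manager only releasing a passkey to the site that created it and the relying party checking the signed origin and rpIdHash, as an added worked example in Go; it is not code from 404 Media, the thread, or any passkey provider. The relying party example.com, the look-alike origin https://example-com.test, and the signAssertion stand-in for the browser and authenticator are constructed assumptions; a real browser would not even hand a credential scoped to example.com to the look-alike page, so the server-side checks shown here are the second layer.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinel errors so a caller can tell which relying-party check rejected the login.
var (
	ErrStaleChallenge = errors.New("challenge does not match the one we issued")
	ErrOriginMismatch = errors.New("origin mismatch: credential was exercised on another site")
	ErrRpIDMismatch   = errors.New("rpIdHash is not this relying party's")
	ErrBadSignature   = errors.New("signature does not verify under the registered public key")
)

// clientData holds the clientDataJSON fields the browser fills in; the signature covers its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// assertion is the authentication response the server receives for one login attempt.
type assertion struct {
	AuthenticatorData, ClientDataJSON []byte
	Signature                         []byte // ASN.1 DER ECDSA P-256 signature (COSE ES256)
}
const flagUserPresent = 0x01

// verifyAssertion runs the relying-party checks: ceremony type, challenge freshness, origin
// binding, rpIdHash binding, user presence, then ES256 over authenticatorData || SHA-256(clientDataJSON).
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	got, decErr := base64.RawURLEncoding.DecodeString(cd.Challenge)
	rpHash := sha256.Sum256([]byte(rpID))
	switch { // cases are evaluated in order, so the length check guards the index below
	case cd.Type != "webauthn.get":
		return errors.New("clientDataJSON.type is not webauthn.get")
	case decErr != nil || !bytes.Equal(got, challenge):
		return ErrStaleChallenge
	case cd.Origin != origin:
		return ErrOriginMismatch
	case len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]):
		return ErrRpIDMismatch
	case a.AuthenticatorData[32]&flagUserPresent == 0:
		return errors.New("user-presence flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// signAssertion is a constructed stand-in for browser plus authenticator (not a real passkey
// provider): it builds authenticatorData (rpIdHash || flags || sign count) and clientDataJSON and signs them.
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte) (assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), flagUserPresent, 0, 0, 0, 1)
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	cdHash := sha256.Sum256(cdj)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{AuthenticatorData: authData, ClientDataJSON: cdj, Signature: sig}, err
}

// runDemo registers a fresh credential for the constructed relying party example.com and returns the
// verdicts for a genuine login, a response signed over a look-alike origin, and that response edited after signing.
func runDemo() (genuine, wrongOrigin, tampered error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	const rpID, origin, lookalike = "example.com", "https://example.com", "https://example-com.test"
	challenge := make([]byte, 32) // fresh per-login challenge issued by the server
	if _, err := rand.Read(challenge); err != nil {
		return err, err, err
	}
	good, _ := signAssertion(priv, rpID, origin, challenge)
	genuine = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, good)
	bad, _ := signAssertion(priv, rpID, lookalike, challenge)
	wrongOrigin = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, bad)
	edited := bad // same signature, origin string rewritten: the hash that was signed no longer matches
	edited.ClientDataJSON = bytes.Replace(bad.ClientDataJSON, []byte(lookalike), []byte(origin), 1)
	tampered = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, edited)
	return genuine, wrongOrigin, tampered
}

func main() { fmt.Println(runDemo()) } // prints: <nil>, the origin-mismatch error, the bad-signature error
```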
Thanks for the write up, that's a really nice way to explain passkeys, better than most of the guides found online. It’s tough to convey just how big a leap passkeys can be to folks in the tech bubble, because they’re often disconnected from the everyday password headaches most people deal with.
For example, I was helping my mom pay a bill online the other day, and it turned into a circus of scribbled passwords in a notebook, adding minor tweaks to a common master password, having to rely on "forgot my password" emails just to also need to confirm via sms codes, too bad if you can’t access your phone. It was wild. Introducing passkeys into her workflow would totally remove these frictions.
Of course the way password managers are being treated like a new walled garden is not the best but this cannot be used to discredit what really looks like a valid solution to the problem of having to remember too many credentials.
I can feel comfortable with passkeys as an alternative (maybe even default) login method. But given the changes for attestation and what this enables, along with hostility towards portability from the spec authors, it means that I cannot ensure I have access to my passkeys going forward, so being the only auth method is problematic. That is often the current state, which is good, but the security goals of passkeys are then limited if passwords still exist, so I'm not confident that that will remain more than a transitional state.
I only use them on sites or services I do not take seriously or would never rely on for anything.
Not wanting a password doesn't absolve the software of securing user data, or users being informed of them effecting relaxing the need for security around their data.
For so many reasons that don't become apparent until years later, creating accounts with email+password is the best, on your own domain that can be moved between hosts, especially since there is little recourse with any identity providers.
I recently transferred almost 100 website credentials off of paper and into Bitwarden for my elderly parents, one of whom is developing dementia. During the work, I noticed that several websites (e.g., Amazon) and Bitwarden itself were very aggressively trying to lock me in to passkeys. I rejected every attempt except somehow Amazon still enrolled my dad's account.
There is no way that older people will ever understand passkeys. Corporations should immediately stop this foolish push to passkeys where often absolutely no explanation is made to the user of what they are or why anyone should care. My parents are sticking with unique 20-character passwords per site.
Don't even get me started on trying to explain mobile app 2FA to them...
In the last year or three, most sites have been making password authentication worse than it used to be. Some of the ways:
* Prompt for username & password in such a way that the browser's username&password-saving doesn't recognize. (I suspect the site is usually leaning on separate form field autocomplete to get an email address or other username.)
* Enter username in one DOM, submit, wait, and then they load a new page or change the DOM, to prompt for password.
* Burying/obscuring the username&password option, in favor of an array of buttons to log in from various big tech companies own authentication (or misused authorization), log in via email or SMS link, etc.
* Mandatory email/SMS 2FA, even for innocuous sites.
* Slow 2FA. Sit around waiting for it, pressing the mail-check button repeatedly, like I'm a type-A person (trying to close the elevator door before someone across the lobby gets close enough we have to wait).
* Then the 2FA email often has a bunch of worthless filler around it, so that I can't just glance at it in the small tiled window in the corner of my screen, but have to switch to the email program in a large tile, memorize or copy&paste it, and then switch back to the browser window. Which then often upsets the form field validation, or even loses the keyboard input focus it had before, just for that extra little negative UX touch.
* I kid you not, one company's gratuitous mandatory 2FA emails the other day consistently had some invisible unicode character next to the number, which invisible character was picked up in the double-click copy&paste, sent through the form submission, and then they rejected the string as invalid 2FA.
* The credit card company that insists on SMS 2FA (when I'm on desktop), and then sends an 8-digit code to my rather than a 6-digit like most other companies. Just in SMS, which is at a font size for text chats, not for perfectly transcribing numbers that are 8 digits without even separators like everyone else has used for most purposes forever.
* All the companies that have recently started emailing me every time I "sign in on a new computer", from the same IP address and browser fingerprint as usual. This is starting to become the norm, and it's not only annoying, but it also presumably desensitizes a lot of people to legitimate emails about security. (If anyone ever logs into one of my accounts, I'd probably never know, amidst the piles of irresponsible false alarm alerts about this.) (This is another bad practice by people seemingly trying to 'do security' like the one where banks would email you from address domains other than their own, at the same time that they're emailing you to watch out for phishing, like it's your moral failing.)
* Some organizations are doing password expiration, on newly-developed sites.
* Somewhat hiding the login button/link for existing accounts, but there's a big bright button for creating a new account. (Actually, this is a long-time practice by a number of sites, not recent, but some sites still doing it.)
In most cases, I don't think it's dark patterns, to discourage people from logging out or clearing cookies, nor to make them more receptive to coming passkeys or to whatever side incentives (besides some users' preferences) the company might have for doing log-in-with-other-company.
I think it's probably a bunch of developers just integrating off-the-shelf frameworks, sometimes spending a lot of effort to try to understand the off-the-shelf thing's particular proprietary bureaucracy, with little time left for the UX, security, or anything else. And maybe mix in some enthusiastic sprint tasks to add in other ways of logging in, incidentally making the original way worse, since the original way is not within scope of the task. And, in some cases, it might be a bad compliance checklist, or bad interpretation of one.
Excellent post. I also hate all of these trends. Unfortunately a lot of them are in fact pushed deliberately as anti-abuse and/or security measures, where in both cases (just like passkeys) they primarily exist to make the company's job easier and not to improve the user experience.
For example in my current job there's a push to follow the trend of splitting username and password entry onto two separate pages. Ostensibly this is to make it easier to deal with SSO because then you can look up on the back end the user's configured authentication type and direct them to oauth flow or passkey challenge or whatever instead of password entry box. But the bonus side effect is that it also provides an additional layer of tracking so that you can monitor mouse movements, keydown behavior etc and use that to feed into a model that can detect scripted attacks then push a captcha in between or block the login flow altogether and send a security alert to the owner of the account etc. This is all in pursuit of protecting the user's account, but at the same time it makes everything more inconvenient and privacy-invading for real life legitimate users who just want to log in.
I suppose you could blame malicious actors for forcing the enshittification, but in many ways I feel like it's a failure of the service providers because they're building technical solutions that make it easier for them to detect abuse rather than thinking about what the users themselves might prefer. It's like all the bureaucracy that still exists nowadays around flying thanks to terror attacks that happened decades ago. The terrorists may be long dead, but their impact is still felt in how they have changed everyone's way of life! I'm not sure that's a win for the good guys.