> Allow sites and apps to upgrade existing accounts to use passkeys
Is "upgrade" the right word here?
I think it's becoming a term that is supposed to mean "make things better" but is now used to let a business force things you don't want/need/like on you.
In terms of passkeys, it would seem to take something portable you remember like a password and convert it to Google password manager lock-in.
The "not a fan of passkeys" link toward the bottom is a great read [1].
It mentions:
> As far as Apple is concerned, I would be satisfied if passkeys could be saved in a local, non-iCloud keychain, as normal keychain items with support for export and import. Ideally, the export format would be cross-platform, and I don't see why it couldn't be cross-platform, given that passkeys are just public-private key pairs tied to a domain. In that case, I would be happy to eliminate web passwords, since I already use randomly-generated, keychain-managed web passwords that can't be memorized (by me). Unless and until Apple provides such a solution, though, I remain extremely skeptical of passkeys and feel inclined to fight back against the notion of replacing and eliminating passwords.
[1]: https://lapcatsoftware.com/articles/2023/5/1.html
Would it be possible/viable for a third party to release such a piece of software? Does one already exist?
Alternative password vaults (like 1Password) do support cross-platform passkeys. On iOS it works just like a native passkey prompt once you disable iCloud Keychain. And it works great in browser extensions on desktop.
I do sort of like the concept of passkeys, especially being able to throw them into my password manager. However, a lot of sites I've encountered that implement them have decided that presenting a passkey can basically bypass MFA. I get that you'd have the passkey ideally protected by some MFA or biometric anyways, but I still like to have both forms of auth separated as much as possible.
Holy shit, this could actually cause people to get permanently locked out of their accounts, depending on how the website is configured. Imagine not knowing your login credentials are stored in Place A and then you delete Place A, unwittingly deleting your only login along with it.
This is already a worrisome possibility with security keys -- if you have Windows Hello enabled, the dialog you get when adding a security key to an account might sometimes be to add it to your TPM, but it's not clear that's what Windows is asking so you might put your creds on your CPU while thinking that they're going on the Yubikey; imagine what happens then when you upgrade your computer?
Users need to know where their logins are stored. Making these things "transparent to the user" in the name of ease of use (treating users like toddlers) is the wrong approach. I realize the average user doesn't understand the technical side here, but that just means we need to do better as devs and designers, not throw in the towel and make decisions for the user.
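Added example, not part of any comment in this thread: a relying-party check that reads the flags byte of a WebAuthn authenticatorData blob to decide whether a passkey assertion may stand in for a second factor (UV flag) and whether the credential is single-device and so a lockout risk (BE/BS flags). It assumes the signature and challenge were already verified elsewhere; the function names, the policy keys and the sample blobs are constructed for illustration.

```python
import hashlib
import struct

# Bits of the authenticatorData flags byte defined by WebAuthn.
UP = 0x01  # user present (touch/click)
UV = 0x04  # user verified (PIN or biometric checked by the authenticator)
BE = 0x08  # backup eligible (credential may be synced)
BS = 0x10  # backup state (credential is currently backed up)


def assess_passkey_assertion(auth_data: bytes, rp_id: str) -> dict:
    """Parse authenticatorData and derive policy decisions (hypothetical policy)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    # Layout: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte big-endian counter.
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if flags & BS and not flags & BE:
        raise ValueError("backup state set without backup eligibility")
    user_present = bool(flags & UP)
    user_verified = bool(flags & UV)
    return {
        "user_present": user_present,
        "user_verified": user_verified,
        # Skip the separate second factor only if the authenticator verified the user.
        "skip_second_factor": user_present and user_verified,
        "synced": bool(flags & BS),
        # Device-bound credential: tell the user it lives on one device only.
        "warn_single_device": not flags & BE,
        "sign_count": sign_count,
    }


def build_sample(rp_id: str, flags: int, count: int = 0) -> bytes:
    """Constructed authenticatorData for the demo (no extensions, no attested data)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)


if __name__ == "__main__":
    for label, flags in (("synced, verified", UP | UV | BE | BS), ("touch only", UP)):
        print(label, assess_passkey_assertion(build_sample("example.com", flags), "example.com"))
```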
You are against progress. /s
Google gonna make all of your nightmares come true
Google gonna put all of her fears into you
Google gonna keep you right here under her wing ...
I use Firefox for passwords and my employer wants me to use passkeys which requires an authenticator app.
Now, the passkeys require me to set the default password app as the authenticator, so I can't use Firefox passwords elsewhere.
My ideal solution would be to have an option to go to Firefox for passwords while passkeys go to the authenticator app.
Second best would be Firefox could store passkeys locally on device.
Has anyone been able to make both the passkey auth and Firefox (or any other) work together?
It sounds like you're using the iCloud Passwords extension for Firefox? I think when it launched it didn't have a setting for it, but now the suppression of built-in Firefox password management is configurable in the settings for the extension.
If you're talking about something else, I'm not sure, but I might be able to help.
1Password works great for passkeys, even on mobile iOS.
Maybe this would be somewhat sane if it's only handling automatically generated passwords that have never been viewed in the UI. But I doubt that.