> There are a number of topics on the horizon, however, with FIDO2, CTAP, and WebAuthn, we are asking websites to trust password managers a lot more. While password managers have long existed, usage is far from universal. But with FIDO2, by design, users have to use a password manager. We are also suggesting that with passkeys, websites might not need to use a second authentication factor. Two-factor authentication has become commonplace, but that’s because the first factor (the password) was such rubbish. With passkeys, that’s no longer the case.
Getting people to give up their 2FA dogma is going to be a huge, annoying debate. In some sense security experts were too successful in instilling the importance of a second factor, but maybe not the reason why it was important (because it's too hard to make secure, unique passwords).
> The initial launch of passkeys didn’t have any provision for third-party password managers. On iOS and macOS, you had to use iCloud Keychain, and on Android you had to use Google Password Manager. That was expedient but never the intended end state, and with iOS 17 and Android 14, third-party password managers can save and provide passkeys.
Password managers are already starting to show progress on this front. I've been using the 1password passkey beta on desktop for a while now. I'm really looking forward to having those passkeys on my iOS and Android devices as well.
> We also need to think about the problem of users transitioning between ecosystems. People switch from Android to iOS and vice versa, and they should be able to bring their passkeys along with them.
In my limited experience, they're comparable to a password manager. A little more pleasant, because the password manager sometimes has a password but can't find it. That happened to me last week.
A big airline has many web sites and the password manager didn't realise that it could use a particular password to log me into a site it had never seen before. Of course password managers have to be careful about that kind of thing. Can't just reveal a password to an unknown site.
That said, the password part was small. Passkeys would be a LITTLE more pleasant, again in my limited experience. The login problem was small compared to the pain of dealing with the web site after I'd logged in ;)
They're comparable to using a password manager that has to run on the same device and autofill password fields. That makes them a pain for me, as using those sorts of password managers doesn't fit my use cases.