The biggest mistake the passkeys movement made was trying to make it sound more marketable at the cost of oversimplification.
First up, these aren’t really “no password” mechanisms. They’re closer to ssh certificates. You need to authenticate through some other mechanism and then agree to do the equivalent of creating and installing ssh certificates on your device.
The ssh certificates get synchronized across your devices securely by your cloud provider. But they can never serve as the primary authentication mechanism - that will still have to be a traditional authentication mechanism.
It’s mildly infuriating that someone decided to take this simple idea and confuse the fuck out of everyone by positioning it as some alternative to a password-based authentication mechanism. Obviously everyone is going to come and ask a ton of questions about how a mechanism without any passwords should work. And then the responses further confuse everyone because they don’t want to admit “no, actually, you still need passwords”.
Their point was that at some step along the way, you do need to use a password.
Case in point, creating a new google account as a 13yo. If you don’t have a password and you lose your one device, you lose everything. This isn’t hypothetical; it just happened to a family friend.
Not sure why the discussion got booted to the bottom of the thread. Looks like it’s a lesson not to label your comment a rant.
As far as I understand, this is not a viable mechanism.
Consider a shared computer in a university laboratory or at a public library. Or maybe an iPad that is shared by a family.
As a service provider, you usually cannot assume that someone using your service will log in with a dedicated device or with a device that has their primary Google or Apple account set up on it. (Some rare exceptions might exist.)
I don’t think anyone wants to deal with customer support problems of “oh, I’m stuck in a different country when on a holiday and my phone got stolen, can you please recreate this key exchange process for me on this untrusted device logged in from public wifi at a coffee shop?”
Like with ssh certificates, you create more problems than you solve if you use passkeys as the primary authentication mechanism.
To answer your question, yes it would be primary authentication if you used it that way. But no sane person would. Hopefully.
But do you need passwords? The way things are set up now you do: the password is the recovery mechanism. If the recovery mechanism was instead something like "photo of face next to government ID" then Google could stop using passwords next week.
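To make the model from these comments concrete (a passkey is registered only after the user has already authenticated some other way, is used by signing a server challenge, and the password remains the recovery path once the only device is gone), here is an added Go sketch of the relying-party side. It is not code from any comment here or from a real passkey implementation; the Account and Scenario names, the "constructed-password" value and the plain ed25519 key standing in for a WebAuthn credential are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Account: one primary credential plus a passkey public key per registered device.
type Account struct {
	password string                       // constructed stand-in for a password hash
	passkeys map[string]ed25519.PublicKey // keyed by credential id
}

// LoginWithPassword is the primary mechanism the thread says is still required.
func (a *Account) LoginWithPassword(pw string) bool {
	return subtle.ConstantTimeCompare([]byte(a.password), []byte(pw)) == 1
}
// RegisterPasskey only proceeds on a session that already passed primary auth
// (the "install the certificate after you log in" step in the ssh analogy).
func (a *Account) RegisterPasskey(authenticated bool, id string, pub ed25519.PublicKey) bool {
	if authenticated {
		a.passkeys[id] = pub
	}
	return authenticated
}
// LoginWithPasskey: fresh random challenge, device signs it, server verifies.
func (a *Account) LoginWithPasskey(id string, sign func([]byte) []byte) bool {
	if pub, ok := a.passkeys[id]; ok {
		challenge := make([]byte, 32)
		rand.Read(challenge)
		return ed25519.Verify(pub, challenge, sign(challenge))
	}
	return false
}
// Scenario reports: registration blocked without primary auth? passkey login works? still works after the only device is lost? password still recovers the account?
func Scenario() (regBlocked, pkLogin, afterLoss, pwRecovery bool) {
	acct := &Account{password: "constructed-password", passkeys: map[string]ed25519.PublicKey{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device-side key pair, constructed
	sign := func(m []byte) []byte { return ed25519.Sign(priv, m) }
	regBlocked = !acct.RegisterPasskey(false, "dev-1", pub)
	acct.RegisterPasskey(acct.LoginWithPassword("constructed-password"), "dev-1", pub)
	pkLogin = acct.LoginWithPasskey("dev-1", sign)
	delete(acct.passkeys, "dev-1") // the one device is lost, and its key with it
	afterLoss = acct.LoginWithPasskey("dev-1", sign)
	pwRecovery = acct.LoginWithPassword("constructed-password")
	return
}

func main() { fmt.Println(Scenario()) }
```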
> But they can never serve as the primary authentication mechanism - that will still have to be a traditional authentication mechanism.
> If the recovery mechanism was instead something like "photo of face next to government ID" then Google could stop using passwords next week.
Think about the failure mechanisms. What government ID? Why might the face change? Etc. Even if these sound like outliers, at scale essentially anything will happen.
Maybe they could have used more marketable terms like "1-time password", or "barely a password", or "mini-password" (to denote minimal expected usage of your password), etc.?
It reflects that the mechanism is a way to securely store some identity related information. It is not a mechanism to establish that identity.
The value proposition is still obvious: You need to establish your identity once, and then you can securely save it and share it across devices and avoid having to reestablish your identity every time.
It also removes the “password” confusion entirely. Establishing identity could be through a fingerprint or verifying a government-issued ID card in person, etc.
The name also correctly reflects what it is doing while still sounding marketable to non-technical users. The mental model that a non-technical user will build more closely reflects what is actually happening - which is always helpful to build a good user experience.