Passwords + OTP (stored in keepass or somewhere) is the win for me.

Everything else is security theatre and a UX pain.

Passkeys are not security theatre, and also not a UX pain if you use a password manager. Turns out it’s nice to have a standardized API for submitting a credential to a website rather than relying on browser extensions to hopefully guess that the input field is for a password. (Not to mention the multitude of sites that don’t properly handle text being autofilled.)

There are exactly three nice things about passkeys.

1. It forces the use of keys with a reasonable amount of entropy, and the use of a password manager to access them.
2. They will not make it easy to use a key with the wrong site (also true of a good password manager).
3. Uses a public/private keypair, so the key itself is never sent over the wire (even encrypted).

The real question is whether these properties are worth all the costs (enumerated in this article).

Not theatre, but passkeys are a security risk if you need a specific device to access your information and there is no way to extract a passkey.

I use my OTP secret as my account password, best of both worlds for portability!

That's so insanely unexpected it might actually be secure.

[deleted]

This is how I feel as well.