Really great article.
I also think there's still an enormous ignorance from passkey devs that lots of people want to occasionally log into personal services from locked down corporate machines, and the flow to deal with this is at best terrible but more often non-existent, and developers with typically enhanced privileges just aren't able to conceive how difficult this is.
Logging in to a personal service from your locked down corporate machine with a passkey works like this:
1. Start to login to the site.
2. When it gets to the point that you would choose to use a passkey if you were logging in at home, there should be some option that lets you say you want to use a passkey on another device. You can use that to tell it you want to use a passkey that is on your phone.
3. It gives you a QR code to scan with the phone, and then you complete the login using the passkey manager on the phone.
This is one of the core use cases for why FIDO Cross-Device Authentication was created. To be able to use a passkey to sign in on a shared device, a device you don't control, or a device where you just need temporary access to something.
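For the site-side half of the flow described above, here is an added example (not code from the thread or from any named service) of the relying-party JavaScript that asks the browser for the cross-device option and then checks the client data the phone's passkey signed; the challenge bytes, credential ids and origin are constructed placeholders.

```javascript
// Added example: relying-party JavaScript for the FIDO cross-device (hybrid) flow.
// Constructed values: challenge bytes, credential ids and origin are placeholders.

// base64url without padding, the encoding WebAuthn uses for the challenge in clientDataJSON.
function toBase64Url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Build the options handed to navigator.credentials.get().
// 'hints' (WebAuthn Level 3) asks the browser to lead with the phone / QR flow, and
// listing "hybrid" in transports keeps that option available for known credentials.
// With an empty credentialIds list the request targets discoverable credentials, so the
// QR option can appear before the user has typed a username or e-mail address.
function buildCrossDeviceRequestOptions(challenge, rpId, credentialIds = []) {
  return {
    publicKey: {
      challenge,
      rpId,
      userVerification: "required",
      hints: ["hybrid"],
      allowCredentials: credentialIds.map((id) => ({
        type: "public-key",
        id,
        transports: ["hybrid", "internal"],
      })),
    },
  };
}

// Server-side check of the clientDataJSON returned in the assertion: it must be an
// authentication ("webauthn.get"), carry the challenge this server issued, and name this
// site's origin; otherwise a response relayed from another page would be accepted.
function checkClientData(clientDataJSONBytes, expectedChallenge, expectedOrigin) {
  const data = JSON.parse(new TextDecoder().decode(clientDataJSONBytes));
  return (
    data.type === "webauthn.get" &&
    data.challenge === toBase64Url(expectedChallenge) &&
    data.origin === expectedOrigin
  );
}

// In the browser (not run here):
//   const assertion = await navigator.credentials.get(
//     buildCrossDeviceRequestOptions(challenge, "example.com"));
// then POST assertion.response.clientDataJSON, authenticatorData and signature to the server.
```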
On the one hand, that seems really important and I'm happy to know it exists.
On the other hand, I thought I had fully researched how passkeys work and literally never came across it.
So it kind of just continues to support my concern that passkeys are just too complicated to understand. If I'm at another device I need to log into, I would have just assumed I couldn't.
There needs to be a simple mental model for users. I'm not saying passkeys can't underlie that, but I think the UX still just hasn't been fully figured out yet.
I used the technical name for the capability, but you've likely run into it before.
If there is no passkey on the local device, a QR code will appear which you can scan with your phone or tablet, and use the passkey for the account from that device. It just kind of happens, typically without the user having to do anything special.
I will say though, corporate devices can be a bit of a wildcard as they are usually configured and locked down for a specific purpose. But the cross-device flow is generally not blocked by organizations.
I don't use passkeys, so I haven't run into it. It seems like that screen would be gated behind entering an e-mail address or username that is already registered with a passkey on another device.
What I'm saying is, I thought I had the right mental model of how passkeys work, after researching them, and that mental model told me you wouldn't be able to log in on a different device without going through a whole procedure to set up a new passkey, which you wouldn't want to do for something temporary.
The mental complexity is just too much for me to trust that if I adopt them, they'll work when I need them. The fact that I got this thing wrong means there's probably other things I'm still getting wrong.
I understand passwords and password managers and even 2FA. I feel like I can plan how to use them right so it all works and I don't need to worry about not being able to access my accounts. I just don't have that confidence with passkeys.
> log into personal services from locked down corporate machines
This is usually a bad idea, and is sometimes expressly forbidden.
But, more generally, there must be a flow for accessing your account when the passkey is not available, and possibly cannot be recovered.
I'm limited in what applications I can install at work. I am not limited in what websites I can access on my lunch break (within reason).
Just tried that.
Logged into Passkeys.io on my phone, and created a passkey.
Then tried to log in to it on my Windows desktop, using the "With my phone" option. First time around it failed to connect to my phone. Future times it connected, but told me that the phone had no appropriate passkeys on it. At which point I gave up.
Edit: I then tried on GitHub, and it worked perfectly! Okay, that's pretty awesome.
As someone who has enhanced privileges, I'm having problems thinking of what all the issues here are.
Corporate installs disable all USB functionality, and remove the ability to sync profiles? Something like that?
If you’re not using bitwarden or equivalent they can’t be moved off a device you own at all, and even with it you’d need to download bitwarden which might be impossible