I have been working with computers since 82, on the Internet since 88, on the web since 92 and in the IT industry since 97.
I have yet to see any solid, significant evidence that passkeys are materially more secure than a random 32-character password + TOTP 2FA.
If a site or app refuses to let me create my own login and forces me to use a provider, I’m not going to be a customer under any circumstances.
If a site or app refuses to let me use a password+TOTP combination (as in, it forces passkeys), I am similarly out.
That’s not to say I don’t use passkeys. I have them on my Microsoft accounts, for one. But that is only after I have fully set up the account, and only because the account plays very nicely with the Microsoft Authenticator app, even going so far as to do challenge-response auth in coordination with the app, and plumping TOTP up to 8 characters.
Will I switch to passkeys elsewhere? Not for some time to come. My passwords make use of the entire two-byte UTF-8 character set, in that less than ½ of all characters typically generated can be found on a U.S. keyboard. So long as websites don’t restrict password length to moronically short values, a 32-character password with 2,048 possibilities for every character ought to be reasonably difficult to crack.
And then, of course, comes TOTP 2FA.
> I have yet to see any solid, significant evidence that passkeys are materially more secure than a random 32-character password + TOTP 2FA.
I think the main selling point of passkeys is their ability to prevent phishing.
A 32-character password + TOTP can still be entered on a phishing website, e.g. if you happen to follow a fabricated link. With passkeys, this is not possible by design.
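As an added illustration of the "by design" claim above (example code, not written by anyone in this thread): the relying-party checks that make a passkey (WebAuthn) assertion origin-bound. The RP ID, the allowed origin and the browser/authenticator data are all constructed for the example; signature verification is left out because the Python standard library has no ECDSA.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party (RP) identity for this example, not a real site.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """WebAuthn section 7.2 checks binding an assertion to the challenge, the
    page origin and the RP ID. The browser writes the origin, the user never
    types it, so a look-alike site yields an assertion this rejects. Signature
    verification follows these checks in a real RP; omitted (no ECDSA in stdlib)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} not allowed"
    # authenticatorData starts with SHA-256(rpId); the authenticator derived
    # rpId from the effective domain of the page that called it.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user was present
        return False, "user presence flag not set"
    return True, "assertion bound to challenge, origin and RP ID"

def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser would produce."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def authenticator_data_for(rp_id: str) -> bytes:
    """Constructed stand-in: rpIdHash || flags (UP set) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
```

Contrast with a TOTP code, which carries no origin at all: whoever receives the six digits within the time window can relay them to the real site.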
> A 32-character password + TOTP can still be entered on a phishing website, e.g. if you happen to follow a fabricated link.
…How? The password manager only permits exact links. If the URL does not have the UTF-8-identical characters to the correct URL - at which time, IT IS the correct URL - it will simply not populate the username and password fields.
> I have yet to see any solid, significant evidence that passkeys are materially more secure than a random 32-character password + TOTP 2FA.
Not more secure, but some sites mandate email/SMS 2FA, don't support TOTP, and have added passkey support.
For these sites, using passkeys is materially more convenient than copying 2FA codes from email/SMS.
> some sites mandate email/SMS 2FA
Which should be made illegal on a national/international level.
The only possible reason for that is sheer laziness or malicious ignorance. Full stop, end of story.
And I also include eMailed login links and eMailed 2FA in with that determination. Any secure login attribute that gets transmitted over eMail or SMS should be illegal. Password reset links, only. And vendor-locked/vendor-specific apps as the only 2FA path should also be illegal. TOTP should be a fully open system, letting anyone use any legitimate provider or app.
Yeah, let’s just say I have some pretty strong opinions.