zerosleeps

Since 2010

Passwords have problems, but passkeys have more

David Heinemeier Hansson on hey.com.

Yeah I think he’s spot on with this. Passkeys solve a problem, but I’m not sure they solve the correct problem. The technology is bulletproof - we’ve been using public/private keys for decades - and when implemented properly is unquestionably more secure at the bits-and-bytes layer. But the problem with passwords is almost always human, and passkeys don’t really solve that.

As pointed out by John Gruber at Daring Fireball, passkeys only work if you use some kind of password manager. In my case that means I can only use passkeys when I’m using my own Mac or my own iPhone, which is a pretty big hurdle in some cases. And if you’re the kind of person who already uses a password manager then there’s a good chance that - like me - all your accounts already have long, unique, high-entropy passwords.

I suspect this explains why most services I’ve enabled passkeys for leave the traditional username/password login path enabled, meaning my accounts are still vulnerable to that kind of attack, so… what’s the point of the passkey?