Passkeys Suck
Alternatively, it's just me who sucks at using passkeys.
Only a short time ago, you could use a hardware USB key to log in to many services securely and swiftly. The alternative 2FA option was still a TOTP authenticator app - just like it is today - but, for supported services, my typical login flow was:
- Use password manager to (auto)fill credentials
- Click the login button
- Touch my security key
- Magic!
I initially made a poor choice of authenticator app, and it had no search or filtering (or encryption, I guess) - leaving me with hundreds of codes and no control over their naming conventions. And for a very long time it was horribly laggy with large collections when generating all the codes at the same time. Using the security key was a breath of fresh air.
I have since discovered and switched to Aegis Authenticator, which solves much of the frustration from the original app.
But security keys were extremely efficient when you had to authenticate many times a day (say, as an MSP engineer, web developer, or freelancer).
The Magic Is Efficiency
With the implementation of passkeys, they've (vaguely gestures around) stolen my magic - and now my login process looks like this:
- Use password manager to (auto)fill credentials
- Click the login button
- Tell my password manager not to use passkeys so I can get the browser passkey prompt, often requiring me to "Ask every time" to use multiple passkeys and/or a hardware security key in conjunction.
- Select the browser prompt for the correct passkey (usually my USB security key), but sometimes having to recall where it was stored or created from if not in my password manager.
- PIN/Biometrics/Passcode and/or Touch my security key
- Annoying!
Management Tools Need Work
For some time, I could not figure out how to change or remove a passkey I had enabled on a website I frequent. There were no options for me to change it, to remove it, or to add more.
For months, whenever I was logging into this site from any device that didn't have my device-created passkey, I had to go out of my way to switch the login process to use the 2FA app instead. The website didn't (and still doesn't) support using multiple device passkeys which means I'm stuck with the alternate (longer) login flow when not on the original device.
I did finally find the passkey on the device I had created it on and was able to delete it. It took me longer than I would have liked to find where it was managed.
But to be portable (or to use shared logins like utilities and other such items with my wife), we have these options:
- Using a mobile device as the passkey device (i.e., your phone's secure element)
- Using a password manager to save/share the passkey
- Using a physical passkey device (USB/NFC/etc security key)
For remote-oriented workforce environments or family-shared accounts with no "teams" option (finance, utilities, etc.), the only way to collaborate is to use a password manager or similar tooling.
Everything In One Spot
For those situations (family, work) where passkeys might need to be shared, we suddenly are forced to use a sharing mechanism like a password manager.
So now our password manager has passwords, it can also do TOTP 2FA, and now it has our passkeys too, unless it's a device-specific or personal passkey? We're asking a lot of our password manager.
I don't currently use my password manager to store my 2FA, so now that my passkey is my 2FA, I don't want to store it there either. That leaves me with very few options for actually managing passkeys across multiple devices and/or logins.
Let's say my vault was leaked and somebody was able to decrypt it - before, it was just my passwords, but now it's my passwords and passkeys. Everything you need in one spot to completely take over accounts.
Maturity Matters
I'm hoping this is a maturity issue - i.e., we just need more people to adopt passkeys so the tooling gets better. Big tech doesn't appear to be letting us not use passkeys, so it looks like we're in for a few rough years until the tools to manage these passkeys improve dramatically.
As a developer, I haven't begun to implement passkey support in my applications - mostly because I don't have any reference implementation that works nicely. Said a different way: I can't find an example that I like enough to want to put my users through.
Every site I have a passkey on does it differently...
Do you know where to go - at any given time - to find the passkey for a given site? Did the introduction of passkeys and the changes to physical security key prompts make you mad?
Join me in my frustration!
That's it, just a(nother) rant. Passkeys still suck.