
Passkeys were supposed to be secure and simple; here's how they fail.

31/12/2024 21:47:18
Summary: Passkeys are supposed to offer greater security and ease of use than passwords. However, a report reveals four major problems: 1. Inconsistent user experience depending on the browser and operating system. 2. Limitation to certain platforms and browsers (e.g. PayPal on Firefox). 3. Creation of a dependence on password synchronization services. 4. Obligation to keep passwords for most sites. Despite their theoretical advantages, passkeys seem poorly implemented in practice, offering few real advantages over passwords.

I've been arguing that passwords are terrible for half a decade now, and I was an early adopter of the much better passkey approach.

Passkeys were supposed to be the Holy Grail: an approach that is both more secure than passwords and easy enough for anyone to use. But a new report lists four problems with the technology...

Passkeys are more secure than passwords.

Passwords present several security issues:

  • Other people can know them, even when they are supposed to be stored encrypted.
  • Non-experts reuse passwords despite advice not to, which turns every data leak into a major problem.
  • Passwords are vulnerable to phishing attacks.

Passkeys solve all these problems. Instead of being asked for our username and password during login, we're invited to use a passkey. With this system, the website or app asks our device to authenticate on our behalf, using Face ID or Touch ID. The device then informs the website who we are and that our identity has been confirmed.

The web server trusts your device's authentication in the same way that payment terminals trust your iPhone or Apple Watch for Apple Pay transactions: it knows you were authenticated locally using biometrics.

In theory, passkeys are much simpler.

When we create an account, we should be offered the option to use a passkey, and all we need to do is agree. Our device authenticates on our behalf, and the service creates our account. To log in next time, we simply use Face ID or Touch ID and we're there.

But there are four major problems

If you only use Apple devices and use Safari as your web browser on all of them, then passkeys come close to being this simple. iCloud synchronization means that an account created on an Apple device will be accessible on all of yours.

But as Ars Technica notes, there are many situations where reality is rather different from the promises, starting with an inconsistent user experience.

The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or using Edge on Android. And forget about using a passkey to log into PayPal on Firefox. The payment website doesn't support this browser on any operating system.

More seriously, passkeys are linked to specific browsers.

Another example is when I create a passkey for my LinkedIn account on Firefox. As I use a wide range of browsers on different platforms, I've chosen 1Password to synchronize it across all my devices. For some reason, the mysterious entity responsible for this message (Google in this case) has usurped the process to try and make me use its platform.

Also consider the experience on WebAuthn.io, a site that shows how the standard works in different situations. When a user wants to enroll a physical security key to log into macOS, they receive a dialog inviting them to use a passkey instead and synchronize it via iCloud.

Finally, there's the fact that while the goal of passkeys is to eliminate the security flaws created by passwords, almost every service forces you to keep a password login as well.

Among hundreds of sites supporting passkeys, I don't know of one that allows users to completely discard their password. The password remains mandatory [...]. Malicious actors will develop brute force and social engineering attacks exploiting this weakness. And we'll be exactly where we were before.

The whole thing is well worth reading.

Photo by TheRegisti on Unsplash
