
Our Glorious Password-less Future Is Being Destroyed By Greed


[Image: Passkeys, perfect for lock-in. Credit: rc.xyz NFT gallery / Unsplash]

Passwordless logins promised to free us from passwords, but then Google and Apple ruined it for everyone.

WhatsApp users can now log in to the messaging service without having to type or to ever remember a password by using a passkey. Passkeys do away with passwords altogether and instead use your device itself to authenticate you. It's an amazing, clever system that fixes all the problems of passwords, with few downsides. So what's the problem? Well, both Apple and Google have implemented passkeys as yet another way to lock in their users.

"Since then, Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long-term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity," writes William Brown, developer of webauthn-rs, on his blog.

Almost Perfect

Passwords are a pain, and a massive security risk. They can be phished, guessed, stolen, or cracked, and if you use the same password for different services, then you're going to end up getting multiple accounts hacked. The answer has been to use a password manager to generate and store passwords, but even if your own "password hygiene" is perfect, you still have to trust the services you're using them with to keep their end secure.

[Image: Passkeys should be as portable as real keys. Credit: rc.xyz NFT gallery / Unsplash]

Passkeys, on the other hand, are invulnerable to most of this. They work by generating two related keys, one public and one private. The private key never leaves your devices and is the only thing that can produce the proof a service asks for when you log in. The public key, which you share with the service, can only be used to check that proof. It is designed to be public and is useless if stolen.

"Passkeys eliminate the need for users to remember complex passwords, reducing the risk of weak password usage. In addition, passkeys remove the reusing of passwords across different services," Bojan Simic, CEO and founder of passwordless company HYPR, told Lifewire via email. "Unlike passwords and some other forms of authentication, such as one-time-passwords (OTPs), SMS, and email links, there are no shared secrets with passkeys. The confidential credential information is not transmitted and is decentralized, rendering interception, theft, breaches, or cracking implausible."

To use a passkey, you authenticate yourself to your device with a face scan or fingerprint, and your device takes care of the rest.

So what went wrong?

Lock-In

Maybe you're already using some passkeys. If so, they're almost certainly being taken care of by your phone's built-in password manager—iCloud Keychain on your iPhone, for example. Now, try to export that passkey, either to another non-Apple phone, or to another app. Good luck with that. Your keys are automatically shared between your Apple (or Google-based) devices, but you are essentially locked in by the hassle of moving to another platform.

"There needs to be a specific focus on improving the portability of passkeys, which is currently inadequate. While networks like Apple and Google have developed their own systems for sharing passkeys across devices, open standards that allow users to export passkeys from one password manager to another, or from one vendor to another, are still lacking. Without careful management, this could lead to vendor lock-in, a problem not present with our existing password systems," Kee Jefferys, the CTO of encrypted messaging app Session, told Lifewire via email.

[Image: The passkey situation is a mess. Credit: rc.xyz NFT gallery / Unsplash]

Compare this to using an independent password manager like NordPass or 1Password. Those make it easy to share passwords between platforms, and they are adding support for passkeys too. The problem here is that you have to be a "power user" to even think about using a third-party password manager, and passkeys are supposed to eliminate that kind of hassle.

WebAuthn, or the Web Authentication API, is a standard supported by Apple, Microsoft, and Google, and the promise was that it would do away with passwords almost entirely. It still could. The technology is still amazing. But thanks to the land grab by the big platform owners, who are using their keychains as a way to stop you from leaving their platforms, it is actually a worse experience.

Does this mean sticking with regular passwords for now? It might. Passwords may be an insecure nightmare, but at least they are our insecure nightmare. Managed properly, you can mitigate many attacks, and—here's the big one—you can always have access to a password. You can even write it down on paper, and keep it in a safe, rather than in some possibly-inaccessible enclave of your phone. Try that with your iCloud passkey.
