@dalias @whitequark @glyph @mcc What, no, @whitequark didn’t say anything about a separate device and the point still stands. It’s just pub/private crypto vs shared secrets. It’s one reason why we use SSH keys instead of passwords despite passwords being possible to generate uniquely and strongly.
For sure, this problem has been “solved” in the sense that you (and I) just use a password manager, tweak its generator when websites want some different “secure” password requirement, and know how to deal with the PITA if the passwords are shared across domains etc. Possibly even monitor HIBP and rotate the password in that case.
But all this is something that requires domain knowledge and we should admit that. We failed to make computers usable by end users. Which would be fine if we didn’t require them to do that.
If passkeys were implemented correctly the above problems wouldn’t appear, phishing would almost completely be gone and it would even be easier for users. And “losing credentials” wouldn’t happen either.
I’m honestly surprised about this pushback from you. We’re effectively unrestricting FIDO2, which has been our go-to advice for ages, and making the keys copyable like SSH keys are … and suddenly it’s all evil.
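The “pub/private crypto vs shared secrets” point from the post, as an added worked example that is not part of the original thread: a relying party stores only a public key, the browser (not the page) fills in the origin and rpId of the requesting site, and the authenticator signs a challenge bound to that rpId. A look-alike phishing origin therefore gets no usable assertion, whereas a password typed into the same page replays fine. The RSA here is a stdlib-only toy (not constant-time, not for production), and the origins, user names and class names are made up for the demo.

```python
"""Shared secret (password) vs origin-bound public-key assertion (FIDO2/WebAuthn-style).
Toy RSA over SHA-256 so the example runs with the Python standard library only."""
import hashlib
import json
import os
import random
import secrets
from urllib.parse import urlparse

# ---- toy RSA: NOT constant-time, no padding, NOT for production -----------------
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(c):
            return c

def gen_keypair(bits=512):
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:              # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- passkey side: authenticator, browser, relying party ---------------------------
class Authenticator:
    """One keypair per rpId; the private key never leaves this object."""
    def __init__(self):
        self._creds = {}
    def register(self, rp_id):
        pub, priv = gen_keypair()
        self._creds[rp_id] = priv
        return pub
    def get_assertion(self, rp_id, client_data):
        priv = self._creds.get(rp_id)
        if priv is None:
            return None                          # no credential for this site: nothing to sign
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return sign(priv, signed)

def browser_assertion(authn, page_origin, challenge):
    """The browser, not the page's JavaScript, decides origin and rpId."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, authn.get_assertion(rp_id, client_data)

class PasskeyRP:
    def __init__(self, origin):
        self.origin, self.rp_id, self.pubkeys = origin, urlparse(origin).hostname, {}
    def register(self, user, pub):
        self.pubkeys[user] = pub
    def new_challenge(self):
        return secrets.token_hex(16)
    def verify_login(self, user, challenge, client_data, sig):
        if sig is None:
            return False
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge \
                or cd.get("origin") != self.origin:
            return False                         # origin and challenge are inside the signed data
        signed = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return verify(self.pubkeys[user], signed, sig)

# ---- password side: the server stores a hash, but the secret itself is what travels --
class PasswordRP:
    def __init__(self):
        self.db = {}
    def register(self, user, pw):
        salt = os.urandom(16)
        self.db[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))
    def verify_login(self, user, pw):
        salt, h = self.db[user]
        return secrets.compare_digest(h, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))

def demo():
    """Constructed scenario: example.com is real, the other origin is a phishing look-alike."""
    real, authn = PasskeyRP("https://example.com"), Authenticator()
    real.register("alice", authn.register(real.rp_id))
    ch = real.new_challenge()
    legit = real.verify_login("alice", ch, *browser_assertion(authn, real.origin, ch))
    ch = real.new_challenge()                    # attacker relays a genuine challenge from its own page
    phished_passkey = real.verify_login("alice", ch,
                                        *browser_assertion(authn, "https://example.com.login-verify.test", ch))
    pw_rp = PasswordRP()
    pw_rp.register("alice", "correct horse battery staple")
    phished_password = pw_rp.verify_login("alice", "correct horse battery staple")  # captured and replayed
    return {"legit_passkey": legit, "phished_passkey": phished_passkey, "phished_password": phished_password}

if __name__ == "__main__":
    print(demo())
```

The point of the split is which layer blocks the phish: the authenticator has no key for the look-alike rpId, and even a relayed assertion would fail at `verify_login` because the signed client data names the wrong origin. A password has no such binding, so the same page captures and replays it successfully.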