Notices by jcoglan (jcoglan@mastodon.social)

@blaine @evan @darius part of this is that programming, like a lot of other things, has the property that if you get good at it, the scope and complexity of your ideas for what to do with it grow

you also find out that growing and maintaining programs is a different sort of problem that writing the first draft

you also find out that a lot of the effort of making software is not in writing code, it's in thinking and talking to other people about it

@blaine @evan @darius the fallacy at the core of a lot of this stuff is the idea that the hard part of making software is writing the first draft of it. which... it's not that programming isn't difficult and making it more accessible isn't good, but once you become passably ok at it you just start finding lots of other problems you previously weren't aware of

@blaine @darius @evan right, product development does not consist of someone having an idea and giving the blueprints to a developer, it is conversational and both parties push it in different directions, can both tell each other they're solving the XY problem, etc

I am a software developer with some understanding of security and cryptography and *I* have found passkeys hard to understand from existing available information

ok now I've remembered the rest of how passkeys work and they're *really* stupid

replacing passwords with biometrics is a terrible idea, sorry

do they replace passwords, do they perform some auxiliary function, am I responsible for retaining them, what happens if they get lost, how do they work across devices

I am finding them absolutely impenetrable to understand which bodes poorly for them actually helping users

e.g. are biometrics an essential part of passkeys, and if so: A. that is really silly and B. how does this work when I am not using a phone

my current password scheme: has no essential state, requires storing nothing, cannot be breached by stealing my phone, its keys can be written down on paper, I cannot be physically compelled to reveal any of it

passkeys+biometrics: the opposite of all these

given the opaque nature of the essential state, it requires a ux solution that boils down to "the user must retain a particular physical device, or access to a vault where the keys are stored, which is secured with a password"

I actually don't understand how you can look at the ux and security problems with passwords and conclude that making users retain a set of private keys, a concept that is completely opaque to most people, will help at all

you're replacing passwords with "the user has to retain a set of private keys or else they lose access to their accounts", which implies stealing a physical device with said keys gets you into the victim's accounts

passwords are very problematic but people do understand what they are and what it expected from them. asking the user to adopt passkeys without explaining their obligations if they want to retain account access is just offering to lock them out of their account

I see the great history of educating users on security continuing as a website offers to save a "passkey" on my computer with no explanation of what a passkey is

who called it creating a new python package manager and not reinventing the wheel