Yubikey

Microsoft, Google and others are pushing hard for users to adopt passkeys.

And sure, when a good old password with a second factor can be phished in a manner that even Troy Hunt falls for¹, we clearly need to find a better way.

However, I’m nervous.

Not for myself or the other techies. 1password (other password managers are available; they’re just not as good) does an excellent job of storing passkeys, and my access to 1password itself is locked down using hardware keys as the second factor. I’m happy enough with the whole set-up to have started using passkeys instead of passwords where possible, including on my many, many Google accounts.

What bothers me is that the user experience on this stuff is a bit rough around the edges. If you’re trying to use a Yubikey to store a passkey, it gets into a fight with your password manager (if any) and Windows itself (I imagine macOS is similar).

For a lot of civilian users, though, their Windows or Apple laptop will just cheerfully offer to store the passkeys and tie them to face unlock or fingerprints.

What’s not clear to me, though, is what happens when my mother tips a cup of coffee into her laptop, which is the repository of her passkeys for accessing N different services. Is there any means of recovery or backup without having a password manager and training the user to use it in preference to the device itself?

If passkeys can get lost easily, we’ll either have to accept that recovery via e-mail and other angles of attack remain in place, or that a lot of people will be permanently locked out of their accounts.
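One piece of the puzzle that a service can actually act on, as an added illustration rather than anything from this post or from Yubico: the WebAuthn `authenticatorData` a relying party receives carries a "backup eligible" (BE) flag and a "backup state" (BS) flag, so the service can tell whether a passkey lives only on the one laptop or is synced somewhere else. The Python below is my own example. It parses that structure from constructed sample bytes (the RP ID `example.com` and the sign counts are made up) and applies a simple policy: if every credential on an account is device-bound, the service should nag the user to register a second one before the coffee incident, not after.

```python
"""Parse WebAuthn authenticatorData and decide whether an account has any
backed-up passkey.  Added example, not code from the original post.
Layout per the WebAuthn spec: rpIdHash[32] || flags[1] || signCount[4] ||
optional attested credential data / extensions (ignored here).
All sample inputs are constructed in build_auth_data(), not captured."""

import hashlib
import struct
from dataclasses import dataclass

# Bits of the single flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric)
FLAG_BE = 0x08  # backup eligible: credential may be synced/backed up
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix of authenticatorData."""
    if len(data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])  # big-endian uint32
    # The spec forbids BS=1 with BE=0; treat it as a malformed response.
    if flags & FLAG_BS and not flags & FLAG_BE:
        raise ValueError("BS flag set without BE flag")
    return AuthData(
        rp_id_hash=rp_id_hash,
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )


def classify_credential(auth: AuthData, expected_rp_id: str) -> str:
    """Return 'device-bound', 'synced', or 'sync-eligible' for one passkey,
    after checking the rpIdHash really belongs to this relying party."""
    if auth.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not auth.backup_eligible:
        return "device-bound"  # e.g. a Yubikey or a non-synced platform key
    return "synced" if auth.backed_up else "sync-eligible"


def needs_backup_prompt(classifications: list) -> bool:
    """Policy: prompt for a second credential unless at least one passkey
    on the account is actually backed up somewhere."""
    return "synced" not in classifications


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticatorData for the demo (constructed data)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # A synced passkey (sign counter is typically 0 for these) and a
    # device-bound one, both for the hypothetical RP example.com.
    synced = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    hw_key = build_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    kinds = [classify_credential(parse_auth_data(b), "example.com")
             for b in (synced, hw_key)]
    print(kinds, "prompt for backup:", needs_backup_prompt(kinds))
```

The `sync-eligible` case (BE set, BS clear) is the awkward one for the mother-with-coffee scenario: the platform could back the key up but has not, so from the service's point of view it is still a single point of failure.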

There probably is an answer to all this, but it’s not nearly obvious enough in my opinion.

¹I was lucky enough to be in the audience at his talk in Oxford later that day, and fair play to him for talking openly about falling for it and what should be done.