Brutkey

Daniel AJ Sokolov
@newstik@social.heise.de

How I regret trying a #passkey on an online account!

Before, my #password manager would fill in username & password automatically in the browser, only once in a while I would be asked for 2FA. I clicked "log in", and I was.

Since I accepted the passkey, the browser opens a page, then another, then another, so I wait. Then I have to pick which passkey to use (out of a total of 1). Then I have to identify myself to obtain access to the passkey, then a couple more pages loaded.

1/2


Daniel AJ Sokolov
@newstik@social.heise.de

2/2 At least this implementation of a #passkey is a bad user experience. Total turnoff.

Yes, I can still use username and password, but now I am asked for 2FA every single time, because the system expects the doggone passkey.

In short, for low value accounts, passkeys really don't seem to be worth the #hassle.

tim
@timcappalli@infosec.exchange

@newstik@social.heise.de which credential manager are you using?

Daniel AJ Sokolov
@newstik@social.heise.de

@timcappalli@infosec.exchange That depends, but in this case Chrome for Android. I wanted my first foray into passkeys to be with a mass market product.

tim
@timcappalli@infosec.exchange

@newstik@social.heise.de in that case, the default credential manager is Google Password Manager. You didn't see prompts like this (create a passkey, then use a passkey)?