Dan Romero
@dwr.eth
Why Passkeys aren't a panacea
1. Passkeys are password-less credentials built on WebAuthn. The OS companies — Apple, Google and Microsoft — are responsible for their implementation.
2. For most users, Passkeys are usually stored in the OS vendor's secure cloud, e.g. iCloud, to sync across devices.
3. This means that you need to have devices from the same ecosystem — a Mac and an iPhone — for sync to work.
4. Naturally, there are plenty of people with a different mobile device vs. computer.
5. Further, OS vendors have been inconsistent with the various features of Passkeys they implement, e.g. Apple did largeBlob and Google did PRF.
6. Would expect this to take a few more years at a minimum before all the consumer UX kinks are rolled out.
11 replies
2 recasts
53 reactions
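Added example, not from the thread: a relying party that wants an app-specific secret from a passkey has to ask for both the PRF and largeBlob extensions and then check which one the platform actually honored, because, as point 5 notes, vendor support differs. The rpId, challenge and user values are constructed placeholders.

```javascript
// Request both WebAuthn extensions at registration. The browser silently
// drops any extension the platform authenticator does not implement, so the
// relying party must inspect getClientExtensionResults() afterwards.
const textEncoder = new TextEncoder();

function buildCreationOptions({ rpId, challenge, userId, userName }) {
  return {
    challenge, // server-generated random bytes (constructed in the test)
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: { residentKey: "required", userVerification: "required" },
    extensions: {
      // PRF: derive a per-credential secret from a fixed salt (Google/Chrome path)
      prf: { eval: { first: textEncoder.encode("app-kdf-v1").buffer } },
      // largeBlob: ask the authenticator to store app data with the credential (Apple path)
      largeBlob: { support: "preferred" },
    },
  };
}

// Each field is absent when the platform ignored the extension, so test for
// the spec-defined success indicators rather than assuming presence.
function detectExtensionSupport(extResults) {
  const prf = extResults && extResults.prf;
  const largeBlob = extResults && extResults.largeBlob;
  return {
    prf: Boolean(prf && (prf.enabled === true || (prf.results && prf.results.first))),
    largeBlob: Boolean(largeBlob && largeBlob.supported === true),
  };
}

// Pick the secret-storage strategy the app can rely on for this credential;
// "none" means the app must fall back to a server-side or per-device scheme.
function chooseSecretStrategy(support) {
  if (support.prf) return "prf";
  if (support.largeBlob) return "largeBlob";
  return "none";
}

async function register(opts) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn is only available in a browser context");
  }
  const cred = await navigator.credentials.create({ publicKey: buildCreationOptions(opts) });
  const support = detectExtensionSupport(cred.getClientExtensionResults());
  return { credentialId: cred.id, support, strategy: chooseSecretStrategy(support) };
}
```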

shazow
@shazow.eth
Isn't that missing the existence of password managers? 1Password, Bitwarden, etc. all support passkeys and are platform neutral. Also passkeys can be very powerful if we treat them as per-device signers (no sync necessary). We can use our world computer with programmable security to globally manage device signers for us. (Keystore rollup is another approach, and can even do interesting offchain versions, currently reviewing a design where it's a state channel of CRDT updates that get flattened onchain on demand.) Overall I think passkeys may end up being more useful for crypto than they are for Google/Apple.
6 replies
1 recast
3 reactions

boscolo.eth
@boscolo.eth
Password managers are an anti-pattern that should be phased out and replaced with device-specific TEE-protected credentials. They create a central point of failure that becomes a liability when teams let the code rot like LastPass did.
1 reply
0 recast
0 reaction

shazow
@shazow.eth
You just described passkeys. 🫠
1 reply
0 recast
0 reaction