Passkeys Promised a Future Without Passwords, But They're Turning Our Present Into a Walled Garden

One of its advocates cautions users that how Big Tech firms are using passkeys to further confine users within their ecosystems.

No comments Twitter Flipboard E-mail

The original vision for the technology behind passkeys was completely open. The goal was pretty straightforward: To find an alternative to eliminate passwords. However, the approach to achieving this has been compromised.

At least, that’s what William Brown, a software engineer at SUSE Labs, claims. He’s well-versed in this area, given that he was the person primarily responsible for developing webauthn-rs, an open-source Rust library created to implement the WebAuthn (Web Authentication) standard.

The Rust library was one of the first to implement the type of authentication sought with passkeys and has been used in projects like authenticator-rs, which is used in Firefox. However, Brown is disappointed with the direction the passkey ecosystem has taken.

Over 150 platforms already support passkeys. Companies and platforms such as WhatsApp, Twitter, TikTok, PlayStation, PayPal, Microsoft, Google, Apple, and Amazon have adopted this interesting new way to sign in.

Passkeys are codes created using public-key cryptography, eliminating the need to remember multiple passwords for different platforms. They are stored and managed automatically on devices like cell phones or PCs and allow users to log in using facial recognition, fingerprint recognition, or a PIN.

According to Brown, the issue is that major technology companies seem to prioritize their own interests when offering this seamless user experience. For example, he mentions Chrome, a browser controlled by Google, which dictates what Chrome can and can’t integrate.

Moreover, the implementation of passkeys is inconsistent and uneven. In this regard, there’s another known issue: Physical security keys–such as YubiKeys and Google’s Titan–don’t work well, as they have a limited storage capacity. Many of them can store no more than 25 keys, but users often have many more platforms that they access regularly.

So, what role have Google and Apple had in all this? These companies have turned our mobile devices into a “security key,” further locking us into their ecosystems. These secure credentials can’t be extracted or exported, and the experiences offered by websites are, once again, inconsistent and not entirely effective.

Wired reporter Matt Burgess attempted to switch from using passwords to using passkeys exclusively, but he described the experience as “a total mess.” This sentiment was also echoed in several threads on Reddit.

While the idea is promising, the implementation falls short. Brown suggests using a password manager like Bitwarden, which is open-source and free to download, as an alternative to the closed ecosystems of Apple or Google.

“If you really want passkeys, you should store them in a password manager that you can control. Don’t use a platform-controlled keystore, and be very cautious with security keys,” Brown says.

He also advised that if you decide to use a physical security key, you should use it specifically to unlock the password manager and your email account, as these are the two major entry points to the rest of your credentials for accessing other platforms.

Image | Yungkingz via Midjourney

Related | Wi-Fi 7: What is It, What is It for and All the New Wi-Fi Standard Features

Home o Index