Introducing passkey support to Fastmail

Perceived Benefits of Passkeys

  • Advocates highlight: no shared secret sent over the network, replay resistance, strong protection against database leaks and phishing.
  • Passkeys are compared to SSH keys or FIDO security keys: origin‑bound, non‑forwardable, and can’t be copied or pasted into chats or phishing forms.
  • Seen as especially beneficial for non‑technical users who don’t use password managers or reuse weak passwords.
  • Some view them as a “protocol upgrade” for password managers, simplifying security while keeping similar workflows.
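As an added illustration of the origin binding behind the first two points (example code, not from the discussion or from Fastmail): the relying-party-side checks a WebAuthn assertion must pass before its signature is even considered. RP_ID, ALLOWED_ORIGINS and the rp.example domain are constructed placeholders, and signature verification over authenticatorData || sha256(clientDataJSON) is deliberately left out to focus on the binding checks.

```python
import base64
import hashlib
import json

# Relying-party configuration (constructed placeholders for this example).
RP_ID = "rp.example"
ALLOWED_ORIGINS = {"https://login.rp.example", "https://www.rp.example"}


def b64url_decode(s: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Check the fields that make a passkey assertion origin-bound and replay-resistant.

    The browser, not page script, writes `origin` into clientDataJSON and the
    authenticator hashes the RP ID it was given, so a look-alike domain cannot
    produce values that pass these checks. Signature verification is omitted."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % client_data.get("origin")
    if len(authenticator_data) < 37:          # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:     # UP flag: user presence
        return False, "user presence flag not set"
    return True, "ok"


# Helpers that build constructed assertion fragments the way a browser and
# authenticator would, so the checks can be exercised offline.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```

A credential phished through a look-alike origin fails on the origin check, and one captured and resent later fails on the challenge check, which is the concrete form of the "origin-bound, non-forwardable" claim above.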

Skepticism vs Password Managers

  • Several argue good password managers already provide strong, unique passwords and phishing resistance via domain‑matching and autofill.
  • Critics say the only significant incremental benefit is replay resistance, and that advantages are being oversold.
  • Concerns that people bypass autofill and copy‑paste into phishing sites, undermining theoretical protections.

Usability, UX, and Edge Cases

  • Confusion reported among less‑technical users when prompted to “migrate to passkeys.”
  • Edge cases raised: logging in on shared/hotel/work computers, device loss while traveling, broken phones, and reliance on backup hardware or recovery schemes.
  • Some frame “you can’t log in from an untrusted machine” as a feature; others see it as dangerously inflexible for critical access.

Vendor Lock‑in and Sociological Concerns

  • Strong worry that passkeys deepen dependence on big tech ecosystems and cloud keychains (Apple, Google, etc.).
  • Fear that once passwords are phased out, users will effectively be forced into particular vendors.
  • Counter‑argument: passkeys can also live in third‑party or self‑hosted password managers and hardware keys, potentially reducing dependence on phones and SIM‑based OTP.

Implementation Details and Ecosystem Support

  • Questions about Chrome/Windows cloud sync; one reply suggests storage in TPM but details remain unclear.
  • CTAP2/WebAuthn flows (QR codes, phone as security key) are cited as a way to use passkeys on other devices without revealing credentials.
  • Some complain that discoverable passkeys make older hardware keys with small slot limits less useful.

Fastmail-Specific Feedback

  • Login UI with initial “username only” field is divisive: some dislike extra steps; Fastmail staff justify it for passkey/SSO flows and non‑resident keys.
  • Billing complaints about inability to prepay long in advance; Fastmail explains constraints of new billing provider and describes grace periods.
  • Security critique around DMARC and STARTTLS; Fastmail management disputes the characterization and outlines current practices and rationale.