Passkey technology is elegant, but it's most definitely not usable security

Overall sentiment

  • Thread is highly mixed: many find passkeys elegant in theory but frustrating in practice; a minority (especially all‑Apple users) report they “just work” and feel like a clear upgrade over passwords.
  • Several technically competent users have tried hard and given up, calling current passkey reality “not ready for prime time” or even a failed product; others see messy but acceptable progress for a large ecosystem shift.

Usability and UX problems

  • Major pain: confusing prompts that strongly push the OS vendor’s store (Apple/Google/Microsoft) and obscure alternatives like hardware keys or third‑party managers.
  • Cross‑device use is inconsistent, especially across vendors (e.g., iOS + Windows + Android, or iPad + Android phone).
  • Many sites’ implementations are buggy or half‑baked; some still require passwords/TOTP on top of passkeys or only support a single passkey per account.
  • Users complain they must juggle multiple passkeys per site (for different devices/providers) and manually test whether login actually works.

Vendor lock‑in and account risk

  • Non‑exportable passkeys (and TOTP seeds) are widely seen as intentional lock‑in, not just “safety.”
  • Tying all credentials to Apple/Google accounts scares people given reports of sudden, opaque account bans that cascade into loss of email, photos, phones, and 2FA.
  • Some call for regulation: guaranteed login/appeals windows, bans on disabling “log in with X” after involuntary termination.

Password managers vs platform stores

  • Many prefer cross‑platform password managers (1Password, Bitwarden, Proton Pass, KeePassXC) as the primary passkey or password backend.
  • Advantages cited: works across OSes, easier export/backup (where supported), less dependence on a single cloud ecosystem.
  • But OS/browser integration for third‑party passkey providers is inconsistent; sometimes the OS refuses or makes it hard for them to handle WebAuthn flows.

Hardware security keys

  • Hardware tokens (e.g., YubiKeys) are praised for security and a clear mental model, but criticized as impractical for everyday users, vulnerable to loss or fire, and limited by the number of credential slots they can store.
  • NFC/USB support is still uneven across devices, though improving.

Security properties vs real‑world behavior

  • Pro‑passkey side stresses phishing resistance and enforced good credential hygiene (unique, unguessable, non‑reusable secrets).
  • Critics note passwords + good managers already offer near‑equivalent protection for savvy users, without the portability and recovery headaches.
  • Real‑world needs—account sharing with spouses/relatives, tech support for elders, cross‑platform life changes—are often poorly served by device‑ or vendor‑bound keys.

Standards and implementation gaps

  • Server‑side WebAuthn integration is seen as complicated; few simple, drop‑in libraries exist.
  • New FIDO specs for import/export and credential exchange are in draft; some managers already support export, but interoperable, user‑friendly migration and backup are still emerging.