Yep, Passkeys Still Have Problems
Perceived Complexity and Poor UX
- Many commenters find passkeys over‑engineered compared to password+TOTP, especially for multi‑step enterprise login flows already bloated with redirects and 2FA.
- Users often don’t understand where a passkey is stored (phone, browser, OS keychain, password manager) or what happens when they scan a QR code.
- Prompts to “create a passkey now” are described as naggy, with dark‑pattern bypasses, especially on corporate SaaS sites where users don’t want or need them.
- UI copy like “saved in ‘Passwords’” is viewed as confusing; people want clearer, explicit explanations of storage, sync, and recovery.
Cross‑Device and Corporate/Shared Machines
- A recurring concern: logging into personal accounts from locked‑down corporate machines where installing apps, using USB keys, or syncing profiles is blocked.
- FIDO cross‑device authentication (QR‑code flow using a phone’s passkey to sign in on another device) is cited as the intended solution, but several users had never heard of it and see that as evidence of poor communication and UX.
Vendor Lock‑In, Standards, and Control
- Major worry: relying on Apple/Google/Microsoft or a specific credential manager to hold keys that users can’t export in cleartext or back up as simple files.
- Discussion centers on FIDO’s credential exchange format, attestation, and AAGUIDs; some fear relying parties (e.g., banks) could block certain authenticators or FOSS tools, effectively enforcing vendor lock‑in.
- There is debate between those who argue that only encrypted, manager‑to‑manager exports should be allowed and those who insist that users must be able to obtain the raw private keys if they explicitly choose to.
Recovery, Lockouts, and Death/Estate Access
- “Vendors can lock you out” is a strong objection, especially for accounts of deceased users where heirs need access.
- Some point to legal frameworks and password‑manager “Emergency Kits” as partial mitigations, but others highlight horror stories of permanent Apple/Google/PayPal lockouts and see this risk as unacceptable with non‑exportable passkeys.
Device Loss, Backup, and Migration
- One camp says “tied to a single device” is a misconception: mainstream platforms and password managers sync passkeys across devices with end‑to‑end encryption (E2EE).
- Others stress ecosystem silos (Apple vs Google vs Microsoft vs Linux), inability to create simple offline backups, and the fact that specs allow sites to block syncing or certain authenticators.
- Compared to password+TOTP, many feel passkeys offer equal or worse recovery in edge cases (device loss, banned accounts, no reset channel).
Security Benefits vs Password+TOTP
- Pro‑passkey commenters emphasize phishing resistance: a passkey assertion is bound to the relying party’s domain, so the browser will not produce one for a look‑alike site and the real site rejects anything signed for the wrong origin, whereas a password+TOTP code can be typed into any phishing page.
- Skeptics argue a strong random password + TOTP is “secure enough,” simpler to reason about, easier to back up (including on paper), and more portable between tools and platforms.
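As an added illustration of the phishing‑resistance point (not code from the discussion or from any vendor), the check below shows what a relying party does with the `origin` in `clientDataJSON` and the `rpIdHash` in `authenticatorData` before it even verifies the signature: an assertion produced on a look‑alike domain fails both. The function names, the sample challenge and the domains are constructed for the example.

```python
import hashlib
import json
import struct

UP_FLAG = 0x01  # authenticatorData flags bit: user presence


def build_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    The real authenticator computes rpIdHash from the RP ID the browser passed, and the
    browser only passes an RP ID that matches the page's own origin."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(challenge: str, origin: str) -> bytes:
    """Constructed clientDataJSON as the browser fills it in for a 'get' ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def check_domain_binding(rp_id: str, expected_origin: str, expected_challenge: str,
                         client_data_json: bytes, authenticator_data: bytes):
    """Relying-party side: return (ok, reason). Signature verification over
    authenticatorData || SHA-256(clientDataJSON) is the separate step that follows."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & UP_FLAG:
        return False, "user presence not asserted"
    return True, "assertion is bound to %s" % rp_id


if __name__ == "__main__":
    # Constructed legitimate login versus an assertion obtained on a look-alike domain.
    good = check_domain_binding("example.com", "https://example.com", "c0ffee",
                                build_client_data("c0ffee", "https://example.com"),
                                build_authenticator_data("example.com"))
    bad = check_domain_binding("example.com", "https://example.com", "c0ffee",
                               build_client_data("c0ffee", "https://examp1e.com"),
                               build_authenticator_data("examp1e.com"))
    print(good, bad)
```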