Passing on passkeys

Tuesday,  09/10/24  07:42 AM


Today's rant: passkeys considered bad.  I knew this instinctively, based on their complexity, but David Hansson explains it in detail.  Whew.

Passwords are a problem, for sure, for me as a user as well as for me as an applications developer.  Good passwords are hard to remember, every site has different rules, sometimes you have to change them, sometimes you can't reuse them, and everybody writes them down insecurely.  (Yep, you do too, admit it.)

So when passkeys were invented, everyone said yay.  But they don't solve all the problems and create many new ones: they are hard to carry across multiple devices, hard to create in the first place, and hard to implement.  And they rely on central authorities.

Whenever there's a new thing, I try to understand it.  (Blockchains!  LLMs!  Etc!)  If the thing escapes me, maybe that's on me - sometimes I'm slow and it has to soak before I get it.  But mostly if I don't get it, it's on the thing - it's too complicated to be good.  (W=UH!)  And so it seems with passkeys.

The best solution to passwords is not to have them at all.  Just send the user a limited time link in text or email.  This is simple to explain, simple to use, simple to implement.  And no less secure than passwords; most of the time you can change or recover a password with a link in text or email anyway.  Oh, and it supports multiple devices easily.
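The limited-time link described above, worked through as an added example (my code, not the blog's): a small service that issues a one-time login link and redeems it. The in-memory store, the 15-minute lifetime, the `https://example.test/login?token=...` URL shape and the `MagicLinkService` / `token_from_url` names are all assumptions made for the example; the delivery step (sending the link by text or email) is left to the caller.

```python
"""Time-limited, single-use login link: issue and redeem (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a link is good for 15 minutes


@dataclass
class PendingLogin:
    user_id: str
    token_hash: bytes
    expires_at: float


class MagicLinkService:
    """Issues links carrying a random token and redeems each one at most once.

    Only a SHA-256 hash of the token is kept at rest, so a copy of the store
    does not yield usable links. The clock is injectable so expiry can be tested.
    """

    def __init__(self, base_url: str, clock: Callable[[], float] = time.time):
        self.base_url = base_url
        self.clock = clock
        self._pending: Dict[bytes, PendingLogin] = {}  # assumed in-memory store

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the link to send to them."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        token_hash = self._hash(token)
        self._pending[token_hash] = PendingLogin(
            user_id=user_id,
            token_hash=token_hash,
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        return f"{self.base_url}/login?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id for a valid, unexpired, unused token, else None."""
        token_hash = self._hash(token)
        # pop() makes the link single-use whatever the outcome below
        record = self._pending.pop(token_hash, None)
        if record is None:
            return None
        # constant-time comparison of the stored hash against the presented one
        if not hmac.compare_digest(record.token_hash, token_hash):
            return None
        if self.clock() > record.expires_at:
            return None  # expired links are discarded, never honoured late
        return record.user_id


def token_from_url(url: str) -> str:
    """Extract the token query parameter from a link (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService("https://example.test")
    link = svc.issue("alice")
    print("send this link:", link)
    tok = token_from_url(link)
    print("first redeem:", svc.redeem(tok))   # alice
    print("second redeem:", svc.redeem(tok))  # None, link already used
```

The three properties a practitioner would check are visible in `redeem`: the token is unguessable (CSPRNG, 256 bits), it is consumed on first use, and it dies after its window. With these in place the security of the scheme rests on the channel the link travels over, which is the same channel most password-reset flows already trust.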

I get the appeal and value of two-factor authentication.  Simple and better.  After you remember your password and enter it, we'll send you a text or email too, just to make sure.  But maybe we skip the "remember your password and enter it" part?  Simpler and betterer.

So long passkeys, we hardly knew ya...

Comments?