Watching my wife struggle to do something on a banking app that I did on the same app with no trouble just a few days ago, I am once again reminded how difficult it is for people who don't grok computers to function in the modern world.
I am also reminded that I personally am incapable of empathizing with people who don't grok computers. "What's the matter with you?" I think to myself. "Why can't you do this simple thing?" I can't seem to truly internalize that it's not simple for them.
I used to think if I didn't help my wife with IT stuff, she'd figure things out on her own. I eventually figured out nope, she would do what so many people do: find inefficient, suboptimal ways to do things so as to avoid needing to interact with computers. But increasingly, that's not even an option: it's the computer or nothing.
My wife isn't stupid or dumb or incompetent. She's smart and talented. She just thinks differently. Lots of people do. They are being left behind.
This thread is me posting through it instead of going to therapy to do something about the immense frustration I feel every time I try to help my wife with anything computer-related. 🤪
Seriously, the issue in this thread is why I think #passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it. #infosec
@jik Passkeys aren’t universally tied to a single device; at least on iOS and Windows they’re tied to your platform account and available anywhere you’re signed in with that account. At least 1Password can also handle them.
I’m curious what platform you’re on where it is tied to a device, because if that is the case it’s certainly an issue.
@jik I do not know the whole ecosystem so I might be missing something, but using Bitwarden (Vaultwarden) and Apple's Keychain, passkeys are synced across devices and I can provision new devices that have access to them.
As long as we talk about “regular users” or traditional threat models that don’t involve three-letter agencies or whole governments, I see this as a small improvement over TOTPs as a second factor.
Not sure how I feel about them as only login mechanism.
@fallenhitokiri I've addressed the syncing elsewhere in the thread.
I actually think passkeys are a _huge_ improvement for regular users in the normal case when everything is going fine. My concerns are about usability when things go badly wrong and users don't do what they're "supposed to," both of which happen far more in the real world than tech vendors like to acknowledge or plan for.
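The thread's disagreement (device-bound vs. synced passkeys, and whether sites should push users toward a backup login method) maps onto two bits a relying party already receives at registration: the WebAuthn backup-eligible (BE) and backup-state (BS) flags in the authenticator data. The example below is added here and is not code from anyone in the thread; the `recovery_advice` policy strings and the all-zero `rpIdHash` in the constructed sample data are assumptions for illustration.

```python
"""Read WebAuthn authenticator-data flags to tell whether a passkey is
device-bound or synced, and decide whether to nudge the user to set up
a backup login method.  Added example, not from the thread."""
import struct

# Flag bits of the authenticator data flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up (synced)


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed header: rpIdHash (32 B), flags (1 B), signCount (4 B)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def recovery_advice(parsed: dict) -> str:
    """Relying-party policy after registration (policy text is assumed)."""
    if not parsed["backup_eligible"]:
        # Hardware key or no sync available: losing the device loses the login.
        return "device-bound: require a second passkey or other backup method"
    if not parsed["backup_state"]:
        # Sync is possible but has not happened yet (e.g. cloud sync turned off).
        return "sync-capable but not backed up: prompt user to enable sync"
    return "synced: no extra action, still record a recovery contact"


def build_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data (constructed; rpIdHash is dummy zeros)."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for name, flags in [("security key", FLAG_UP | FLAG_UV),
                        ("platform, sync off", FLAG_UP | FLAG_UV | FLAG_BE),
                        ("platform, synced", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)]:
        print(name, "->", recovery_advice(parse_auth_data(build_auth_data(flags))))
```

A site can run this check once at registration and again on each login, since a user who later disables cloud sync will show BE set but BS cleared.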