Author here. My sentiment is mixed. I like the anti-phishing protection of passkeys. I don't like getting locked into one password manager.
I think passkeys are worth it for ordinary sites/apps that support resetting your password with a simple email, because if you lose your passkey, you can just reset your passkey with a simple email.
The main point of the article is to demystify passkeys, especially passkey resets. Lots of people (especially on HN, even here on this thread) are in the habit of saying that if you lose your passkey, you're going to get permanently locked out of your account.
That's no more true (and no less true) of passkeys than passwords. If you lose your password, you'll have to reset your password. If you lose your passkey, you'll have to reset your passkey, via the exact same process as resetting your password, however easy/hard that may be.
Logging into Google with a passkey feels more perilous to me, especially if Google is your password manager. Losing your Google password is bad, but you can see your Google password. You can write it down and keep it somewhere secure in your house.
If you're using a passkey to log in to Google, you've really gotta go to https://myaccount.google.com/security and set up backup codes, and then keep those in a secure vault in your home.
(But, if you can trust yourself to keep a secure backup code, and not give it away to a phisher, then you're not getting much benefit from passkeys, are you?)
> Author here. My sentiment is mixed. I like the anti-phishing protection of passkeys. I don't like getting locked into one password manager.
Most sites that support passkeys let you make more than one passkey. For all sites I've made passkeys for except one I've simply made two passkeys, one using 1Password and one using Apple's Password.
The one site I have not done this with is Premera. They only let you have one passkey as far as I can tell.
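The two points raised in this thread, that a site can hold several passkeys per account and that losing one is recovered through the same email reset path as a lost password, as an added relying-party sketch that is not code from either commenter or from any site named above; the `PasskeyAccount` class, its `max_passkeys` policy and all sample values are constructed for illustration:

```python
import hashlib
import hmac
import secrets
import time


class PasskeyAccount:
    """Hypothetical relying-party account record: several passkey credential IDs,
    a hashed email reset token with expiry, and hashed single-use backup codes."""

    def __init__(self, email, max_passkeys=2):
        self.email = email
        self.max_passkeys = max_passkeys  # a one-passkey-only site would set 1
        self.passkeys = {}                # credential_id -> public key
        self.reset_hash = None
        self.reset_expires = 0.0
        self.backup_hashes = set()

    def register_passkey(self, credential_id, public_key):
        # A second passkey from another manager is accepted only within policy
        if credential_id not in self.passkeys and len(self.passkeys) >= self.max_passkeys:
            return False
        self.passkeys[credential_id] = public_key
        return True

    def request_reset(self, ttl=900):
        # Same email flow as a password reset; only the token's hash is stored
        token = secrets.token_urlsafe(32)
        self.reset_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_expires = time.time() + ttl
        return token  # this is what gets emailed to the user

    def complete_reset(self, token, new_credential_id, new_public_key):
        if self.reset_hash is None or time.time() > self.reset_expires:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.reset_hash):
            return False
        # Recovery replaces every old passkey, just as a reset replaces a password
        self.passkeys = {new_credential_id: new_public_key}
        self.reset_hash = None  # token is single use
        return True

    def issue_backup_codes(self, n=8):
        codes = [secrets.token_hex(5) for _ in range(n)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes  # shown once; the user keeps them offline

    def redeem_backup_code(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest not in self.backup_hashes:
            return False
        self.backup_hashes.discard(digest)  # each code works exactly once
        return True
```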