Is Passkey Technology the Future of Password Security or Just Another Frustrating Hurdle?
2024-12-30
Author: Wei
Introduction
As the holiday season approaches, families gather to tackle a common technological woe: securely logging into countless online accounts. Although using the same password everywhere seems easy, the alarming rise in data breaches and sophisticated phishing attacks has made this practice a dangerous gamble. For Uncle Charlie, who just got his first smartphone, creating and remembering unique passwords for every service represents an uphill battle.
Enter Passkeys
Enter passkeys, the much-hyped alternative to traditional passwords. Designed to resist phishing and credential theft, the technology has been available to consumers for about two years. Initially, I was optimistic about passkeys and their potential to thwart these attacks. However, two years in, the reality brings the term 'usable security' into question.
The Usability Challenge
While the underlying FIDO2 specifications behind passkeys (WebAuthn in the browser, CTAP between browser and authenticator) are elegant, their implementation is anything but straightforward. Across browsers, operating systems, and password managers, each vendor has layered its own dialogs, storage choices and defaults on top of the standard, so the user-friendly experience the specification envisioned has been largely undermined, resulting in a convoluted and inconsistent experience for users.
Barriers to Ease of Use
Prominent software engineer William Brown raises a valid point: 'There are barriers at each turn that guide you through a developer's idea of how you should use them.' While these barriers might not be outright deal-breakers, they accumulate to create frustration.
Widespread but Confusing
Passkey support is now widespread, available across major platforms and hundreds of websites. But rather than streamline the login process, users are often left bewildered by a hodgepodge of workflows and options that vary from site to site. For instance, logging into PayPal with a passkey can differ dramatically between devices and browsers, and on some configurations it does not work at all, such as when using Firefox on Windows.
Syncing Across Platforms
The messy scenario continues when trying to use passkeys across different browsers and platforms. For example, users who create a passkey for LinkedIn on a Mac in Firefox may find that the credential is simply not offered when they later log in from another browser or app, because the private key lives in whichever store the creating browser used and is not visible to the others. In many situations, a password manager such as 1Password that syncs passkeys across platforms is the only effective solution, but even then users find themselves wrestling with confusing dialogs that push vendor preferences instead of presenting the available options.
Vendor Messaging Dilemmas
As a case in point, when someone tries to enroll a physical security key on macOS, they are greeted with prompts steering them toward creating a platform passkey instead, leading them away from their original goal. In other instances, a simple login morphs into a frustrating chase through vendor messaging that sidelines the user's intention in favor of promoting that platform's own solution.
Locked Into Ecosystem
The issue only gets trickier when using multiple devices. David Heinemeier Hansson, a notable developer, has criticized the passkey ecosystem as burdened with unnecessary dependencies that can lock users out of their accounts when they move between platforms. This fragmentation illustrates a broader problem: without seamless cross-platform coexistence, adopting passkeys can feel like being trapped in a single vendor's walled garden.
Current Limitations
Currently, despite hundreds of supported sites, no major ones have gone entirely passwordless. Most still allow a standard login with a traditional password, which undercuts the security promise: a passkey only removes phishing as an attack if the attacker cannot simply fall back to phishing the password, so an account is only as strong as its weakest remaining login path. Moreover, many platforms still use SMS codes for that fallback, a method vulnerable to SIM swapping and to real-time phishing relays that leaves accounts exposed.
The Bright Side
Despite these drawbacks, the technology itself offers clear benefits. A passkey login combines two factors in one step: possession of the authenticator (the phone, laptop or hardware security key holding the private key) and user verification, which is either something you know (a PIN) or something you are (a biometric). The private key never leaves the authenticator, and each assertion is signed over the site's identity and the server's fresh challenge, so a credential captured on a lookalike phishing page cannot be replayed against the real site. In environments with less variation in technology, think small businesses or individuals with consistent device usage, passkeys can serve as a robust solution.
Conclusion
The big takeaway: if you're still relying on traditional passwords, adopt a password manager now. Tools like 1Password generate long, unique passwords for every site, so a breach at one service no longer hands attackers a password that works everywhere else. If Uncle Charlie can navigate this terrain, surely others can, too. In the end, while passkeys are a genuine advance in authentication, the road to usability remains fraught with challenges and complications. To truly capitalize on the technology, further improvements in cross-platform support and user experience are essential, and sites will need to retire their password and SMS fallbacks before the phishing resistance is more than theoretical. Understanding these trade-offs is key to deciding whether to embrace passkeys today or stay with a well-managed traditional setup for now.