David Sparks is frustrated by the slow adoption of passkeys. Me too. And he pointed out why sites hedging their bets and letting you set up both a password and a passkey can be dangerous, which I hadn’t considered:
When a site offers both options, it creates a tempting target for bad actors. Imagine this: You try to log in with your shiny new passkey, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just handed over your credentials to the bad guys.
It works directly against the promise that passkeys are unphishable.
I tried to get a non-tech person to use a passkey, and it was not going to happen.
@darrencohen.me If it were all that was offered, I think people would get on board. It’s way easier!
For general end users I don’t believe passkeys are as simple as touted, because it isn’t logical for a lot of people.
But I agree that offering both doesn’t really solve that problem (and seems lazy tbh)
@jagibson I dunno, I see most people, even non-techies, using their phone’s built-in password manager these days. If they’re already using that, passkeys aren’t much different, and are technically easier/faster to set up. A hang-up is cross-platform usage, but again, I don’t see many people confused by QR codes these days.
I don’t think it’s as clear-cut. I think conceptually the passkey (especially cross-platform) paradigm is not as clear a concept as originally intended, and there are real support burdens companies go through for their users with these kinds of shifts (meaning end-user friction).