Reading List

DHH Argues Against Passkeys from Daring Fireball RSS feed.

DHH Argues Against Passkeys

David Heinemeier Hansson:

Yes, passwords have problems. If you’re using them without a password manager, you’re likely to reuse them across multiple services, and if you do, all it takes is one service with awful password practices (like storing them in plain text rather than hashing them with something like bcrypt), and a breach will mean hackers might get access to all your other services.

But just because we have a real problem doesn’t mean that all proposed solutions are actually going to be better. And at the moment, I don’t see how passkeys are actually better, and, worse still, can become better. Unless you accept the idea that all your passwords should be tied to one computing ecosystem, and thus make it hard to use alternative computers. [...]

Bottom line, I’m disappointed to report that passkeys don’t appear worth the complexity of implementation (which is substantial!) nor the complexity and gotchas of the user experience. So we’re sticking to passwords and emails. Encouraging opt-in 2FA and password managers, but not requiring them.

Passkeys seemed promising, but not all good intentions result in good solutions.

I don’t have strong feelings about passkeys, but I am vaguely unsettled by them. There’s no way to use passkeys without using a proper password manager, like Apple Passwords with iCloud Keychain, or 1Password. But if you’re using a proper password manager, your passwords should all be unique and random, and you should have convenient access to 2FA codes. So what’s the point of passkeys if they can only be used by people who are already using a good password manager? Perhaps the thinking is that too many users just can’t be budged from the risky habit of using passwords they have memorized, and passkeys are a way to break that habit because they can’t be memorized.

Also, I really dislike the practice of replacing passwords with email “magic links”. Autofilling a password from my keychain happens instantly; getting a magic link from email can take minutes sometimes, and even in the fastest case, it’s nowhere near instantaneous. Replacing something very fast — password autofill — with something slower is just a terrible idea. For people who actually prefer email magic links, it’s fine as an option, but it shouldn’t be the default, and it certainly shouldn’t be the only way to sign into an account.