May 7 2023
This blog post doesn’t have the answers. I’m trying to learn about passkeys, but I don’t claim to be an expert. I do have a lot of questions, especially for Apple, because I’m an Apple user and developer. According to Betteridge’s law of headlines, “Any headline that ends in a question mark can be answered by the word no.” Nonetheless, I want to suggest that the answer to the question posed by my headline might be yes. One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can’t be ignored. Google recently wrote about the beginning of the end of the password. Apple has also indicated that it wants passkeys to replace and eliminate passwords. For example, the manager of the Authentication Experience team at Apple has said, “I’m really looking forward to working with all y’all to eliminate passwords and the harm they cause.” Even 1Password, with “Password” literally in its name, has written about the passwordless experience you deserve, asking the rhetorical question “If passwords are going away, do I still need a password manager?” and stating “We believe passwordless is the future, and we want to help everyone get there faster.” Although the timeline is unknown at this point, the end game is known: the end of passwords, game over.
A passkey, in essence, is nothing but a cryptographic key pair—a public key and a private key—like you would use with ssh. The major difference between passkeys and ssh keys is how they are managed. You can, and should as good practice, generate separate ssh keys for each ssh service that you use, just as you should generate separate random passwords for each web service that you use. It’s really not that hard, folks! Just add an entry to your ~/.ssh/config file:
Host github.com
User git
IdentityFile ~/.ssh/id_ed25519_github
However, this is optional, and if you really insist, you can use the same public-private key pair with multiple ssh services. On the other hand, passkeys are always associated with a single web service, never with multiple services, so that’s an improvement in security over ssh keys and passwords. There’s no reuse, and as far as I know there’s no real downside to lack of reuse, because passkey generation and site association is handled automatically by the authenticator.
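To make the “one key pair per site, chosen by the authenticator” property concrete, here is a toy model in Go that I’ve added for illustration; it is not code from this post or from Apple, and the names (Authenticator, Register, Assert, Verify) and the simplified signed layout of sha256(rpID) || challenge are my own stand-in for the real WebAuthn message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator holds one key pair per relying-party ID, created on demand.
// This mirrors how a passkey is bound to a single web service: there is no
// "reuse the same key for another site" path, only "create another key".
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key, never exported
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assert signs sha256(rpID) || challenge, a miniature of a WebAuthn assertion:
// the signed data names the site, so it cannot be presented to another one.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Verify is the relying party's side: check the signature with the public key
// it stored at registration, over its own rpID and the challenge it issued.
func Verify(pub ed25519.PublicKey, rpID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(rpID, challenge), sig)
}
```

Note that the private key never leaves the Authenticator struct, which is exactly the property that makes the export question below interesting.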
So far, so good. So what’s the problem? With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external hard storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device. You can easily test for yourself with a demo site.
I hate iCloud and never use it for anything important. I avoided iCloud entirely for a very long time, but I finally caved in to customer demand and enabled iCloud Drive so that I could add iCloud export and import of settings to my web browser extension StopTheMadness and more recently iCloud sync to my new Safari