Casey Liss
Podcast Appearances
uh that implement passkeys choose totally different policies for those passkeys than other websites, because you can... websites can choose to do whatever they want. They can give you a passkey and then remove your password. They can let you use a password and a passkey. GitHub uses passkeys as a second factor in a two-factor login, so you enter your username and your password, and then as a second factor, one of the things that you can use is your passkey, which is totally not the supposed intention of passkeys, but technologically there's nothing stopping you from doing it. So
The bottom line is that every website that uses passkeys has some different notion of where they fit in in their website. And maybe that will change over time. Like in the beginning, we wanted to roll out passkeys just to try them out. And if lots of people adopt them, maybe we'll do this.
But just because a website supports passkeys or anything supports passkeys doesn't mean... My perspective is I don't know, based on that...
how it's going to work. Okay, so you've got passkeys. When someone says, like, "Oh, we support usernames and passwords," I more or less know how that's going to work these days, although there was a kind of a, uh... older people remember the somewhat annoying, drawn-out transition between, uh, sites and other things asking you for a username that was not an email address. You both remember those days, right? Mm-hmm.
Those were not good days. Some websites still do it. But in general, we've sort of settled on, if you're going to have a login to a website that's not going to be, like, a third-party login, like login with Google, login with Twitter, login with Apple, whatever, then it's going to say username and password, and the username is going to be an email address. But.
Back in the bad old days, you had to come up with a username and put numbers at the end of it and do other awful things, right? That's where we are, I feel like, with passkeys. It's like, oh, so you support passkeys? I don't know what you're going to want from me. If I enable this passkey, are you going to remove my password and my password won't work anymore?
Because sometimes I don't want to do that, not because I don't trust passkeys, but because I don't trust the website to implement passkeys well enough. And there are some things, you know, Casey mentioned the sharing of passkeys, which I think is trivial with Apple's Passwords. It's just like you put it in a shared group or whatever. And by the way, I'm loving the shared groups.
I made a bunch for my family and they're really making your life better. So thumbs up on that, as someone who wasn't a 1Password user, which has that feature, has had it for ages. It's great for me to have it now and the Apple Keychain thing. But passkeys, there are still some technical limitations. The sort of
export/import flow for passkeys is supposedly coming soon, but it's not available yet. They want to do it in a secure way, so on and so forth, and that is a limitation versus plain old passwords, where it's easy, for example... not easy, but it is very possible, for example, to migrate from 1Password to Apple's password system, because 1Password has an export and Apple's Passwords has an import.
Obviously, making that export is incredibly insecure, right? Because there's your passwords in plain text and a file that you're going to import or whatever. So that's not great. And passkeys are going to try to do that better. But there's no good cross-platform way to do that with passkeys yet. And every website that uses passkeys can pick a different policy. And you really never know what it's going to be.
Can you just log in with the passkey by itself? Can you keep the password in the passkey? If so, how do you choose to use the passkey? Are you only prompted to use your passkey when you use browser X and not browser Y? Does it work on your phone or your Mac? My stance is, anytime there is a passkey, I would like to use it instead of a password, but I'm not even always given that option.