Here are my quick reflections about today, “World Password Day”.
Passwords hurt many, many people. They’re incredibly user-hostile, putting burdens on people that computing devices should solve instead. I love my password manager because it helps me navigate the world, but there is a limit on who can be helped with software that layers on top of the broken password experience.
I can see that that pain is increasingly understood by the people who make and manage apps and websites, as evidenced by huge uptake of passkeys, as well as other “passwordless” strategies deployed by websites. I’m seeing a mix of passkeys, OTPs, and magic links these days.
A few months ago, I wrote about the flaws of email “magic links” and how passkeys can be integrated with magic links to provide a better user experience. I’m still proud of this piece, and I’d love for folks to read it. https://rmondello.com/2025/01/02/magic-links-and-passkeys/
Large websites and apps are seeing incredible results deploying passkeys as a core part of their user authentication strategies, with fewer failed sign-ins and faster sign-ins overall. And this is before we’ve seen large uptake of “Automatic Passkey Upgrades”, which will accelerate this trend.
Obviously, passkeys aren’t perfect, but they have compelling industry momentum and a group of stakeholders who care deeply about making them better. User experiences are being refined, powerful capabilities are being added, and yes, the ability to move passkeys between credential managers is coming.
I am thrilled by the progress passkeys have made in just a few short years and extremely optimistic about their future. Let’s keep it up. :)
@rmondello And passkeys are causing their own disaster, locking out users who have been prompted to use them without understanding the ramifications, and combined with the abysmal account recovery protocols and lack of customer service by firms like #Google, the same category of people who have been left to swing in the wind before are getting the shaft again.
The uptake of passkeys has nothing to do with understanding the issues, it's the way Google and others are pushing so hard for users to accept them when they don't understand them and will be screwed by them later. And Google doesn't care.
@lauren @rmondello Not just that, but they're designed to be un-exportable.
If you use, say, Apple's implementation, but some day you decide you want to try Android, you need to log in to _every single website_ and generate a new passkey (and even that is challenging, because you'll need to log in on an Apple device but then somehow create the passkey on an Android device; I'm not even sure how you'd do that---maybe backup codes or something).
When LastPass decided to f*** over their customers, I just dumped a CSV of all my credentials and imported it into Bitwarden. By design, there is no way to do that with passkeys. That's why vendors are pushing them, and consumers are going to rue the day they took the bait.
Passkeys are probably the single most anti-competitive thing tech has come up with in the past decade.
@dangoodin @tyler @lauren @rmondello import and export to CSV doesn't need a fucking "alliance". It should be a basic feature of anything managing your logins.