I’ve been listening to the same music every night when I go to sleep 10+ years now. Weird endorsement; I’ve listened to it with more attention plenty of times too. But it’s particularly good for going to sleep; calm, interesting, and comfortably familiar. That music is GAS, Werner Voigt’s ambient techno project (Bandcamp, Youtube). The primary collection is Nah und Fern, four albums that were made over 1996–2000. In 2017 he released a new GAS album, Narkopop. Followed in 2018 by Rausch and 2021 Die Lange Marsch (a sort of remix). I like the first four most. Ambient music is pretty hit or miss. For every brilliant work like Music for Airports or Aphex Twin’s early music there’s a zillion gormless electronica and “earth fart” recordings that fail to inspire. Furniture music is supposed to be in the background, sure. But still high enough quality to be appreciated. GAS succeeds. It has just enough of a beat (sometimes) to make time flow without being overwhelming like regular techno or something rhythmically complex like Autechre. The sounds are richly textured with a bit of fuzz and noise to make it organic. And I like the slightly broody or sinister tone. Not scary, but they make me happy I’m snug in my home under the blankets. That’s the post. What are passkeys? I don’t have answers, just questions. I believe passkeys are a great idea but the tech world is doing a terrible job explaining them. Someone really needs to explain how passkeys work in Internet products. Existing descriptions aren’t sinking in, as evidenced by the confusion online. For instance this Hacker News discussion where a new Passkey product announcement is met with a bunch of basic questions about what Passkeys even are. Update: see these newer Passkey overview articles
here
and here.
Also my
own
notes written after this was published.
The tech is pretty well defined: Passkeys are a password replacement that uses WebAuthn to log you in to stuff. Companies are widely deploying them now: Apple, Google, Microsoft, 1Password. Passkeys are an industry consensus and are arriving in production very soon or already has. Great! Now then what are they really? Here’s some questions from my perspective as an ordinary if expert Internet user. I own a few computers and phones and don’t want to trust just one company with my entire digital identity.
The core of many of these questions is exactly what a passkey is. What I want to read is an article that explains the gestalt of passkeys and identity on the Internet in a way the answers to all these questions becomes clear. My understanding from what I’ve read is that passkeys are an authentication token, basically a replacement for a single secret like a password. Naively that’d mean I’d need a different passkey for every website I log in to (just like I need different passwords). But I could be wrong. Or maybe the passkey intention is that we use federated logins, so sites like my Mastodon server use Google to help me log in with my Google passkey? (That’s an enormous business problem, if so.) My other understanding is a lot of my questions don’t have good answers yet. Ie: revocation of a passkey or migrating to new devices. The product announcements from various companies say “trust us, that’s coming soon”. But I do not trust a company like Google or Apple to later add a feature that will make it easy for me to migrate away from their loving embrace. That stuff has to be defined and working before Passkeys are a good product for consumers and the Internet. Update: Ensuing discussion has made one thing clear:
you don't share passkeys between sites. You have a separate passkey
for each thing you log in to. That clears up several of my questions.
I don't know how I didn't understand that already but the confusion
isn't mine alone.
There really needs to be a good, clear description of Passkey as a product so questions like this aren’t being asked over and over again. I’m hopeful the folks working on this stuff understand the answers and just haven’t communicated it well. After yesterday’s post about passkeys I got enough answers to learn how to use passkeys myself as a consumer. Here’s what I learned. If you want to try it yourself, passkeys.io is a nice demo server. Passkeys work a lot like passwords do today. You create a different passkey for each website and use it to log in. Your passkeys are stored in what’s called a “Passkey Authenticator”, agent software on your computer. (Behind the scenes passkeys use public key systems that are better than passwords.) Your phone probably works today as a passkey authenticator but most sites don’t support passkeys yet. Managing passkeys — backing up, migrating, sharing passkeys between devices — is still a work in progress. Android and Apple both support syncing passkeys between devices, that’s important so you can log in even if you don’t have your phone with you. Some software can also delegate. For instance Chrome on Windows will use Bluetooth to use a passkey on a nearby Android phone. The passkey authenticator is the main user interface. The rest of this post is notes on what authenticators are available to consumers. See also this companion piece that’s a deep dive into the user experience on Android, Chromebooks, and Windows. Apple seems the best implementation of a passkey authenticator today. It’s built in to Keychain, Apple’s existing authentication product that is pretty well designed. There’s a bunch of screenshots in this article of how the Apple experience works. My Apple-using friends say it’s pretty usable. Keychain syncs passkeys between devices via iCloud. Android has a passkey authenticator built in called “Google Password Manager,” which already saves ordinary passwords you use in the phone’s web browser. Here’s Google’s docs for users about that and some technical notes on security. Android syncs syncs passkeys between devices. It’s also pretty usable but passkeys are Android-only, not available on desktop (yet). Chrome on Windows or a Chromebook has passkey support. But the Chrome browser doesn’t store passkeys itself, it delegates to nearby Android devices via Bluetooth. Firefox and Edge on Windows can also do this delegation. Chrome can also delegate to Windows as the passkey authenticator instead of Android. Microsoft Windows has an authenticator that is connected to Windows Hello, their relatively new login system. I don’t know much about it but it's what you'd use to store passkeys on your Windows machine. 1Password, the password agent, is shipping passkey support in about a month. They have a demo that actually works on Chrome and Edge. It’s nice! In theory this should be a good cross-device way to manage and sync passkeys. I'm waiting for it before adopting passkeys widely. Dashlane, the password agent, has passkey support. Sounds like early days but usable. Yubikey, the hardware login token, has a passkey story. I don’t know much about it, their writing points out that passkeys aren’t really anything new and they’ve been doing this kind of thing all along. Having spent most of a day playing with passkeys my impression is they work today and are usable. My main concern is there’s no support for migrating your passkeys out of, say, Google Password Manager and in to Apple Keychain. And I fear given business realities no one is in a hurry to enable that. The other problem is how long it will take sites to adopt passkeys; we’re going to be stuck with passwords for a good long time. I tried out Noom, the weight loss and cognitive behavioral therapy program. The app is more like CBT for upselling customers than CBT for weight loss. Now I’m hoping they’ll delete my sensitive medical data and refund the $3 they tricked me out of. (They did, quickly in response to my support email.) I was excited to try Noom. I’ve used basic calorie counters in the past and was hoping for something better. I’m also curious about CBT. And a friend recommended it. The account creation process goes OK at first. Then it gets more and more involved, taking 10–20 minutes to fill out the questions. There’s little UI tricks to keep you engaged: fake progress bars, questions injected at random intervals. Classic product UI hacking. At first it told me that I’d reach my weight goal in about a year. Seemed reasonable! Then it kept shaving weeks off that as I answered questions, like I was making progress already. The conclusion it came to is that I was going to lose 18 pounds in the first month. Pretty sure that’s not possible, certainly not healthy. Then the upselling begins. They ask some questions to find out your interests and then offer premium packages. “Folks who pay for this package lose 35% more weight” Look, I just want to try the basic thing. It looks like a 7 day free trial but before you know it they want you to pay asserting “it costs $10 to offer a 7 day trial”. Really? They gave me a choice of what to pay from $0.50 to $18.83. I chose $3 and had to pay via PayPal / credit card; super sus they don’t just use Google Pay on the Android app. They also try to get you to sign up your friends. They talk about how having folks involved in your program will make you more successful. Which is probably true but then immediately they’re asking for email addresses and offering discounts and gift certificates. It’s marketing, not therapy. The whole thing was so sleazy and deceptive. Particularly for a therapy-like product. Real therapists have all sorts of ethical guidelines to stop them from exploiting their customers. Noom instead seems to be using CBT to trick customers into paying more. Gross, gross, gross. I worked at Twitter part-time starting June 2007. I've never talked much about this in public. I'm revisiting it because of the complete disaster Elon Musk has made of Twitter. His sabotage of the company has felt personal to me. It hurts to watch him destroy something I helped create. The recent API debacle particularly stings. Early Twitter was chaotic without enough experienced engineers. I acted as a management advisor. I helped the engineers organize and the executives work better with engineering. I did some good but I've always wished I could have done more. In retrospect, I should have committed more time. I did enjoy a long insider relationship with some of the leadership and was of some help that way. The most useful concrete thing I did was what we called "Nelson's graphs". I made some simple measurements of performance like tweet delivery times. Post a tweet to one account and see when it shows up on another account's timeline. (Note this graph shows an average of 15 minutes!) ![]() Simple but useful. It was a clear view of whether the site was working and ended a lot of arguments. These days we'd call this basic devops but in 2008 it was still a novel idea. My graphs kept running for several years even after they leaked to the press. I grieve for Twitter now. I grew to love it over the years and was an enthusiastic user. Musk has ruined Twitter both culturally and technically. I suspect Twitter will survive in some new smaller, crueler form. But I've moved on to Mastodon and that's working for me. I’ve found a mobile app for weather I finally like enough to be happy about paying for. Windy, best known for its website. The mobile app has extra phone features like notifications and home screen widgets. Also its UI is a little more understandable. ![]() Windy makes a strong first impression with its colorful animation of winds. But wind speed is not that interesting to me. Windy also does an excellent job displaying radar, air quality, current thunderstorms, etc. Even weather station observations and webcams. All displayed beautifully and uniformly; that’s not easy! ![]() But my favorite thing is the forecast view, hidden away in the website but a bit easier to find on mobile. It’s a lot of detail packed into a very small tabular display. I appreciate that it shows the full forecast by hour going out for days. Also the choice of forecast models; their website explains the options. It’s all very nerdy in the way I want. It’s not great at “weather at a glance” but is good for a deeper understanding. Their business model seems to be a $19/mo yearly subscription. Their privacy policy is clear they won’t sell your data to third parties. The app says “we do not store your location on our servers”. Most weather apps are sleazy and sell your location to advertisers and data brokers. Sadly they have nothing like Dark Sky’s unique microforecasts. Nothing to say “it will rain where you are standing in 7 minutes”. But they do have excellent presentation of large scale traditional forecasts. I've added an archive calendar to my linkblog, so you can see old posts going all the way back to 2003. The UI is a little minimal but usable and it will work for any search indexers, which is what I most care about. Note old posts will have a grey background because I wasn't classifying link sentiment (new posts are white or black). The most fun thing here are the images; I generated them for all my old links. Of course that's only possible if the site is up, I generated most of these in July 2022. I've got a total of 20,700 links going back 19 years; that's an average of about 90 a month. I've been pretty steady the whole time, 50-150 a month with no missing time. A key thing is it's very easy for me to linkblog a new post, I just use the Pinboard browser extension and it's done. The time sorted archive is not too thrilling. The other choice here would be to use the tags somehow to extract archives by topic, maybe cluster in to categories or (god forbid) do a tag cloud. A project for another time. My Starlink Internet service has gotten pretty bad; every evening I'm well under 50Mbps and some hours I only get 2Mbps. (Compare 100Mbps+ last year.) I've given up trying to stream 1080p video at night; that's a pretty dismal result for a new Internet service in 2022. Starlink imposed major restrictions on US customers last month: 1 TB / month data cap and expected download speeds dropped from 50-200Mbps to 20-100Mbps. Details of all that on my secret blog. Note they didn't drop the price, we're still paying $110/month. Maybe the new caps will help the congestion? I'm sympathetic to their technical problem. They have limited bandwidth and they have to share it somehow. Caps are an awkward solution; most users have no idea how much bandwidth they are using or why and thus can't control it. Starlink's caps are nice in that if you exceed the cap you just get lowered in priority, not charged money or cut off. So maybe it'll be self regulating. My real fear is that instead of improving service the result of all this is Starlink is just going to add even more customers to an already overloaded network. Ken and I just got back from a 23 day trip exploring most of Austria. We had a lovely time although we did get a little worn out and ready for home after a couple of weeks. Along the way we stayed in Vienna, Graz, the Wörthersee, Zell am See, Innsbruck, Salzburg, Hallstatt, Linz, and Dürnstein. A nice mix of cities and countryside. I tweeted a bunch of postcards, easily viewed here and here. ![]() My favorite places were the town of Graz and the countryside in the south from the Wörthersee through Zell am See to Innsbruck. The drive over the Grossglockner Alpine Road was a particular highlight and the lush green alpine valleys of Styria, Carinthia, and Tyrol were just a delight. Salzburg was also a very good visit. Linz was an industrial disappointment and Hallstatt was tourist hell; skip it unless you are very interested in the archaeological story. We ate very well on this trip; Austrian cuisine is more interesting than the schnitzel-and-boiled-beef that was my stereotypical view. Lots of fresh fall ingredients. The pumpkin cream soup was particularly good. Enhanced with Kürbiskernöl, pumpkin seed oil that's deliciously nutty and green tasting. And of course plenty of fantastic sweets; the French call pastry viennoiserie for a reason. The single best meal we ate was at Pfefferschiff in Salzburg. This is gonna sound silly but one of the nicest home improvements we've done recently is install a new garage door opener, the Liftmaster 87504-267. It works so much better than my old insecure garage door! Internet access is the surprise best feature; I use it all the time. Mostly to walk in and out of the garage door without my car. There's also a keypad remote I can mount outside so someone can punch in a code to open the door. Setting this all up was easy and reliable. There's even a way to give Amazon access to open your garage for deliveries. The opener also has a camera. I would have skipped that if I'd known, saved some money. But it's actually quite useful! If I get a notification the garage door opens I can easily see on my phone what's going on. Basic live views seem to be free, there's a subscription if you want stored video. Ken's favorite feature is the motion sensor that turns the light on. The lights on the unit are bright, it's enough to light the whole garage without having to flip a switch. I also appreciate there's a battery backup built-in so if the power goes out I can still easily open the door. The drive itself is smooth and quiet too, belt drives are a real improvement. The #1 upgrade you should do for an older house is a dishwasher; they got a lot better about 15 years ago. But #2 may well be the garage door opener. |