I’ve been listening to the same music every night when I go to sleep 10+ years now. Weird endorsement; I’ve listened to it with more attention plenty of times too. But it’s particularly good for going to sleep; calm, interesting, and comfortably familiar.
That music is GAS, Werner Voigt’s ambient techno project (Bandcamp, Youtube). The primary collection is Nah und Fern, four albums that were made over 1996–2000. In 2017 he released a new GAS album, Narkopop. Followed in 2018 by Rausch and 2021 Die Lange Marsch (a sort of remix). I like the first four most.
Ambient music is pretty hit or miss. For every brilliant work like Music for Airports or Aphex Twin’s early music there’s a zillion gormless electronica and “earth fart” recordings that fail to inspire. Furniture music is supposed to be in the background, sure. But still high enough quality to be appreciated.
GAS succeeds. It has just enough of a beat (sometimes) to make time flow without being overwhelming like regular techno or something rhythmically complex like Autechre. The sounds are richly textured with a bit of fuzz and noise to make it organic. And I like the slightly broody or sinister tone. Not scary, but they make me happy I’m snug in my home under the blankets.
That’s the post. What are passkeys? I don’t have answers, just questions. I believe passkeys are a great idea but the tech world is doing a terrible job explaining them. Someone really needs to explain how passkeys work in Internet products. Existing descriptions aren’t sinking in, as evidenced by the confusion online. For instance this Hacker News discussion where a new Passkey product announcement is met with a bunch of basic questions about what Passkeys even are.
Update: see these newer Passkey overview articles here and here. Also my own notes written after this was published.
The tech is pretty well defined: Passkeys are a password replacement that uses WebAuthn to log you in to stuff. Companies are widely deploying them now: Apple, Google, Microsoft, 1Password. Passkeys are an industry consensus and are arriving in production very soon or already has. Great! Now then what are they really?
Here’s some questions from my perspective as an ordinary if expert Internet user. I own a few computers and phones and don’t want to trust just one company with my entire digital identity.
The core of many of these questions is exactly what a passkey is. What I want to read is an article that explains the gestalt of passkeys and identity on the Internet in a way the answers to all these questions becomes clear.
My understanding from what I’ve read is that passkeys are an authentication token, basically a replacement for a single secret like a password. Naively that’d mean I’d need a different passkey for every website I log in to (just like I need different passwords). But I could be wrong. Or maybe the passkey intention is that we use federated logins, so sites like my Mastodon server use Google to help me log in with my Google passkey? (That’s an enormous business problem, if so.)
My other understanding is a lot of my questions don’t have good answers yet. Ie: revocation of a passkey or migrating to new devices. The product announcements from various companies say “trust us, that’s coming soon”. But I do not trust a company like Google or Apple to later add a feature that will make it easy for me to migrate away from their loving embrace. That stuff has to be defined and working before Passkeys are a good product for consumers and the Internet.
Update: Ensuing discussion has made one thing clear: you don't share passkeys between sites. You have a separate passkey for each thing you log in to. That clears up several of my questions. I don't know how I didn't understand that already but the confusion isn't mine alone.
There really needs to be a good, clear description of Passkey as a product so questions like this aren’t being asked over and over again. I’m hopeful the folks working on this stuff understand the answers and just haven’t communicated it well.
After yesterday’s post about passkeys I got enough answers to learn how to use passkeys myself as a consumer. Here’s what I learned. If you want to try it yourself, passkeys.io is a nice demo server.
Passkeys work a lot like passwords do today. You create a different passkey for each website and use it to log in. Your passkeys are stored in what’s called a “Passkey Authenticator”, agent software on your computer. (Behind the scenes passkeys use public key systems that are better than passwords.) Your phone probably works today as a passkey authenticator but most sites don’t support passkeys yet.
Managing passkeys — backing up, migrating, sharing passkeys between devices — is still a work in progress. Android and Apple both support syncing passkeys between devices, that’s important so you can log in even if you don’t have your phone with you. Some software can also delegate. For instance Chrome on Windows will use Bluetooth to use a passkey on a nearby Android phone.
The passkey authenticator is the main user interface. The rest of this post is notes on what authenticators are available to consumers. See also this companion piece that’s a deep dive into the user experience on Android, Chromebooks, and Windows.
Apple seems the best implementation of a passkey authenticator today. It’s built in to Keychain, Apple’s existing authentication product that is pretty well designed. There’s a bunch of screenshots in this article of how the Apple experience works. My Apple-using friends say it’s pretty usable. Keychain syncs passkeys between devices via iCloud.
Android has a passkey authenticator built in called “Google Password Manager,” which already saves ordinary passwords you use in the phone’s web browser. Here’s Google’s docs for users about that and some technical notes on security. Android syncs syncs passkeys between devices. It’s also pretty usable but passkeys are Android-only, not available on desktop (yet).
Chrome on Windows or a Chromebook has passkey support. But the Chrome browser doesn’t store passkeys itself, it delegates to nearby Android devices via Bluetooth. Firefox and Edge on Windows can also do this delegation. Chrome can also delegate to Windows as the passkey authenticator instead of Android.
Microsoft Windows has an authenticator that is connected to Windows Hello, their relatively new login system. I don’t know much about it but it's what you'd use to store passkeys on your Windows machine.
1Password, the password agent, is shipping passkey support in about a month. They have a demo that actually works on Chrome and Edge. It’s nice! In theory this should be a good cross-device way to manage and sync passkeys. I'm waiting for it before adopting passkeys widely.
Dashlane, the password agent, has passkey support. Sounds like early days but usable.
Yubikey, the hardware login token, has a passkey story. I don’t know much about it, their writing points out that passkeys aren’t really anything new and they’ve been doing this kind of thing all along.
Having spent most of a day playing with passkeys my impression is they work today and are usable. My main concern is there’s no support for migrating your passkeys out of, say, Google Password Manager and in to Apple Keychain. And I fear given business realities no one is in a hurry to enable that. The other problem is how long it will take sites to adopt passkeys; we’re going to be stuck with passwords for a good long time.