That’s the post. What are passkeys? I don’t have answers, just questions. I believe passkeys are a great idea but the tech world is doing a terrible job explaining them. Someone really needs to explain how passkeys work in Internet products. Existing descriptions aren’t sinking in, as evidenced by the confusion online. For instance this Hacker News discussion where a new Passkey product announcement is met with a bunch of basic questions about what Passkeys even are.

The tech is pretty well defined: Passkeys are a password replacement that uses WebAuthn to log you in to stuff. Companies are widely deploying them now: Apple, Google, Microsoft, 1Password. Passkeys are an industry consensus and are arriving in production very soon or already has. Great! Now then what are they really?

Here’s some questions from my perspective as an ordinary if expert Internet user. I own a few computers and phones and don’t want to trust just one company with my entire digital identity.

• What device holds my passkey(s)? Let’s assume it’s my phone.
• What software do I use for my passkeys? I trust 1Password already; can they do all my Passkeys for me? Or can my web browser hold my passkeys?
• Who issues me a passkey? Let’s say Google issues me one.
• Logging in to Google with a Google passkey is easy, right? I just unlock my phone and press a button? Awesome!
• Do I have many passkeys or just one?
• How do I log in to some other website, say my Mastodon server? Can I use my Google passkey there too? Or does my Mastodon server issue a different passkey?
• How do I log in to Google if I temporarily don’t have my phone with my passkey on it?
• How do I reset a passkey if my phone is stolen?
• How do I log in to other sites if Google goes offline or revokes my account or something?
• How do I migrate my passkeys to a new phone?
• Can I store the same passkey on several devices for convenience?
• Can that passkey be automatically synced between devices, securely?
• Can I use multiple passkeys to log in to the same account?
• Can I share a passkey with my partner so we can both log in to the thermostat?
• Can I still use passwords to log in to a site even with a passkey enabled?
• I have two factor authentication with a TOTP code generator. Does the passkey replace my password? The code? Both?
• I really want to use two factors for my bank: I don’t trust just my passkey on my phone to log in me in. How does that work?
• Can I use passkeys to log in to apps and computers? Or just web sites?
• If I own a fancy Yubikey device can I use it as a passkey? Use it to protect my passkey?
• Is there a way for me to generate a passkey myself so I don’t have to trust a company to issue it for me?
• Can I turn off passkey on a site and log in some other way?

The core of many of these questions is exactly what a passkey is. What I want to read is an article that explains the gestalt of passkeys and identity on the Internet in a way the answers to all these questions becomes clear.

My understanding from what I’ve read is that passkeys are an authentication token, basically a replacement for a single secret like a password. Naively that’d mean I’d need a different passkey for every website I log in to (just like I need different passwords). But I could be wrong. Or maybe the passkey intention is that we use federated logins, so sites like my Mastodon server use Google to help me log in with my Google passkey? (That’s an enormous business problem, if so.)

My other understanding is a lot of my questions don’t have good answers yet. Ie: revocation of a passkey or migrating to new devices. The product announcements from various companies say “trust us, that’s coming soon”. But I do not trust a company like Google or Apple to later add a feature that will make it easy for me to migrate away from their loving embrace. That stuff has to be defined and working before Passkeys are a good product for consumers and the Internet.

There really needs to be a good, clear description of Passkey as a product so questions like this aren’t being asked over and over again. I’m hopeful the folks working on this stuff understand the answers and just haven’t communicated it well.