← Back to context

Comment by goku12

1 day ago

Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design.

I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage.

Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rollout an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extend that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini).

9 comments

goku12

Reply
cyberax  1 day ago

Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.

  • goku12  1 day ago

    > Passkeys ARE self-signed certs.

    So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?

    • lxgr  21 hours ago

      You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

      Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.

      2 replies →

    • lxgr  21 hours ago

      You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

      Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.

    • cyberax  1 day ago

      Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

      If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.

      2 replies →