© 2025 科技回声. All rights reserved.

Amazon Passkeys Launched: Response to Consumer Demand with Poor Implementation

62 points, by vdelitz, over 1 year ago

8 comments

newscracker, over 1 year ago
> Recognizing the increasing demand by consumers to enhance security and in particular user convenience, Amazon rolls out passkeys widely across most devices and browsers. This underlines Amazon's commitment to bend to consumer demand.

Which consumer base has demanded enhanced security and convenience (for which passkeys are the proclaimed answer)? The non-tech crowd has no idea what it is and is probably just hearing about it. The tech crowd on a forum like HN seems to be mostly against it because of issues with account recovery and cross-device use that passwords don't pose.

From what I understand, it seems like passkeys may ultimately rely on SMS OTP or similar mechanisms for account recovery. The other likely result would be losing the account forever, especially if the user is a single device one (there are billions of such people around the world).

I'm going to wait it out a little longer to see how the interoperability factors play out in reality and learn from those who are braver than me.
Comment #37911077 not loaded
Comment #37911155 not loaded
Comment #37912508 not loaded
Comment #37911681 not loaded
lxgr, over 1 year ago
Sorry to be so bitter about this, but at this point, "Amazon botches UX design for feature X" isn't news – "Amazon delivers usable UX" would be.

Passkeys are complicated enough, but even as somebody having spent hours looking into WebAuthN and setting up my own smartcard-based NFC authenticator, it took me a while to understand what's going on with Amazon's implementation.

- "If you want to add a passkey, use a different cloud service account (example: Apple ID or Google account). Each cloud service account can only have one passkey for Amazon." is what I see in Firefox, for example – what on earth does that mean? Firefox doesn't synchronize passkeys with either of these accounts. The issue is that they don't support platform authenticators on macOS. That error message does not make sense!

- Ok, I get it now, so Firefox does not support passkeys, hence the button is greyed out, fair enough. But, wait... 1Password does provide passkey support through their Firefox extension. It works on every other WebAuthN/passkey-supporting site. And 1Password's passkeys do work on Amazon using Chrome! Do they just sniff the user agent here and grey out the button on Firefox? What's going on?

- The only option to manage passkeys in my Amazon account is to... *delete ALL of them*. I guess adding a list of passkeys and the dates they were added, like almost every other service I know supports, was just too much to ask from Amazon.

- "If you didn't set up this passkey, please go to your account settings to delete the passkey." – Oh, right, let me quickly go through the literal *dozens of options* in my Amazon account page. I get that Amazon does not want to train users to click links from emails (although that ship has arguably sailed, which is why we are getting WebAuthN in the first place: it's phishing-resistant!). But is it too much to ask to simply reference the path there, i.e. "Your Account -> Login & security -> Passkey" in that message?

On the other hand, this is completely in line with my user experience on any Amazon site or product. I wonder if Amazon is even aware of the mere *concept* of UI/UX design as something other than a half-day task any backend engineer is just expected to do as part of the feature they're shipping.
Comment #37911121 not loaded
Comment #37912366 not loaded
Comment #37911165 not loaded
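The second bullet above asks whether the passkey button is greyed out by sniffing the User-Agent. The check a relying party should make instead is feature detection on the page, which is what the following added example does (it is not Amazon's code). The window object is passed in as a parameter so the same function runs under Node against a constructed stub; the probe names are the real static methods of PublicKeyCredential. Password-manager extensions that provide passkeys hook navigator.credentials, so this probe sees them even in a browser without a built-in platform authenticator.

```javascript
// Added example, not Amazon's code: decide how to present the passkey option by
// feature-detecting WebAuthn on the page rather than sniffing the User-Agent.
// `win` is the page's window (a parameter so the logic can run under Node with a stub).
async function passkeyUiMode(win) {
  const PKC = win.PublicKeyCredential;
  const creds = win.navigator && win.navigator.credentials;
  if (!PKC || !creds || typeof creds.get !== 'function' || typeof creds.create !== 'function') {
    // No WebAuthn API at all: hide the option rather than showing a greyed-out button.
    return { showButton: false, reason: 'WebAuthn API absent' };
  }
  // Both probes are optional static methods returning promises. A missing or failing probe
  // means "unknown" and must not disable the button: roaming security keys and the
  // cross-device (QR/hybrid) flow work without a platform authenticator.
  const probe = async (name) => {
    try { return typeof PKC[name] === 'function' ? (await PKC[name]()) === true : false; }
    catch { return false; }
  };
  return {
    showButton: true,
    platformAuthenticator: await probe('isUserVerifyingPlatformAuthenticatorAvailable'),
    conditionalUI: await probe('isConditionalMediationAvailable'), // passkey autofill on the login form
  };
}

// In a browser: passkeyUiMode(window).then(mode => { /* render the login UI from `mode` */ });
```

With this check a Firefox profile whose passkeys come from an extension returns showButton: true, because the extension's hooked navigator.credentials.get is what the probe sees; a browser with no WebAuthn support at all returns showButton: false. Neither result depends on the User-Agent string.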
freitasm, over 1 year ago
Just set up passkeys on my Amazon account.

1. Asking for OTP after using a passkey is redundant and annoying.
2. Not listing the keys individually makes management hard - I can't remove a single Yubikey, or Windows Hello or my phone. If anything is replaced it will just keep accumulating in my account. It should list each passkey individually and allow me to give a name to each one.
Comment #37912617 not loaded
snvzz, over 1 year ago
As long as I can still use passwords.

I strongly prefer to keep each account independent, so that there's no single point of failure outside of myself.
Comment #37911442 not loaded
danShumway, over 1 year ago
Passkey transfer across ecosystems is still an unsolved problem, Linux support is lacking, Bitwarden's implementation hasn't launched yet, and there are a host of ecosystem issues and caveats that people keep telling me will be ironed out in the future but haven't been ironed out yet. Meanwhile, Amazon botching its rollout is a symptom of the specification not requiring standardized implementations. It's a symptom of the FIDO Alliance just assuming companies will do a good job and won't break everything.

Ideally, this would be the point where the Alliance would step in and say, "okay clearly we need to standardize a lot more because y'all can't handle this much leeway in how you implement the standard." Ideally it would give the Alliance pause about other parts of the standard like attestation where they're also being painfully naive about how corporate implementations will go. But instead, the industry seems intent on barrelling forward with passkeys in their current state anyway.

Passkeys aren't ready to recommend to normal consumers yet. We still have yet to see any proof that the portability and lock-out problems are actually going to be addressed. Words are cheap, talk to me when there is an official spec for transferring passkeys between ecosystems and when adherence to that spec and allowing export is a requirement for certification. Talk to me when the services that allow only linking one passkey are barred from official certification until they fix the problem.

And people say fixes are coming, but nobody in the industry is waiting for them to come. It's not a priority for them. The major companies are showing that they are perfectly willing to recommend a product to consumers in a half-finished state at a point where there is literally no major implementation that allows transferring passkeys between ecosystems and where there are serious caveats around linking passkeys to accounts. So what trust am I supposed to have in that? Don't tell me the FIDO Alliance cares about portability or ease of access; the companies involved do not consider lack of portability and access to be a blocker.

I consider it irresponsible to recommend passkeys in their current state and irresponsible for companies to be rolling out wide support based on the current state of the ecosystem. I've lost a ton of faith in the entire standard because of how advocates have glossed over issues and because of how the industry is currently showing that actual universal access and universal support and real Open implementations are not a requirement and that they're willing to try pushing consumers onto passkeys before those critical problems are fixed. The whole thing up to this point has felt dishonest and pushy and weird.

If the intent from advocates was to build support by papering over the problems, the effect has been the opposite. I'm still aware of the problems, but now I also don't trust the advocates to be honest when talking about the problems. At some point I need to sit down and write up something more detailed about what the timeline has looked like, because I really feel like the conversation around passkeys and the way companies have moved forward with them is a really good example of how to just completely kill consumer trust in a standard that could have theoretically been good.
Comment #37911101 not loaded
Comment #37911480 not loaded
Comment #37911994 not loaded
Shank, over 1 year ago
> especially for those using browsers like Chrome on Mac, where a QR code was shown instead of explaining that a passkey is not available or just skipping passkeys (QR codes still being a major struggle for most consumers)

Chrome on macOS supports passkeys in iCloud Keychain as of M118. Hiding passkeys because users "struggle" with QR codes is, frankly, stupid.
asmor, over 1 year ago
I'm more upset it sets up a resident key, but then doesn't take advantage of not even asking me for my email. Waste of a slot if you use a hardware token.
Comment #37912582 not loaded
8note, over 1 year ago
Website security was recently lampooned by Ryan George: https://youtu.be/5t15a0im-_4