Introducing passkey support to Fastmail

It&#x27;s good to have options but... I hate passkeys. Here is why:<p>1. Passkeys are device dependent. That means you need to have more devices and be tied to your existing devices. For a lot of people, that means even tighter phone dependence.<p>2. Even if you don&#x27;t use a phone to store your passkeys, they promote vendor lock-in, because you need to rely on Apple, Google, or some other cloud-keychain system to store your passkeys.<p>Tech companies love passkeys, not because it makes your life better, but because it entrenches people further into relying on their systems. People will love passkeys because it appears simple and makes passwords a thing of the past.<p>But there&#x27;s a tradeoff: more dependence on advanced technology are major tech corps. Let me ask you this: suppose you want to go phone-free and big-tech company free. Or you lose your phone and computer overseas. If you only use a passkey, then you&#x27;ll have to grovel back to Apple or Google to log into your fastmail. Tech corps love that.<p>This is just one step to make people tied to big tech, and so it seems harmless. But it is part of an overall procedure to integrate us so tightly (free Google docs, log in with Google&#x2F;Apple&#x2F;X is another of many), so that we can&#x27;t function on our own any more, or choose any company we like any more.

What are people’s thoughts on the UIX of a sign in page initially with only a single username input?<p>In my view, it is a backwards step. First, I can’t do username &lt;tab&gt; password &lt;enter&gt;. Secondly, with auto fill, it requires two clicks to sign in.<p>I can understand it for Microsoft login where push notification login is an option. Otherwise, I’m not sure it is a great design pattern.<p>I would prefer a regular sign in page, with a button to sign in with passkey (which also does not require username input).

I like and use fastmail but I&#x27;m yet to hear any sort of convincing argument why passkeys are better for me in any way, shape or form than passwords (with a password manager)?

Long time Fastmail customer. Not sure why all the hate on here. More options is never a bad thing and great to see you&#x27;re still making product improvements.<p>Seeing as Fastmail peeps are reading this, can we _please_ have a native android app. The function I really need is to be able to rely on quickly showing emailed pdf tickets knowing the app won&#x27;t try and reload and stall waiting on data connection. I try and load in advance but generally switching back results in a page reload. This is my far my greatest annoyance.

But even with passkey you have:<p>- a password, which still can be brute forced if done authentication service doesn’t play nice<p>- resets still need to work somehow<p>The only good thing about it is that you will know which auth device is used for a session and that you don’t need 2fa afaict. Unfortunately most information about sessions and attempts isn’t communicated by 99% of the services

One of the most common platform combos on the planet (Chrome + Windows) still doesn&#x27;t natively support cloud sync for passkeys apparently? <a href="https:&#x2F;&#x2F;support.google.com&#x2F;chrome&#x2F;answer&#x2F;13168025" rel="nofollow">https:&#x2F;&#x2F;support.google.com&#x2F;chrome&#x2F;answer&#x2F;13168025</a><p>Is that true?

Could someone point to a description of how the passkey protocol actually works? I mean for example at the level of, here&#x27;s how you would implement it using a crypto library in Python or some other language.

How about they fix their long-standing security issues first. Particularly their DMARC is set to &quot;p=none&quot; which is essentially disabled at a time large providers are mandating properly functioning DMARC. Anyone can spoof email account of other Fastmail users (1). Their #1 job is email, yet Fastmail has poor security scores still in 2024 (2). MTA-STS should be enabled for any competent email host.<p>(1) <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=18997054">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=18997054</a> (2) <a href="https:&#x2F;&#x2F;www.hardenize.com&#x2F;report&#x2F;fastmail.com&#x2F;1723612173" rel="nofollow">https:&#x2F;&#x2F;www.hardenize.com&#x2F;report&#x2F;fastmail.com&#x2F;1723612173</a>

I like passkeys - as a second factor

Tangential: Email spamming is out of control. My fucking hair salon wants me to add 2 factor authentication, and still sends me emails with an OTP. Login and guess what? They’ll send you moar emails to fucking confirm it’s me.<p>Guys, we are destroying the internet in the name of safety and security.<p>I want no GDPR bullshit, I want a simpler and risky experience. I am OK with losing my hair salon account and its history. Don’t care.

Using the same device,Fastmail never asks for a password except when doing sensitive actions (like adding an email account).<p>There are a lot of words here, this is an SEO bait, rather than a product update.