Microsoft Confirms Password Deletion for 1B Users

248 points, posted by elorant, 5 months ago

48 comments

iandanforth, 5 months ago
Passkeys are a terrible idea. They are security theater and a disaster for users waiting to happen.

Imagine you're on vacation and have lost your phone. You want to go to a cafe and log into a chat app, an email service, whatever to contact your family. In the world that passkey advocates want this is impossible via the passkey flow. If you can't authenticate via a primary device that contains your private key, you're f-ed. Service providers know this so of course they will provide recovery mechanisms. (Not consistent recovery mechanisms of course, each will have their own convoluted and likely to be broken ones). If the recovery mechanism allows for knowledge based recovery (challenge questions) then you're basically telling people that they need N passwords rather than one password. Maybe that challenge question is just a long password (recovery key). Maybe it requires access to another system, which you likely don't have in this circumstance. So you're either back to having passwords, or you're f-ed. Security theater or a disaster.

A service only has value if I can access it. I should be able to sit down at any computer in the world with the knowledge in my head and get access to any online service to which I subscribe.
015a, 5 months ago
The software industry has *zero* concept of how much pain and suffering passkeys are going to cause the average person, almost entirely because the average American has an iPhone and a Windows laptop and there's literally nothing built-in to iOS or Windows that will sync passkeys between these two devices. The world's most popular password managers are Excel and Apple Notes, in that order; these apps do not support Passkeys.

Passkeys are not going to happen, and it's the industry's fault. It's a bad standard that solves some problems the industry itself has, by creating more problems for consumers. If you force consumers to move to only-passkeys, you're going to lose customers, and it might not even be their choice, you're just making the decision to lock people out.
jsnell, 5 months ago
Blogspam for https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/

The title is inaccurate. Microsoft doesn't actually "confirm password deletion for 1B users". They confirm it for millions. They have a concept of a plan for getting >billion people on passkeys as an auth factor, and will be able to get some of them to go passkey-only.
fbnlsr, 5 months ago
The problem with passkey is that it's obscure for the common folk.

I'm a developer, yet for some odd reason I'm having a hard time understanding passkeys. Are they synced between devices? Do I need to set up a passkey per device? What happens if I have a single passkey on my phone and it gets lost? Do I lose access to that service?

So many questions that need a clear and concise answer.
mgulick, 5 months ago
I think technical people understand the mechanics of using Passkeys, having them backed up to multiple devices etc, but there's no way my 70 year old father is going to be able to understand that. He barely knows the difference between the computer login and his gmail login. My parents are also not wealthy enough to have Apple take care of all of this for them. He has a hand-me-down Linux laptop because all he needs is Google Chrome. Thankfully I've been able to teach my parents to write down their passwords in a password book.

I can't tell you how many times I've asked my father "what's your google password" and he says "I don't have a google password". I like the idea of eliminating passwords, but inevitably his phone is going to break or his computer is going to crash and he needs a way to recover.
AstroJetson, 5 months ago
If I install all my private-passkeys onto my phone, then I have a new problem of Lost, Stolen, Broken to deal with. I’m device agnostic, I want to get to my account from my phone, tablet, laptop, desktop, all I’m doing is spreading the exposure out by needing to install passkeys everywhere.
addicted, 5 months ago
I haven’t dug into this but I must be missing something with passkeys.

It’s the same issue I had with getting a Yubikey.

The odds that I lose a piece of hardware that I’m carrying on me seems orders of magnitude greater than the odds of having my password cracked.

How does one recover from a lost device (other than backing up to Apple’s private cloud in which case you’re beholden to them forever to be able to access your own accounts).
gwbas1c, 5 months ago
> Passkeys not only offer an improved user experience by letting you sign in faster with your ... PIN, but they also aren’t susceptible to the same kinds of attacks as passwords.

I don't know about you, but a PIN is pretty much a password in my book.

Once I figured out that I can use a password with Windows, I stopped using my PIN. (I didn't use Windows for about a decade.) It's much easier to remember.

Even worse, on Windows, I'll only use passkeys on sites where I can use a Yubikey. If the passkey requires a PIN, I don't bother. I just can't be bothered to remember it.

Otherwise, on Mac, my passkey supports my fingerprint sensor. Much easier.
avhception, 5 months ago
I'm really skeptical about passkeys. This blog post talks about it in detail:

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

Also discussed on HN at the time: https://news.ycombinator.com/item?id=40165998

I think I'm fine with my U2F / WebAuthn devices as second factor, thanks.

(Edit: to be clear, I'm not the author of said blog post)
porridgeraisin, 5 months ago
> And once that’s done, the data suggests there will be no turning back:

> Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).

> 99% of users who start the passkey registration flow complete it.”

I suspect this is because primarily tech oriented folks use passkeys today, and they are fairly unlikely to have trouble logging in with any method.
thedanbob, 5 months ago
If Microsoft really wants to push passkeys, why do they require Microsoft Authenticator for passwordless accounts? I already have a passkey set up and I'd be perfectly happy to delete my password, but I can't because I don't want yet another authenticator app exclusively for an account I barely use.
boohoo123, 5 months ago
"Passwords are no longer safe, the future is passkeys. Thus you can log in with face, touch or a PIN"

PIN - a personal identification number (aka a password)

This is one of those times where there is usually an ulterior motive behind this decision. Most cases in the form of power and/or control.
drawfloat, 5 months ago
Until they are successfully explaining how to use these in a way that 70 year olds on eBay can understand, this should not be forced on users.
kazinator, 5 months ago
So Microsoft blocks password attacks. A blocked password attack will never be successful. And they have to block a measly 7,000 of such attacks per second across the entire organization.

Wow ... how *not* to convince me that passwords are a problem.
wkat4242, 5 months ago
Passkeys are good *but* giving my access keys to big tech (Google, Apple, Microsoft) is not acceptable to me.

There are other passkey implementations and you can even use regular yubikeys as a passkey. But the problem is, many idiot sites block these implementations. PayPal for example only allows it in Chrome or Safari.
myflash13, 5 months ago
How do I back up my passkeys? I can print out a hard copy of passwords and even 2FA code generator strings, but I haven’t seen an easy way to export and import passkeys. This is a problem.

If it were as simple as printing out a list of QR codes or URL strings I would be happy, but so far no password app I know of supports this.
figassis, 5 months ago
I really just want passkeys to exist for a decade and all lockout/lock-in edge cases to be resolved before I retire my password manager, and before I tell my mother to move to passkeys.
Havoc, 5 months ago
Is there a good ELI5 for passkeys somewhere? A quick google got me to a site that says:

> Passkeys use Bluetooth technology, which requires physical proximity, to help verify the user.

Which I somehow doubt is accurate.
atonse, 5 months ago
I’m all for alternatives to passwords but what is the pathway for “I lost passkey”

Is it sending a reset to a recovery email?
Tistron, 5 months ago
so OTP with the seeds backed up somewhere, and then passkeys on the devices I use often?

Seems like this will also be difficult for a lot of non-technical ppl. Though I guess not much worse than forgotten passwords?

In Scandinavia we have authenticators tied to the banking system (MitID in dk and BankID in sv), where if you lose it, you can get it renewed by going to your bank, or you can have a special hardware device at home that helps you renew it. Does this exist other places? These are used on more and more sites around here, where your real identity is important (everything utilities, banking, insurance, banking etc).
dcchambers, 5 months ago
If you are comfortable using a cross-platform app like 1password, then passkeys *can be* a pretty great user experience even across ecosystems.

But Passkeys have a huge problem: They assume you will never have your device(s) stolen or broken or otherwise made inaccessible.

What happens if you're out of the country on holiday and your phone/laptop gets stolen and you need to log into your account(s) from a brand new device? You're mostly shit out of luck if you use passkeys. Especially because most people's backups/account recovery is a google email or icloud account which...requires you to have a known device handy to access them or set them up on a new machine.
eviks, 5 months ago
> Passkeys not only offer an improved user experience by letting you sign in faster with your face, fingerprint, or PIN,

Just like with a password manager

> Plus, passkeys eliminate forgotten passwords and one-time codes.”

Again, can't forget what's stored in a password manager
physicsguy, 5 months ago
I use Bitwarden. I don’t mind passkeys ending up there. But I want them all in there. I find the UI/UX is really poor with browser extensions, etc. and preferentially trying to use the OS’s password manager to store passkeys.
richjdsmith, 5 months ago
My mother has been using it because "now [she] only needs to enter her 4 digit computer pin instead of her long Bitwarden password"

Unfortunately she is unwilling to change her Windows pin to anything other than the PIN she uses everywhere else.

This has not improved her security at all. Before she switched it from what I assume was a Microsoft prompt, she had (through a bit of coaching from me) been fine with Bitwarden + TOTP
apitman, 5 months ago
A lot of the arguments I'm seeing against passkeys are essentially that they are worse for power users who already have a password manager. But they're not mutually exclusive. I've been using bitwarden to store some passkeys. The UX is excellent. Everything is seamlessly synced across Linux, Android, and Windows.

I do worry a bit that using a passkey tends to disable MFA requirements, so basically anyone with access to my bitwarden vault can log into those services.
gavinhoward, 5 months ago
One thing passkey proponents forget is password-authenticated key exchanges (PAKEs).<p>PAKEs use passwords, and they are unphishable. That is the direction we should go to avoid vendor lock-in.
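The property gavinhoward's comment relies on (a PAKE uses a password, yet a server that does not hold that password gets nothing out of the exchange) can be seen in a small SPAKE2-style construction. This is an added example for the comment above, not code from the thread, from Microsoft, or from any PAKE library. It assumes a self-generated 128-bit safe-prime group (a toy size chosen for the demonstration, far too small for real use) and blinding constants M and N derived by hashing into the group; those names, the seed and the sample passwords are all constructed for this example.

```python
"""Toy SPAKE2-style PAKE (added example; not a vetted implementation).

Both sides derive the same key only when they share the password. A server
that does not know it (the phishing case) ends up with a different key, and
the captured client message is consistent with every password guess, so it
gives an offline attacker nothing to test guesses against.
"""
import hashlib
import hmac
import random
import secrets

# Small primes for trial division ahead of Miller-Rabin.
_SMALL_PRIMES = [2] + [p for p in range(3, 1000, 2)
                       if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

def _is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin with witnesses seeded from n."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits, seed=20241212):
    """Return (p, q) with p = 2q + 1 both prime; a fixed seed keeps the demo stable."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(128)  # assumption: toy-sized group, far too small for real use
G = 4  # a square, so it generates the order-Q subgroup of quadratic residues

def _hash_to_group(label):
    """Subgroup element with an unknown discrete log (hash, then square)."""
    return pow(int.from_bytes(hashlib.sha256(label).digest(), "big") % P, 2, P)

M, N = _hash_to_group(b"toy-spake2-M"), _hash_to_group(b"toy-spake2-N")

def _password_scalar(password):
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % Q

class Party:
    """One side of the exchange; role is 'client' or 'server'."""

    def __init__(self, role, password):
        self.role, self.w = role, _password_scalar(password)
        self.x = secrets.randbelow(Q - 1) + 1  # ephemeral secret
        self.mask, self.peer_mask = (M, N) if role == "client" else (N, M)
        # On the wire: ephemeral public value, blinded by the password.
        self.msg = pow(self.mask, self.w, P) * pow(G, self.x, P) % P

    def finish(self, peer_msg):
        """Strip the peer's blinding with our password, then derive the key."""
        unmasked = peer_msg * pow(self.peer_mask, -self.w, P) % P
        shared = pow(unmasked, self.x, P)  # g^(xy) only if both used the same password
        t = (self.msg, peer_msg) if self.role == "client" else (peer_msg, self.msg)
        return hashlib.sha256(b"|".join(str(v).encode() for v in (*t, shared, self.w))).digest()

def confirm_tag(key, role):
    """Key-confirmation tag so each side can prove it derived the same key."""
    return hmac.new(key, role.encode(), "sha256").digest()

def run_exchange(client_password, server_password):
    """True iff the server accepts the client's key-confirmation tag."""
    client, server = Party("client", client_password), Party("server", server_password)
    client_key, server_key = client.finish(server.msg), server.finish(client.msg)
    return hmac.compare_digest(confirm_tag(client_key, "client"), confirm_tag(server_key, "client"))

def offline_guess_consistent(captured_client_msg, candidates):
    """Phisher's view: strip the blinding for each guessed password and check that
    the residue is a valid subgroup element. Every guess passes, so the captured
    message cannot be used to rank or reject candidates."""
    hits = []
    for pw in candidates:
        residue = captured_client_msg * pow(M, -_password_scalar(pw), P) % P
        if pow(residue, Q, P) == 1:
            hits.append(pw)
    return hits
```

Calling `run_exchange("correct horse", "correct horse")` returns True while `run_exchange("correct horse", "phisher guess")` returns False, and `offline_guess_consistent` returns every candidate it is given: the wire message is blinded by the password, so a fake server learns only that the client holds some password, not which one, which is the unphishable property the comment refers to.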
tomjen3, 5 months ago
Passkeys are an excellent way to lock yourself into your current device and out of your accounts if you ever move away.
swozey, 5 months ago
I'd appreciate it if they let me block specific countries, etc from even attempting to log in. You can see the failure attempts somewhere in your user settings and I have them all day long from countries I'll never step foot in and quite a few adversarial.
Wowfunhappy, 5 months ago
> Signing in with a passkey is three times faster than using a traditional password

Unless I'm using a password manager.

> Users are three times more successful signing in with passkeys than with passwords (98% versus 32%).

With my password manager, I almost never fail to sign in. Admittedly, the autofill does mess up on some websites and then I have to spend a few seconds fixing it.

On the other hand, I am pretty darn skeptical that only 2% of users with passkeys have trouble signing in. Are they not counting the people whose passkey accidentally got deleted, or who are on the wrong device, since those people (by the nature of passkeys) could not even attempt to sign in?
jmclnx, 5 months ago
Unless this is 100% free, easy and no PI, I will tell people to move to Linux
koolba, 5 months ago
> 99% of users who start the passkey registration flow complete

What about the flow where 99% of users don’t know how to back up and restore passkeys and get permanently locked out of their accounts?
choeger, 5 months ago
And passkeys only work with Microsoft OS, Microsoft Browser or some other thing that Microsoft controls?

Not that I would ever imply that Microsoft has anything other than our best interests in mind...
agentultra, 5 months ago
Aren't passkeys centrally hosted? So if MS gets breached or decides I don't matter they can just lock me out of my life if I host my passkeys with them?
Nifty3929, 5 months ago
https://www.microsoft.com/en-us/security/blog/2024/12/12/convincing-a-billion-users-to-love-passkeys-ux-design-insights-from-microsoft-to-boost-adoption-and-security/
2Gkashmiri, 5 months ago
I don't get it. How is changing

What you know then what you have then what you are

To passkeys any better? Sure you can't hack them but what happens with losing your phone?
hedora, 5 months ago
I can’t say I’ll care all that much when they delete my MS account password, but LinkedIn and GitHub are going to be more painful.
theyknowitsxmas, 5 months ago
Border security and thief's wet dream.
hooverd, 5 months ago
The FIDO Alliance can eat it until they support exporting passkeys and stop passive-aggressively threatening, "why don't we talk about this privately" anyone who tries to implement that.
water-data-dude, 5 months ago
Wait.

“In the two years since passkeys were announced and made available for consumer use, the FIDO Alliance reported a few weeks ago, “passkey awareness has risen by 50%, from 39% familiar in 2022 to 57% in 2024.”

I don’t think that math works? Am I misinterpreting something?
galleywest200, 5 months ago
My company uses Azure SSO so I am curious if this is just coincidence... but just this morning I had two (2!) separate desktop support technicians reach out to me today asking if I got my passkey set up for the company portals.
dp-hackernews, 5 months ago
adversary-in-the-middle == MITM
trinsic2, 5 months ago
Great and the solution is passkeys.. we're fucked.
kotaKat, 5 months ago
"Convincing a billion users to love passkeys"

Microsoft's "convincing" is just going to be more months of casual user assault, abuse, and gaslighting with no way to just say "no".
lausbub, 5 months ago
What are passkeys?
xyst, 5 months ago
I honestly don’t care about the “passkey” revolution. I use a password manager that generates a unique password for every service for a reason. Then secure it with 2FA (either with TOTP or emailed magic link), if available.<p>I think I have used a digital passkey a few times to try it. Works okay, I guess.
loeg, 5 months ago
When will Hacker News adopt passkeys?
tialaramex, 5 months ago
From the HN pushback I think this will end up like IPv6. I get to have nice things and some others likewise - many people get to repeatedly say "Nice things are impossible" and roll their eyes. I guess they're having fun in their own way?

It's nice when we build a no-brainer technology which gets adopted at scale by default, as happened for TLS 1.3, or even when other motives overwhelm the instinctive conservatism (e.g. Let's Encrypt) but that can't always happen and it looks like for WebAuthn the conservatives are going to stick by passwords "From my cold dead hands" etc.

One problem with HN in particular is that there are a lot more decision makers here, so more people whose conservatism means they're going to build, promote and demand worse solutions since the better option is in their minds impossible. That's unfortunate, it means there's a good chance that over the next years I'm going to be using more important services which have terrible authentication on account of somebody senior said "Passwords are good, we should require passwords" and anybody disagreeing was hushed or worse fired. So that's not great, but it is what it is.

Anyway, for the few people who get why this is a good thing but understandably don't trust Microsoft (or Apple, Google, Facebook, I dunno, Epic Games?) I have a suggestion: All of this technology also works fine with a Security Key, which is a thing you can buy from Yubico (or several other outfits, but Yubico is easiest if you have no idea what you're doing) for like $25. And if you - like me - use Security Keys those "But what if I lose it?" questions can be answered by Technology Connections' favourite: The magic of buying two of them.
jeisc, 5 months ago
the only secure device is turned off