Google Chrome 136 automatically upgrades your accounts to use passkeys

&gt; Allow sites and apps to upgrade existing accounts to use passkeys<p>Is &quot;upgrade&quot; the right word here?<p>I think it&#x27;s becoming a term that is supposed to mean &quot;make things better&quot; but is now used to let a business force things you don&#x27;t want&#x2F;need&#x2F;like on you.<p>In terms of passkeys, it would seem to take something portable you remember like a password and convert it to google password manager lockin.

I do sort of like the concept of passkeys, especially being able to throw them into my password manager. However a lot of sites I&#x27;ve encountered that implement them have decided that presenting a passkey can basically bypass MFA. I get that you&#x27;d have the passkey ideally protected by some MFA or biometric anyways, but I still like to have both forms of auth separated as much as possible.

The &quot;not a fan of passkeys&quot; link toward the bottom is a great read [1].<p>It mentions: <i>As far as Apple is concerned, I would be satisfied if passkeys could be saved in a local, non-iCloud keychain, as normal keychain items with support for export and import. Ideally, the export format would be cross-platform, and I don&#x27;t see why it couldn&#x27;t be cross-platform, given that passkeys are just public-private key pairs tied to a domain. In that case, I would be happy to eliminate web passwords, since I already use randomly-generated, keychain-managed web passwords that can&#x27;t be memorized (by me). Unless and until Apple provides such a solution, though, I remain extremely skeptical of passkeys and feel inclined to fight back against the notion of replacing and eliminating passwords.</i><p>[1]: <a href="https:&#x2F;&#x2F;lapcatsoftware.com&#x2F;articles&#x2F;2023&#x2F;5&#x2F;1.html" rel="nofollow">https:&#x2F;&#x2F;lapcatsoftware.com&#x2F;articles&#x2F;2023&#x2F;5&#x2F;1.html</a><p>Would it be possible&#x2F;viable for a third party to release such a piece of software? Does one already exist?

Holy shit, this could actually cause people to get permanently locked out of their accounts, depending on how the website is configured. Imagine not knowing your login credentials are stored in Place A and then you delete Place A, unwittingly deleting your only login along with it.<p>This is already a worrisome possibility with security keys -- if you have Windows Hello enabled, the dialog you get when adding a security key to an account <i>might sometimes</i> be to add it to your TPM, but it&#x27;s not clear that&#x27;s what Windows is asking so you might put your creds on your CPU while thinking that they&#x27;re going on the Yubikey; imagine what happens then when you upgrade your computer?<p>Users need to know where their logins are stored. Making these things &quot;transparent to the user&quot; in the name of ease of use (treating users like toddlers) is the wrong approach. I realize the average user doesn&#x27;t understand the technical side here, but that just means we need to do better as devs and designers, not throw in the towel and make decisions for the user.

I use Firefox for passwords and my employer wants me to use passkeys which requires an authenticator app.<p>Now, the passkeys require me to set default password app a stye authenticator,so i can&#x27;t use Firefox passwords elsewhere.<p>My ideal solution would be to have an option to go to Firefox for passwords while passkeys go to the authenticator app.<p>Second best would be Firefox could store passkeys locally on device<p>Has anyone been able to make both the passkey autu and Firefox (or any other) work together

Maybe this would be somewhat sane if it&#x27;s only handling automatically generated passwords that have <i>never</i> been viewed in the UI. But I doubt that.