
DHH Argues Against Passkeys

David Heinemeier Hansson:

Yes, passwords have problems. If you’re using them without a
password manager, you’re likely to reuse them across multiple
services, and if you do, all it takes is one service with awful
password practices (like storing them in plain text rather than
hashing them with something like bcrypt), and a breach will mean
hackers might get access to all your other services.

But just because we have a real problem doesn’t mean that all
proposed solutions are actually going to be better. And at the
moment, I don’t see how passkeys are actually better, and, worse
still, can become better. Unless you accept the idea that all your
passwords should be tied to one computing ecosystem, and thus make
it hard to use alternative computers. […]

Bottom line, I’m disappointed to report that passkeys don’t appear
worth the complexity of implementation (which is substantial!) nor
the complexity and gotchas of the user experience. So we’re
sticking to passwords and emails. Encouraging opt-in 2FA and
password managers, but not requiring them.

Passkeys seemed promising, but not all good intentions result in
good solutions.

I don’t have strong feelings about passkeys, but I am vaguely unsettled by them. There’s no way to use passkeys without using a proper password manager, like Apple Passwords with iCloud Keychain, or 1Password. But if you’re using a proper password manager, your passwords should all be unique and random, and you should have convenient access to 2FA codes. So what’s the point of passkeys if they can only be used by people who are already using a good password manager? Perhaps the thinking is that too many users just can’t be budged from the risky habit of using passwords they have memorized, and passkeys are a way to break that habit because they can’t be memorized.

Also, I really dislike the practice of replacing passwords with email “magic links”. Autofilling a password from my keychain happens instantly; getting a magic link from email can take minutes sometimes, and even in the fastest case, it’s nowhere near instantaneous. Replacing something very fast — password autofill — with something slower is just a terrible idea. For people who actually prefer email magic links, it’s fine as an option, but it shouldn’t be the default, and it certainly shouldn’t be the only way to sign into an account.
