Jeff Johnson (My apps, PayPal.Me, Mastodon)

Passkeys: A loss of user control?

May 7 2023

This blog post doesn't have the answers. I'm trying to learn about passkeys, but I don't claim to be an expert. I do have a lot of questions, especially for Apple, because I'm an Apple user and developer. According to Betteridge's law of headlines, "Any headline that ends in a question mark can be answered by the word no." Nonetheless, I want to suggest that the answer to the question posed by my headline might be yes. One thing is painfully clear to me already: the BigCos are coming for our passwords, so passkeys can't be ignored. Google recently wrote about the beginning of the end of the password. Apple has also indicated that it wants passkeys to replace and eliminate passwords. For example, the manager of the Authentication Experience team at Apple has said, "I'm really looking forward to working with all y'all to eliminate passwords and the harm they cause." Even 1Password, with "Password" literally in its name, has written about the passwordless experience you deserve, asking the rhetorical question "If passwords are going away, do I still need a password manager?" and stating "We believe passwordless is the future, and we want to help everyone get there faster." Although the timeline is unknown at this point, the end game is known: the end of passwords, game over.

A passkey, in essence, is nothing but a cryptographic key pair—a public key and a private key—like you would use with ssh. The major difference between passkeys and ssh keys is how they are managed. You can, and should as good practice, generate separate ssh keys for each ssh service that you use, just as you should generate separate random passwords for each web service that you use. It's really not that hard, folks! Just add an entry to your ~/.ssh/config file:

# One entry per service, each pointing at its own key.
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github

However, this is optional, and if you really insist, you can use the same public-private key pair with multiple ssh services. On the other hand, passkeys are always associated with a single web service, never with multiple services, so that's an improvement in security over ssh keys and passwords. There's no reuse, and as far as I know there's no real downside to the lack of reuse, because passkey generation and site association are handled automatically by the authenticator.

So far, so good. So what's the problem? With passwords and ssh keys, I can look at them. I can copy and paste them. I can write them down on a piece of paper. I can import and export them. I can back them up to external storage. Whereas in my testing with macOS Ventura and Safari, none of this is possible with passkeys. In fact, Apple requires you to enable iCloud and iCloud Keychain in order to save a passkey on a macOS or iOS device. You can easily test this for yourself with a demo site.

I hate iCloud and never use it for anything important. I avoided iCloud entirely for a very long time, but I finally caved in to customer demand and enabled iCloud Drive so that I could add iCloud export and import of settings to my web browser extension StopTheMadness and more recently iCloud sync to my new Safari content blocker StopTheFonts. Why do I hate iCloud? It's unreliable, with Apple web services going down not infrequently. It's a violation of privacy, because your device is constantly phoning home to Apple. It's intrusive, because when you enable iCloud, it wants to immediately upload everything—calendars, contacts, documents, mail, messages—from your device to the cloud, without asking first. Whenever you install a new app that supports iCloud, sync gets enabled silently, without your consent; you have to watch your System Settings like a hawk! Sometimes iCloud just seems to enable things for no apparent reason. And if you log out of iCloud and log back in (I've needed to do this for software testing), it forgets your previous settings and enables everything again. (I've filed feedback with Apple about this.) It's wonky. You can't actually trust iCloud to sync correctly. For example, last month I helped my mom update her Mac to a new macOS version, and for some reason iCloud duplicated all of her contacts! It's opaque. You can't see the specific details of iCloud's sync operation, or manage it yourself. This is true of passkeys as well. I looked at the iCloud keychain in macOS Keychain Access, and all I saw for passkeys was a bunch of SOSDataSource-ak files with data that I couldn't access. iCloud is insecure. Apple makes it too easy for criminals to "recover" your Apple ID and seemingly impossible for you to lock down your account voluntarily in a way that would prevent recovery by someone else. (Personally, I never want my Apple ID to be reset without my current password or my cryptographically secure recovery key. My multiply redundant backup routine ensures that I'll never lose these.)

I get the feeling, from how I've seen Apple behave and how Apple employees talk, that Apple has no intention to ever loosen their requirements for passkeys. And to be clear, these requirements are inessential, arbitrary, paternalistic. As far as I can tell, the WebAuthn standard doesn't explicitly require an authenticator to use cloud sync, or forbid manual export of passkeys. Apple's attitude seems to be that users can't be trusted with their own passkeys. My fundamental problem is, I don't trust Apple to manage my passkeys, especially not via iCloud, nor do I consent to subject myself to the requirement of using their cloud services.

What are the alternatives to allowing the operating system to save passkeys? 1Password claims to be shipping passkey support in 2023. However, I don't like 1Password either. It used to be good, way back in the day, but I stopped using it many years ago when 1Password version 4 removed Mac keychain support, effectively making it 2 passwords instead of 1 password. The product has only gotten worse since then, with the company taking VC funding, forcing users into their cloud service just like Apple, and adopting "subscription" payments—more accurately, software rental—which I hate.

You can save passkeys on a separate hardware peripheral such as a YubiKey. I bought a YubiKey for a Google account when Google required two factor authentication for Chrome Web Store developers. (StopTheMadness used to be in the Chrome Web Store before Google eliminated the store payment system.) I hate using a YubiKey too, because it's so inconvenient. Every time I need to log in, I have to dig the YubiKey out of a drawer. And since last year when I bought a new MacBook Pro without any USB 2 ports, I also have to get a dongle just to plug in my YubiKey. Am I supposed to bring the YubiKey and USB dongle with me everywhere I take my laptop? The whole thing seems to be a bit of security theater too, because the YubiKey is not keyed to my biometrics, so anyone in physical possession could touch the button to authenticate. In any case, passkeys in YubiKeys are not copyable, so the backup problem still exists with this method of saving passkeys.

The people driving the adoption of passkeys are mostly big tech companies and banks. I'm not convinced that they have my interests at heart, and "user freedom" is not likely to be in their vocabulary. They're more than happy to lock you into their ecosystems and set all of the rules for how you can live in the computing world. There are real problems with passwords, of course, but I fear that the elimination of passwords will mean the elimination of freedom, and lead to a passkey police state, as it were.

What's the solution? As far as Apple is concerned, I would be satisfied if passkeys could be saved in a local, non-iCloud keychain, as normal keychain items with support for export and import. Ideally, the export format would be cross-platform, and I don't see why it couldn't be cross-platform, given that passkeys are just public-private key pairs tied to a domain. In that case, I would be happy to eliminate web passwords, since I already use randomly-generated, keychain-managed web passwords that can't be memorized (by me). Unless and until Apple provides such a solution, though, I remain extremely skeptical of passkeys and feel inclined to fight back against the notion of replacing and eliminating passwords.

Addendum
After the publication of this blog post, some statements were made on Mastodon by the aforementioned manager of the Authentication Experience team at Apple. (Once again, the power of blogging demonstrated! Thanks to the Hacker News commenter who linked to these statements.)

Passkeys will be importable and exportable, cross-device, and across passkey managers. They aren’t at this time, but they will be. It’s something that’s being defined and designed.

That's great news! I do wonder why passkeys shipped in iOS and macOS without this export and import, but at least passkeys haven't reached critical mass yet. I look forward to seeing the proposed solution.

And amazingly, me saying this isn’t news. Some companies and folks are already on the record about this. :)

Well, it's news to me, as someone who follows tech news closely! I wish there were links here to the record, or clarification of which companies and folks were on the record. Did these companies and folks include Apple and Google?

Addendum 2

On further reflection, I don't find the above response as satisfying now as it appeared on first impression. Specifically, there was no mention at all of Safari's iCloud keychain requirement for saving passkeys. It's one thing to say, "Of course you can migrate from Apple's passkey manager to a different manager, so you're not locked in!" But that wasn't my primary concern as a longtime Apple user. I don't want to switch to another platform, or to a third-party passkey manager. I just want Safari to allow me to save passkeys to a non-iCloud keychain, and continue to use those passkeys for logging into web sites in Safari. If that's not on the table, then export is largely irrelevant to me. I don't want to have to export from iCloud keychain, which would defeat the whole point of avoiding iCloud in the first place. My main complaint was the iCloud requirement, and if Apple is going to say, "As long as you're using our passkey manager, you have to use iCloud, but you're free to use a different passkey manager," that wouldn't address my concerns. It's a dismissal of my concerns.
