aside: The whole issue of passwords and permission...
# devlog-together
g
aside: The whole issue of passwords and permissions is a huge UX issue that deserves a long discussion on of-end-user-programming. Users should be allowed to just use a device without being forced to answer a bunch of questions about technical issues and needing to keep a bowl full of anti-anxiety meds nearby. Imagine if my refrigerator required me to perform some ritual before allowing me to put my recently-bought lettuce into the crisper.
i
Have you seen the work being done on Passkeys?
(Addresses passwords, doesn't address permissions)
k
I don't really understand them. Like, where do they lie on the spectrum between something you know and something you have?
a
> Imagine if my refrigerator required me to perform some ritual before allowing me to put my recently-bought lettuce into the crisper.
haven't lived w/ a roommate? I recall those days, and would have killed for a password to keep my food mine 😛
i
@Kartik Agaram purely something you have
a
Except isn't it also tied to your provider's account you control in most realistic scenarios too? Having some level of access to an account substitutes for having an actual physical thing. (this isn't strictly necessary, but seems to be how every consumer-facing provider of them is keeping their grips on their customers)
i
Oh yeah! Right. So yeah, you know your device password, and you have your device.
a
or you know someone else's account password and can activate your device on it! 😱
(that's a scenario I've seen people try to set up as soon as they got access to passkeys -- you can debate whether such sharing is a good idea or not, but you're not going to stop people from trying to)
So, for most people it reduces to "whatever level of security you have on your (Apple|Google) account, but no more"
k
Follow-up question: under what scenarios are passkeys better than OAuth?
I think I understand. OAuth is a way to delegate user accounts to say Google. Passkeys are a way to delegate auth to Google independent of where the user account lives.
a
Not necessarily... passkeys aren't meant to or required to specifically provide delegation at all
But realistically 99% of users are going to get them and use them via the default support in android or iOS, which then ties to that account
In an ideal world a passkey could be tied permanently to a single hardware device, and backup/recovery be strictly out of band.. but that's not a feasible solution for the unwashed masses, so Apple and Google's implementations tie it to the service account so that you can migrate it to a new device
(at least that's my understanding of what they've announced... I don't have an iOS device at all and haven't specifically experimented with passkey on Android)
k
Now I'm thinking about this insight I had from a few months ago, which seems relevant: https://merveilles.town/@akkartik/109485586724177657 In general I'd trust Apple as a provider for this, but not Google.
a
One advantage here is that just using a passkey linked to a Google account doesn't necessarily have to grant any access to that account... The passkey itself is sufficient, and the account is just used to back up/restore/replicate it
Again I'm not familiar with the specific implementation, but I would expect that Google is totally out of the actual authentication loop and has no linkage either way with a third party service that just happens to use the key
k
That's a good point. Decouples authorization from authentication, as Ivan pointed out up top.
My toot is still relevant in a narrow way: there's always some chance of Google cancelling your account for opaque reasons with zero accountability. So to trust your passkey with them you'd have to really trust the backup/recovery flows. And that's always a challenge. Testing backup/recovery scenarios is annoying and time-consuming. In general my prejudiced opinion here is that passkeys are another vector to keep us hooked on our big tech accounts. Which, I don't use anything Apple but I'd trust Apple with. But Google or something lesser like GitHub, forget about it. Just my opinion of course, as I'm trying to think about passkeys.
a
they don't have to be that way... the system was designed so it wasn't necessary to do that, but I agree that's absolutely how they're going to handle it from what I've seen
I really wish proper hardware FIDO/WebAuthn keys were just a little bit easier to manage yourself
...but that backup scenario that the tech giants can make easy is exactly the pain point in doing that.