{
  "$type": "site.standard.document",
  "description": "Every time I get pushed to set one up, I lose another life",
  "path": "/blog/passkeys-suck-and-you-should-feel-bad",
  "publishedAt": "2025-11-01T00:00:00.000Z",
  "site": "at://did:plc:fuos6tklyozmefygjota4enw/site.standard.publication/self",
  "textContent": "So I switched to Zen because Arc is dead, and with a new browser comes logging in everywhere again, Annoying but that’s just the motions of these things. Anyway, as I was logging into Google and GitHub I was reminded of Passkeys in the most annoying ways.\nHey Hey? Wanna be more secure? Set up a passkey? No? Okay We won’t let you say no only ‘maybe later’\n\n(Ok to be fair, github does have a checkbox to not ask for this browser)\n\nBut god, I really hate passkeys.\nI was a believer\n\nWhen I first learned about passkeys, I thought they were cool! A Simple way for normal people to not have to deal with passwords. I even started implementing support for them in my own applications and thats when i realized… They were very complicated! That’s not a problem though, that complexity would go down as more libraries were built and I just let it be for then.\nWe can’t have nice things\n\nWhen Google, Microsoft and Apple all want the same thing, It’s usually not a good thing, Maybe passkeys were different yknow? Maybe the big three were actually interested in making your accounts and data safer. uhh.. yeah.. Maybe it’s tinfoil hat time but I can only think of these reasons for why they would be so universally onboard.\n\n- Vendor Lock-in: If they can manage your passkeys, They can make it more difficult to switch to a competitor (For example: Apple stores passkeys in Keychain. migrating this to android/windows is pretty annoying).\n- Complexity Arms Race: Passkeys are inherently complex to implement, This could be a way to make platforms that don’t want to invest time/resources (money) into passkeys seem “insecure” just because they don’t support them\n\nObviously, passkeys also do have benefits! They are less prone to phishing, are easy to use due to browser/system integration and are pretty easy to set up & use. (But these are all things a normal password manager already does! And the main 3 already have these built in too!)\nSo what happens when you.. Lose them?\n\nUnlike passwords, you have to rely on the manager/store to allow you to export them or otherwise read them, When using passwords you will always have access and control over the “key” that is used to access your account, the only downside is that with passwords you’re only allowed one.\n\nwhat happens when your macbook dies and you’re forced to only use your android phone? Well you better hope you have your passkeys set up on your phone too! Otherwise good luck getting into your accounts!\n\nI seriously think this should be a deal breaker for the average person. There is nothing wrong with writing down your passwords. I might get some slack for saying that, but for the average person there really is no problem with writing down the password for your facebook account. The risk of someone coming into your house and stealing your password is basically 0.\nBut passwords are bad!\n\nYeah, I mean. They are. A Single string of characters that for most people ends up being LastnameMarriageYear or MiddlenameBirthday. Which are not great passwords (Please change them if you use these…).. And thats where a Password Manager comes in! I personally use 1Password but there are free ones available too, including the one built into your browser.\n\nThe biggest problem though, is phishing. Accidentally entering your credentials on a website that is pretending to be the actual website. (For example, when you receive a email from Michealsoft that says your account will be deleted TODAY if you do not sign in.)\n\nAnd hey, It happens. All it takes for someone to fall for a phishing attempt is a single absent minded moment where you’re not paying full attention and just.. Make the mistake!\n\nA Password manager here though, gives you an extra chance since it won’t auto-fill your credentials on the phishing website, and might even warn you! This would require you to manually go in and copypaste your username & password, which hopefully will get you to think “hey, why did that not work” before you do paste your details.\n\nSo… How would passkeys fare in this scenario?\n\nWell, exactly the same! Minus the part where you can manually paste your credentials.\nThis is why I don’t think passkeys are a bad idea.\n\nPreventing users in a organization from being able to stick their credentials where the sun don’t shine is a good thing, I think for business accounts limiting your employees to only be able to use passkeys is genuenly very very tempting because you gain the following:\n\n- Phishing Prevention: Physically being unable to hand over your credentials is, well very good.\n- Credential Controls: You can more easily take control of credentials and prevent these credentials from leaking onto personal devices, meaning in the event of a termination you don’t need to worry that sensitive data gets left behind.\n- idk some other business shit: idk, there’s probably a lot of other cool things that business can do with passkeys, I’m a person so I have no clue\n\nBut this is exactly where my main problem with passkeys lie, they are a solution for businesses so stop asking me to set them up for my personal accounts. I Do not want them, I will not use them and please please give me an option to NEVER have to click NO again.\n\nThey are NOT more secure for the average user (me included). they serve no purpose to me, so I will not bother with them.\n\nFuck off google!\nUhm.. So.. Should I use passkeys?\n\nWell… It’s really up to you but i’ve made this small flow chart to visualize it: \n\nSorry for being mean to you passkeys. The conditions of your birth makes us as enemies, maybe in another life we could dance amongst the flowers.\n\nIf you are more technically inclined and think im full of shit or just stupid, please reach out to me and enlighten me on why i’m an idiot. Maybe i’ll reconsider. Maybe.",
  "title": "I don’t like passkeys."
}