95 points by ColinWright 2 days ago | 31 comments
dontTREATonme 2 hours ago
My first experience with passkeys was eBay. They implemented them 3-4 years ago, and my password manager, Dashlane picked up on it. They offered to save it and I wouldn’t have to enter a username or password. Great, seemed to work. Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work. After having like 6 different passkeys for eBay I gave up. Now I always decline to use passkeys. They don’t work, idk who uses them but as a fairly tech savvy user, without a very complex setup (chrome, with Dashlane installed) if it’s not working for me it’s probably just not working.

I’ll also add. I don’t have a good mental model for what a passkey is or how it works. And again, like most users if I don’t really understand what’s going on I’m just not gonna bother with it. For all the complexity that it takes to implement secure login with a username and password, most of it is hidden from the user, with passkeys it feels like they’re shoving all the complexity front and center, but not explaining any of it.

lucumo 24 minutes ago
> Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work.

I'm not sure whether that has changed since years ago (when you last tried), or whether that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.

> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.

It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.

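The challenge-response lucumo describes, written out as an added Go example (this is not code from the thread or from any password manager mentioned in it). The relying party example.com, the user's devices and the look-alike domain are constructed for the example. It goes a little beyond the comment: the server keeps one public key per registered passkey, so one account can hold several (one per device or person), the browser binds every login to its origin, and the server refuses a reused assertion. The private key never leaves the authenticator; it produces a signature over the challenge and the public key checks it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed relying-party identity for this example, not a real deployment.
const rpID, rpOrigin = "example.com", "https://example.com"
var b64 = base64.RawURLEncoding

// clientData is built by the browser, which fills in origin itself; the page cannot lie about it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser returns to the server after the user approves.
type Assertion struct {
	CredID                              string
	ClientDataJSON, AuthData, Signature []byte
}

// Server is the relying party: one public key per registered passkey, so an account may hold several (one per device or person); it never sees a private key.
type Server struct {
	creds   map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string]bool              // issued challenges, each usable once
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Register stores a public key; for brevity the credential ID is the encoded key (real authenticators pick an opaque random ID).
func (s *Server) Register(pub ed25519.PublicKey) { s.creds[b64.EncodeToString(pub)] = pub }

// Challenge issues 32 random bytes that exactly one login attempt may consume.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // since Go 1.24 crypto/rand.Read cannot fail; it aborts the process instead
	s.pending[b64.EncodeToString(c)] = true
	return c
}

// Verify runs the relying-party checks: single-use challenge, known credential, ceremony type, origin, rpIdHash, user presence, signature.
func (s *Server) Verify(a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	pub, fresh := s.creds[a.CredID], s.pending[cd.Challenge]
	delete(s.pending, cd.Challenge) // any attempt, good or bad, consumes it
	if pub == nil || !fresh || cd.Type != "webauthn.get" || cd.Origin != rpOrigin {
		return fmt.Errorf("rejected: unknown credential, stale challenge, wrong ceremony, or origin %q", cd.Origin)
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(a.ClientDataJSON)
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) || a.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("authenticator data is not for %s or lacks user presence", rpID)
	}
	if !ed25519.Verify(pub, append(append([]byte{}, a.AuthData...), cdHash[:]...), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Authenticator maps relying-party ID -> private key; a syncing password manager carries this map on every device, a hardware token holds it alone.
type Authenticator map[string]ed25519.PrivateKey

func (a Authenticator) Create(rp string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if crypto/rand does
	a[rp] = priv
	return pub
}

// Assert signs a challenge for rp, the relying-party ID the browser derived from origin; a look-alike domain yields a different rp and finds no key.
func (a Authenticator) Assert(rp, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a[rp]
	if !ok {
		return Assertion{}, fmt.Errorf("no passkey registered for %q", rp)
	}
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", b64.EncodeToString(challenge), origin})
	rpHash, cdHash := sha256.Sum256([]byte(rp)), sha256.Sum256(cdJSON)
	authData := append(rpHash[:], 0x01|0x04, 0, 0, 0, 0) // flags UP|UV, then signCount 0
	sig := ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	credID := b64.EncodeToString(priv.Public().(ed25519.PublicKey))
	return Assertion{credID, cdJSON, authData, sig}, nil
}

func main() {
	srv, phone := NewServer(), Authenticator{}
	srv.Register(phone.Create(rpID))
	asrt, _ := phone.Assert(rpID, rpOrigin, srv.Challenge())
	fmt.Println("login:", srv.Verify(asrt), "| replay:", srv.Verify(asrt))
	_, err := phone.Assert("examp1e.com", "https://examp1e.com", srv.Challenge())
	fmt.Println("look-alike origin:", err)
}
```

The look-alike case fails twice over: the browser derives the relying-party ID from the page it is actually on, so the authenticator has no key to offer, and even a signed response carrying the wrong origin is refused by the server. Because only public keys are stored, a breach of the site's database yields nothing that logs anyone in.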
_Algernon_ 40 minutes ago
The only way passkeys make sense is in terms of vendor lock-in. If you stick with a single vendor (i.e. Google or Apple) to manage them for you, it kinda works if you ignore edge cases (e.g. how to recover if your phone breaks).

So the motivation for why big tech wants them is clear. They've just not managed to make a compelling case for why anybody else should want them.

The only way passkeys become a widespread thing is if they force the issue by removing password authentication, and I don't see that happening any time soon.

AJRF 1 hour ago
I have a degree in computer science, 10 years experience in some complicated fields and I can’t figure out PassKeys.

They are woefully designed and implemented, wish we just cut our losses with them and stopped pushing them.

Tuck them away in settings, not on the default login path.

kjuulh 30 minutes ago
I felt the same when implementing OpenID connect flows according to spec. It uses the browser in creative ways ;) Especially the device flow, absolutely insane complexity for what it is.
escapecharacter 46 minutes ago
CVS keeps pushing them for their pharmacy login. So annoying.
sydbarrett74 1 hour ago
Agree. The UI/UX is atrocious at present. The concept has flaws, but IMO it substantively raises the floor security-wise.
teekert 39 minutes ago
I think Proton Pass just stores one key for all devices? Not even sure! But it does work anywhere without the experience you had: I go to a website I have saved, it pops up, I click and am logged in.

Not sure if Proton does the device specific stuff under the hood (and hides it well), or if they are abusing the system by simply sharing the private key over all devices? (That is misuse right?)

I too, have no idea.

rafaelmn 28 minutes ago
I think your problem is Dashlane. I had to use it for one corporate gig and oh my god was it the worst password manager I used - UX and stability wise.
djvdq 1 hour ago
I don't have this problem. I'm using passkey probably on only 1 website (github) but it's working without any issues on all my devices. Maybe it's a password manager issue? I'm a bitwarden user
qwertox 47 minutes ago
Well you have your passkey stored in Bitwarden, which may weaken its security, since it's a software-only solution.

The idea of passkeys is that they are supposed to be tied to a hardware device. And this leads to very odd situations, like Chrome asking Windows to authenticate, and Windows having to ask for the passkey on an Android phone.

I migrated to Bitwarden around 3 weeks ago and now Chrome is no longer asking Windows to authenticate, but Bitwarden. But then Bitwarden doesn't have the passkey, so it will offer to delegate to Windows, which will in turn reach to the Android phone, unless it's one which is stored in Windows.

These are the kinds of problems which arise, and for a 75 year old senior who never dealt with all this crap, this is nothing but a huge annoyance, because they simply don't understand what's going on. It was easy with username and password.

What I liked the most was username+password and a Yubikey for OTP. And for whatever can't use a Yubikey, or where I no longer want to deal with one, I've moved to app-based OTP. And now I'm starting to get forced to move to passkeys, which annoys me a bit because things are no longer so clear.

jeroenhd 19 minutes ago
> The idea of passkeys is that they are supposed to be tied to a hardware device.

No, not really. That was more of a U2F/WebAuthn concept. Passkeys are intentionally permitted to be attached to accounts.

You can use hardware bound tokens as passkeys if you prefer, of course. However, that approach has led to a huge amount of people getting locked out of their accounts because they lost their Yubikey or reset their phone.

There are implementation improvements to be made, for sure, especially on Windows. However, that same 75 year old also won't know to look in Edge's password manager when Bitwarden says it can't find a password for a given website.

And let's be honest, that 75 year old won't be using Bitwarden or a password manager anyway, their password will be NameOfGrandkid2003 despite being told to pick a different one after the last time their account got taken over.

I wish I could use passkeys more often but when websites offer 2FA of any kind, it'll be through TOTP, and usually without providing any recovery codes either. TOTP and email+password aren't going away.

wasmitnetzen 16 minutes ago
Do you have a source for the hardware-tied design? Neither the specs[1] nor Wikipedia[2] say anything about Authenticators being hardware-only as far as I can see. The specs even specifically talk about Clients (ie browsers) storing passkeys.

[1]: https://www.w3.org/TR/2019/REC-webauthn-1-20190304/#sctn-aut...

[2]: https://en.wikipedia.org/wiki/WebAuthn#Reasons_for_its_desig...

jeroenhd 17 minutes ago
That's not a passkey problem, that's Dashlane being very weird about passkeys. There's no way that isn't a bug.
ExoticPearTree 58 minutes ago
Looks like a Dashlane problem from what you are describing.

Since I use a Mac, I will refer to my MacOS experience: Keychain and now Passwords will sync passkeys via iCloud to any other device. The end result is that you only have one passkey. Pretty seamless experience.

avhception 44 minutes ago
There is no way I will sync all of my credentials onto other peoples computers.

Trust issues aside, is there a way to get those passkeys out of there?

Suppose you want to switch from iCloud to whatever else, can you export and import those passkeys?

wkat4242 1 minute ago
No, this is part of the problem. They're using passkeys to build their walled gardens. So lock in is a feature not a bug.
jeroenhd 27 minutes ago
I don't think iCloud has exports for secrets like that (and that's not just restricted to Passkeys).

Other tools do, though, like KeepassXC or any other password manager really.

N_Lens 45 minutes ago
Yeah I'm on Mac/iPhone as well and was scratching my head at the "multiple passkeys" comment.
richardw 1 hour ago
Interesting. I’m only a user of them but not had one second of trouble. I save them on my device in the native saving place (iOS/mac) and it just works. I didn’t know this issue existed and I’d like to avoid it. Is the issue when you save them in a password manager?

I have Bitwarden for personal and now 1Password for work, so might hit the issue at some point.

ashdksnndck 2 hours ago
Nowadays I use the passkeys with my password manager and everything works across multiple devices. I’ve never been presented with a list of passkeys to select from.
sydbarrett74 1 hour ago
I’ll second this. A combo of KeePassXC (desktop), KeePassium (Apple), and KeePass2Android plus manually synching my .kdbx file makes the passkey experience relatively smooth for me.
gbil 4 minutes ago
> KeePass2Android

It doesn't support passkeys yet, so I'm surprised you mention it, because this is what I'm waiting for to get full cross-device support (for me) and start using passkeys.

https://github.com/PhilippC/keepass2android/issues/2099

dale_huevo 1 hour ago
So you need three different applications and manually moving around files to achieve a "relatively smooth" experience? I don't think this is the endorsement you think it is.
emptysongglass 46 minutes ago
KeePass is a community project, Bitwarden is not. These are just client applications that sync and interact with the .kdbx file the community has formalized a standard on. That's why Bitwarden has a unified client application ecosystem and KeePass does not.

You don't understand KeePass, which is fine, but please don't make bad assumptions like these if you don't understand the underlying reasons for why a thing is the way it is.

It's like calling out why there are two dozen email clients that speak IMAP.

dale_huevo 33 minutes ago
Uh I know what KeePass is and how it works. The proposed "smooth" solution is - at best - clunky and inconvenient. You've missed the forest for the trees.

> You don't understand KeePass, which is fine

Haha this is so hilariously smug and condescending I have to wonder: are you the real-life Comic Book Guy?

sydbarrett74 6 minutes ago
I should’ve clarified: I consider it relatively smooth for a technical user.
Al-Khwarizmi 1 hour ago
Glad to know I'm not alone. My story is more or less the same (except without password manager). One day I was logging into my ancient Yahoo mail account that I use mostly for unimportant/throwaway things and spam, and I was offered a passkey. I accepted. Next time I logged in I was on a different computer (I regularly use 4-5 computers apart from my phone) and it didn't work. Later, on the original computer, it didn't work either... I guess because I updated something or whatever, no idea, I didn't bother to find out. I'm back to the password now, after having logged in successfully with a passkey exactly zero times after setting it up.

I also don't have a good mental model of how passkeys work. I could get informed. But why should I bother? I'm a busy person. Passwords have worked for me for more than 25 years, and passkeys seem much more fussy and inconvenient (what if I'm traveling and connecting from a random computer in a hotel/airport? I imagine I'll be expected to do something with my phone, as modern cybersecurity seems to be based on trusting everything to the phone (if it gets stolen, bad luck), but what if I have no battery?). I guess I'll have to find out if they force them on us, but if I (a CS PhD and professor) have to actively find out in order to use them, it's going to be chaos with regular users.

jbverschoor 1 hour ago
Exactly my experience. The mental model is easy once you understand that it’s just a key on your device/app.

It’s just really hard to wrap your head around the fact that this is the actual implementation, with so many drawbacks given most people have 2+ devices, and different OSes to provide it.

I won’t use them.. although I’d have loved to use them.

When they work they work, but I can’t trust them completely, so what’s the point? There’s no difference with a password, except that the sign-in process can be streamlined when everything works.

Al-Khwarizmi 1 hour ago
I suppose they refer to a more detailed mental model. For example, I know that it's a key in my device, but I don't have a detailed enough model to know if it will work if transferred to another device or stored in the cloud, or what I'm supposed to do at a cybercafe/hotel/airport/borrowed computer. So my mental model is not good enough. With passwords, the answers to questions like that are obvious.
stavros 47 minutes ago
If you think there's no difference between a password and a passkey, that kind of tells me you don't really know a lot about passkeys, so it makes sense you'd think they're just worse-implemented passwords.
dale_huevo 1 hour ago
The downfall of passkeys is that - as was inevitable - they are horrifyingly implemented webshit.

For example, nearly every visit to my Amazon orders page I am now greeted with a nearly full screen modal browser popup letting me know about passkeys and why I should switch to them RIGHT NOW. I politely declined - the first thousand times. I don't know if this is a site or browser issue and frankly I don't care anymore. It's spam at this point and I want nothing to do with it.

My hesitancy was rooted in concerns about potential issues, pretty much what you just described, so glad to know I was right.

Seems like passkeys use a very simple model where you are using a single device with a single browser or are somehow syncing across devices with some cloud service - and from your description it sounds like that doesn't even work.

No thanks - I'll stick with passwords. Did everyone forget about hardware tokens which are device and OS-independent and rely on no external infrastructure?

littlecranky67 55 minutes ago
Don't forget that a per-device passkey is the wet dream of any $MEGACORP wanting to track your habits. Which is another reason why it is a no-go for me.
ano-ther 2 minutes ago
It’s also annoying that MS requires a personal account for backing up the Authenticator data to iCloud to "provide an additional layer of encryption".

That description makes little sense, and at least they could honor my paid business subscription (and back it up to there if they don’t trust iCloud).

jonathanlydall 22 minutes ago
For those who may not have read the article fully, Microsoft's existing traditional password management on mobile devices is not becoming unavailable, but is being moved from the Authenticator App to Microsoft Edge.

I had this warning show up in the iOS Authenticator app like last week or something and it guides you through changing your iOS settings to instead use Edge as a password manager. As Edge is my browser of choice on my Windows PC and I already had it installed on iOS, this was a very minor inconvenience for me.

It's worth mentioning that even though I almost exclusively use Safari as a web browser on my iOS device, when filling in passwords on websites it seamlessly allows you to use any iOS configured password manager including Edge.

It's definitely a little weird that you now require Edge to also be installed for essentially the same functionality, and Microsoft might be doing it to try to push people to install Edge.

sydbarrett74 4 minutes ago
I think you’re right about Edge being the real play here. MS wants to increase Edge adoption and dig at Google. Passkeys are a pretext.
RHSeeger 4 hours ago
I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

- I want to be able to share passwords for accounts with my family (some, but not all of them)

- I want to be able to load up my login information from whatever device I am currently working on; my phone, my home computer, my work computer, my wife's phone, etc

- I don't want to risk my phone breaking and losing access to all my accounts

Something like 1Password or Bitwarden fits all of that perfectly.

Avicebron 4 hours ago
> see a compelling argument for passkeys

It's tied to vendor lock-in. Which increases the ability of companies who develop certain technologies for the masses to increase the friction of interacting with things outside of the ecosystem. The argument is that if a user is unable to use an alternative, by hook or crook they will pay increasingly high subscriptions to access the services provided by that ecosystem. This increases a number on a spreadsheet, the only true compelling argument one could say.

re 3 hours ago
> It's tied to vendor lock in

If you're referring to the inability to transfer passkeys across systems, that should be improving soon.

https://blog.1password.com/fido-alliance-import-export-passk...

https://arstechnica.com/security/2025/06/apple-previews-new-...

ls612 3 hours ago
As long as the passkey spec includes remote snitching (attestation) your keepass open source alternative will exist only because big tech allows it, and it will end when big tech demands it. The entire import/export standard is a red herring.
ortekk 8 minutes ago
It's sort of happening already. Members of FIDO are threatening to block KeepassXC users [0] from logging in, unless KeepassXC complies with FIDO demands regarding specific implementation.

[0] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

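What "attestation" hands a relying party in practice, as an added Go example (not code from the thread, from FIDO or from KeePassXC). During registration the authenticator data carries a 16-byte AAGUID that identifies the authenticator make and model; a site that wants to can keep an allowlist of AAGUIDs and refuse everything else, which is the lever the two comments above are talking about. The AAGUIDs, the relying-party name example.com and the credential bytes below are constructed. The attestation signature and certificate chain that would prove an AAGUID genuine are not verified here; only the attestation format name is consulted, so with a real deployment the "packed" branch would additionally have to check that chain.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// WebAuthn authenticator data: rpIdHash[32] | flags[1] | signCount[4], then, when the AT
// flag is set, attested credential data: aaguid[16] | credIdLen[2] | credId | COSE key.
const flagAT = 0x40

type Registration struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
	AAGUID    [16]byte // identifies the authenticator make/model
	CredID    []byte
	COSEKey   []byte // CBOR-encoded public key, left opaque here
}

// ParseAuthData decodes the fixed header and the attested credential data.
func ParseAuthData(b []byte) (Registration, error) {
	var r Registration
	if len(b) < 37 {
		return r, errors.New("authenticator data shorter than 37 bytes")
	}
	copy(r.RPIDHash[:], b[:32])
	r.Flags, r.SignCount = b[32], binary.BigEndian.Uint32(b[33:37])
	if r.Flags&flagAT == 0 {
		return r, errors.New("registration without attested credential data")
	}
	rest := b[37:]
	if len(rest) < 18 {
		return r, errors.New("truncated attested credential data")
	}
	copy(r.AAGUID[:], rest[:16])
	n := int(binary.BigEndian.Uint16(rest[16:18]))
	if len(rest) < 18+n {
		return r, errors.New("credential ID runs past the end of the data")
	}
	r.CredID, r.COSEKey = rest[18:18+n], rest[18+n:]
	return r, nil
}

// UUID renders the AAGUID in the 8-4-4-4-12 form that vendors publish.
func (r Registration) UUID() string {
	a := r.AAGUID
	return fmt.Sprintf("%x-%x-%x-%x-%x", a[0:4], a[4:6], a[6:8], a[8:10], a[10:16])
}

// Policy is a relying party's allowlist: AAGUID (as UUID) -> label. An empty
// policy admits every authenticator, which is what most consumer sites do.
type Policy map[string]string

// Admit applies the policy. attFmt is the attestation statement format the
// authenticator sent ("none", "packed", ...). With "none" nobody has signed
// the AAGUID, so an allowlist cannot rely on it and must refuse.
func (p Policy) Admit(r Registration, attFmt string) error {
	if len(p) == 0 {
		return nil
	}
	if attFmt == "none" {
		return errors.New("allowlist needs a verifiable attestation, got fmt=none")
	}
	if _, ok := p[r.UUID()]; ok {
		return nil
	}
	return fmt.Errorf("authenticator %s is not on this relying party's allowlist", r.UUID())
}

// BuildAuthData assembles registration data the way an authenticator would
// emit it; used only to make sample input so the example runs offline.
func BuildAuthData(rpID string, aaguid [16]byte, credID, coseKey []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x01|0x04|flagAT, 0, 0, 0, 1) // flags UP|UV|AT, signCount 1
	out = append(out, aaguid[:]...)
	out = binary.BigEndian.AppendUint16(out, uint16(len(credID)))
	return append(append(out, credID...), coseKey...)
}

// Constructed AAGUIDs for two imaginary authenticators; not real vendor values.
var (
	vendorKey  = [16]byte{0xa1, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
	openSource = [16]byte{0xb2, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
)

func main() {
	strict := Policy{(Registration{AAGUID: vendorKey}).UUID(): "VendorKey (constructed)"}
	for _, id := range [][16]byte{vendorKey, openSource} {
		reg, err := ParseAuthData(BuildAuthData("example.com", id, []byte("cred-1"), []byte{0xa5}))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s  open policy: %v  strict policy: %v\n", reg.UUID(), Policy{}.Admit(reg, "packed"), strict.Admit(reg, "packed"))
	}
}
```

Run as is, the open policy admits both constructed authenticators and the strict one admits only the allowlisted vendor; the same strict policy also turns away any registration that arrives with attestation format "none", which is the only format an authenticator that declines to identify itself can offer.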
rantallion 2 hours ago
On one side of the pond, we have the EU's Digital Markets Act to protect consumers. It has teeth and it's already being used to ensure consumers have choice.
holowoodman 12 minutes ago
Not so sure that EU bureaucrats will understand and fix that problem. With NIS2, they let the IT-security-crapware lobby dictate draconian and mostly stupid security laws. Could be that the security-paranoid part of the bureaucracy overrides the consumer protection part in that case.
zombot 34 minutes ago
But only in the EU. You can already see iOS behave differently depending on which side of the pond you're from.
t_mann 3 hours ago
You can do all of those using Passkeys in Keepass, e.g. through KeepassXC, including import/export. However, Keepass applications have already been flagged as non-compliant for this reason. What you also currently can't do afaik is use them on mobile.
darkwater 2 hours ago
> I have yet to see a compelling argument for passkeys that is strong enough to overpower its negatives.

> - I want to be able to share passwords for accounts with my family (some, but not all of them)

This, but for another reason. To all those "I can do this with Keepass/Bitwarden etc", how can you share your Netflix password with your parents 100 miles away to use it in their smart TV? You cannot and will never be able to do it. Yes, passkeys improve security in some contexts but also tighten the grip of service providers.

Freak_NL 2 hours ago
Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

I doubt streaming services are looking to make passkeys the only way to authenticate devices though. Too much competition, and too many valid use cases for use outside of a personal device.

jjani 1 hour ago
> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

Like the millions of "terms of use" breached by the exact trillion dollar companies pushing for passkeys (Google, Microsoft) while training their AI models? Sounds like terms of use are entirely irrelevant in the first place.

littlecranky67 53 minutes ago
Terms of use != laws. ToS are very often overruled by laws in a lot of jurisdictions. Saying anything that violates ToS should not exist as a free/public standard is corporate speak, and not in the interest of the consumer.
wkat4242 0 minutes ago
See what happens if I get caught downloading movies.

Then see what happens if meta downloads an entire library and trains their AI with it.

darkwater 1 hour ago
> Since sharing Netflix passwords is a breach of their terms of use, that's not really a compelling argument.

Since when "you are not supposed to do it" works? :) Most videogames cannot be freely copied or modified/tampered with, according to their ToS; still, companies implement draconian DRMs/anticheat to block people from doing it anyway. This is the same situation.

porridgeraisin 1 hour ago
> breach of their terms of use

I mean, it was an example. Replace it with an amazon account and the argument remains the same.

RataNova 2 hours ago
Right now, passkeys feel like they solve Google's and Apple's problems more than users
vanviegen 4 hours ago
I think a password manager like bitwarden still meets all of those criteria when it's managing passkeys for you.
thayne 3 hours ago
But companies like Google, Microsoft, and Apple have a vested interest in making third party tools like bitwarden not work as well, or not at all on their platforms.
jeroenhd 30 minutes ago
Bitwarden works just as well on Android. In fact, it's even easier when it comes to managing multiple passkeys per domain. And yes, that includes CTAP2 logins ("scan a QR code with your phone to log in").
ChadNauseam 2 hours ago
iOS and Android both have APIs for plugging in custom password managers into password entry fields in every app, and for using passkeys with those custom password managers. I use 1password on my iPhone and my Android and it integrates perfectly with both. I agree that those corporations have an interest in making those tools work poorly to stop you from leaving the platform, but they seem to have done the right thing and put some effort into allowing them to work well.
ashdksnndck 2 hours ago
iOS third-party password manager integration has gotten better over the years. It went from nonexistent, to half-working but constantly pushing me to use iCloud passwords instead, to allowing third-party to be the default once I set it up and never mentioning iCloud passwords to me during normal use.
close04 2 hours ago
If blocking this integration will ever be in their interest (I can't say much about this though), then they'll just tighten the grip as soon as passkeys are the norm and other auth methods are deprecated. It's always easy to invoke generic or obscure "security" reasons, even if it means creating the problems themselves so they come with the solution just in time.
microflash 3 hours ago
I do use Bitwarden to store passkeys and it works across devices just fine.
Ferret7446 1 hour ago
> I want to be able to share passwords for accounts with my family

No you don't, you want to share access, and the only way you can do it with passwords is by sharing the password itself. With passkeys you can have each person register their own passkey.

blendergeek 1 hour ago
I want to be able to share access without permission from Microsoft
Ferret7446 15 minutes ago
Huh? Microsoft doesn't own passkeys. I think you have a completely incorrect understanding of passkeys.
wkat4242 2 minutes ago
What a dick move. I don't want to use edge, it's a terrible browser. And most sites don't support passkeys.

I'm glad I don't use Microsoft crap but use everything self hosted so I can decide for myself what I want.

meindnoch 1 minute ago
Microsoft continues its war against its own users.
joeblubaugh 5 hours ago
And people complain about Apple being paternalistic.

If you’re already saving passwords in an app, you’re being more secure than most users. A forced move to passkeys seems nuts when not all systems support them yet.

I’m also still concerned that passkeys seems more likely to fail the average user when they break or lose a device, compared to a decent password.

smolder 4 hours ago
They used to complain about that 10 years ago, but Apple was just ahead of its time. Microsoft saw the light and is racing down that path. Soon enough, no computer without user-defeating secret logic and remote ownership will be allowed to interact with important networked applications. Linux users will either need a tainted Linux variant or not have access to banking, streaming (already a problem), games, and so on.
hansvm 4 hours ago
And still, the entire bank account is still vulnerable to a $15 silent borrowing of your phone number for a day, bypassing all normal protections. The system is only harder to access for the rightful owner.
krior 4 hours ago
How would that attack work?
VoidWhisperer 3 hours ago
SIM Swap attacks are what they are referring to, I think.
m3galinux 3 hours ago
Or SS7 attack to intercept SMS messages, no SIM swap required.
throwaway290 4 hours ago
It is already required to buy an approved terminal to participate in society. This may seem a bit of a joke in some countries but in many places it is absolutely real.

The next step in progress is to bake in functionality that can guarantee interested parties that it is you operating the terminal at all times.

jgerrish 3 hours ago
You're probably right. We'll have enforced boot chains and attestation for devices if we want to take part in large parts of our economic system in the future. A ton of important systems like banking, safe and secure sex worker and entertainment sites for users and performers, government services like online taxes and car licensing and drivers testing* and children-safe sites.

Over twenty years ago, many of us warned about the dangers of increased and unaccountable intelligence service power. We saw what the Patriot Act would create.

We joined the EFF and the ACLU, or renewed our memberships. Organizations at the time that focused more on actual deep philosophical issues and how they relate to our political world.

Obviously the Patriot Act has saved lives. Terrorist events and neglected victims are tragic and VERY emotional.

But today, immigrants and others are spending their own lives protesting the actions of ICE. Their own very limited time on this planet.

I'm not here to judge Immigration and Customs Enforcement. I'll take flak for that among liberals. Again, I'm not judging ICE. In many cases they've been falsely accused where there was clear evidence they weren't at fault.

No, what bothers me is immigrants, who already have difficult lives, and Generation Z, who have less economic security themselves, are the ones marching in the streets.

Twenty years from now, who will be working extra unaccountable and unbillable hours protesting in the streets because the DRM and secure computing systems being pushed through today are abused?

Even if most of that abuse is a show, meant to divide citizens and law enforcement. There are people out there working for free for that show.

Who will work more in the future?

And like not judging ICE, I'm not judging the countries racing and battling to deploy secure computing environments. Knox and TrustZone and TPM and whatever new things await us in the future. There are reasons both for safety and economic security I don't judge.

And there are dark patterns around software supply chain weaknesses and online safety and incentives to accelerate those issues to push through security architectures.

Other countries are doing it. I hate the fucking game theory solutions that it encourages.

But what I'm worried about is this: in twenty years, who will be working for free because our secure computing environments are found unfair?

And unfair can be many things. Governments push values, even when it's not explicit. When I'm using my integrated cyberdeck or implants or just ambient room device, what am I missing? What is being pushed into or out of my vision or awareness?

That's twenty years in the future, what's forty years in the future? I won't be here, but you bet your ass I'm worried. Because the people who I fucking care about now working their asses off for free are being blinded about the upcoming digital wreck, like they were in 2001.

* I believe myself here, that's key.

Groxx 4 hours ago
Also next to impossible to write down to give to someone else.

This (or by phone) is how I've transferred: all family accounts, all small community accounts, some business accounts, many friend-shared accounts, and it's also how some people ensure accounts can be accessed if they die. It's not a small problem.

jrockway 4 hours ago
Yeah, I think people will lose their passkeys a lot. I think companies are happy to provide another service ("passkey syncing") that you will pay for for life. Back In The Day you could be a freeloader by remembering your passwords like a nerd. No longer. The loophole is closed!

That said, passwords are actually so bad that anything would be an improvement over them. While a stealable passkey vault sync'd to your malware-infested Windows laptop is not ideal for security, it's sure better than typing your bank password into your favorite forum because you don't understand that website administrators can see your password when you type it on their site. (Not to mention phishing.)

jeroenhd 9 minutes ago
Apple, Google, and Microsoft already do passkey sync for free. They don't do exports, though. However, there are various third party solutions for synching passkeys that aren't tied to your computer manufacturer.

I don't think passkeys are going to replace passwords any time soon, and I don't think freeloaders are even part of the equation here. You can share a passkey through Bitwarden just as easily as you can share a password.

Freeloaders already need to jump through hoops to share passwords and even then they're getting off easy; if streaming companies actually cared about catching freeloaders, they could stop the practice altogether. What they're doing now is just signalling to them that you're not supposed to and adding very minor annoyances to the mix.

RataNova 2 hours ago
Until recovery and multi-device support are seamless across ecosystems, forcing this kind of shift just adds friction
sedatk 5 hours ago
This is very bold because passkeys haven't been the smoothest ride so far. There are many inconsistencies in implementations among platforms. For example, many websites use passkeys as an alternative sign-in option, and let you keep your password login. So, you remain susceptible to phishing despite having a passkey on your account. Recovery flows are inconsistent too.

I applaud Microsoft because a big player had to go all-in into passwordless authentication. I'm sure it won't be painless, but it might push others to adopt the approach eventually.

grahameb 5 hours ago
There's still a dearth of support in commonly used open source backend frameworks, too – and, at least after looking a bit the other day, I couldn't find much in the way of documentation on the standard flows. I was hindered a little in searching by SEO spam from various companies offering APIs to deal with users/passkeys for me as a service.
aniviacat 1 hour ago
Bypassing SEO spam is the core use case of LLMs (with search function) for me. It's so nice to just get a (relatively) concise answer immediately.
umanwizard 5 hours ago
Absolutely bonkers if true. The #2 thing you don’t want a password manager to do (after, of course, leaking your passwords) is deleting your passwords!

Hopefully this will entice people to switch to 1Password, but I’m pessimistic — it will most likely just convince people not to use password managers at all.

FinnKuhn 37 minutes ago
As I understood it from the announcement in the App itself the password will still be available but through the Edge App instead.

No idea who thought of this bad idea. Now I gotta move them all to Apple passwords or something else.

LeoPanthera 4 hours ago
I hope they don't switch to 1Password. I switched away from it after their new Electron app repeatedly failed to autofill passwords in Safari - a basic function.
Quarrel 50 minutes ago
While not quite switching to 1Password, the latest Win 11 build includes:

> We have partnered with 1Password to bring users a seamless plugin passkey provider integration in Windows 11.

After other details, at least it does go on to:

> If you are a credential manager developer, we invite you to integrate with Windows 11 to support customers in their passkey journey. To find out more about implementation detail, go to https://aka.ms/3P-Plugin-API.

The full info:

https://blogs.windows.com/windows-insider/2025/06/27/announc...

Brian_K_White 3 hours ago
KeePass ffs, not 1Password
execat 4 hours ago
What's their end game here?

What is Microsoft gaining from their push to passkeys? They knew this was going to piss off a lot of people, but they went ahead with it anyway. That makes me believe there's something else at play.

My experience with passkeys has been worse than my Bitwarden password autocomplete, so needless to say I'm sticking with my regular passwords in my Bitwarden (I know Bitwarden has passkey support. I don't want to use it).

hakfoo 4 hours ago
I suspect it's another step in the push to make the mobile device the centre of digital identity. (Yeah, it might support some standalone key devices, but nobody's giving Joe Sixpack a Yubikey)

The one with far more data gathering capability and generally less robust ability for the end user to assert control over it, and which is generally tied to a service contract that in many countries requires identity verification.

tacticus 4 hours ago
That would require all the Microsoft auth platforms to allow you to use YubiKeys or similar instead of forcing you into MS Authenticator only by default.
jdmoreira 3 hours ago
Microsoft Authenticator supports YubiKeys.
RataNova 2 hours ago
Feels like they're betting big on being seen as a leader in "passwordless" security
ocdtrekkie 3 hours ago
So in business Microsoft cloud land, not using Microsoft Authenticator specifically is basically impossible. You have to shut it off four different ways even if you have an alternative solution already configured.

I think centralizing control is absolutely the core play for them.

withinrafael 5 hours ago
The simpler version is that Microsoft Authenticator--a mobile app that provides 2FA--is discontinuing its password autofill feature and the passwords stored/used with that will be wiped in August unless action is taken, as has been communicated for a while now.

More information: https://support.microsoft.com/en-us/account-billing/changes-...

TiredOfLife 42 minutes ago
"Your saved passwords (but not your generated password history) and addresses are securely synced to your Microsoft account, and you can continue to access them and enjoy seamless autofill functionality with Microsoft Edge"
djrj477dhsnv 5 hours ago
If I can't export the private key to my own backup solution, I don't want it.
akho 3 hours ago
Password managers sync passkeys just fine. If you use one of those, the benefit of passkeys is that some sites skip their SMS 2FA if you use a passkey. The downside is that you can only use them from your own devices, where you have the app/extension.
jeroenhd 7 minutes ago
I don't think skipping 2FA is a benefit. Sure, replace SMS with passkeys or TOTP or literally anything else, but don't actually take away my second factor, please!
Analemma_ 5 hours ago
This response fundamentally misunderstands what passkeys are, and it feels like a cargo-cult copy-pasted answer for outrage points rather than one that is really considered. The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them.
recursive 4 hours ago
What passkeys are isn't something that most people want.

I prefer passwords precisely because passkeys have achieved their design objectives. They are just not objectives that I share.

comex 4 hours ago
No, passkey export is intended to be a thing and is becoming a thing. I'm not sure if Microsoft has implemented it yet but here is Apple's version:

https://mobileidworld.com/apple-introduces-cross-platform-pa...

freeone3000 4 hours ago
Someone should tell Apple; they’ve been cloud-syncing passkeys for years.
AlotOfReading 4 hours ago
And yet people still need to share authentications between different devices (or people) and back them up for recovery purposes. If you're expecting only what you're saying, you'll find yourself simultaneously disappointed at how low the uptake is in the real world and how many major implementations (e.g. Apple) have a vastly different security model.
WarOnPrivacy 4 hours ago
> And yet people still need to share authentications between different devices (or people)

Absolutely. The problem with narrowly targeted security measures is they are a poor fit for nearly everything.

whatevaa 4 hours ago
No, their point is that they are absurdly long and not phishable. Point b is not practical for mass uptake, as hardware devices get broken/lost/stolen all the time. And no, only nerds will have multiple ones.
ChromaticPanic 4 hours ago
If that means I lose access to my accounts if my device dies on me, then hard pass.
CamperBob2 4 hours ago
Sounds like the sort of thing that will lock me out for any of a dozen different reasons.
subarctic 4 hours ago
Ya, really what you want is your passwords saved in an encrypted vault that you can copy from device to device for backup. If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services to create a new passkey for the new device, that sounds terrible.
WarOnPrivacy 4 hours ago
> If passkeys are really one per device and you have 100 passkeys from 100 different services, and moving to a new device requires accessing each of those 100 services ....

I'm typing this on my Firefox remote app. Everything is cached in it. It runs in a VM at home.

I suppose I am simulating having just one device.

Brian_K_White 2 hours ago
Everyone else: don't do this
stoltzmann 56 minutes ago
Why not? It actually sounds like the best way to use passkeys and still have control over them.
hulitu 4 hours ago
> The whole point of passkeys is that they are a) one per device

Hm, so then I need one for my account and one for every device where I use this account.

> and b) stored on the device's secure enclave, where in theory you're never supposed to be able to export/exfiltrate them, only validate them

I heard that the new "device's secure enclave" is the cloud.

charcircuit 4 hours ago
One per device you want to authenticate with. So for example you can use your phone to do the authentication for many other devices you own.
porridgeraisin 1 hour ago
And if I want to share the credentials with my parents who I may not always be available to?
charcircuit 1 hour ago
You can either share your passkey physically, or you can add one of their passkeys to your account.
cyberax 4 hours ago
> The whole point of passkeys is that they are a) one per device and b) stored on the device's secure enclave

This is literally the opposite of what Passkeys are.

rambambram 43 minutes ago
Wherever I work, IT departments expect me to install MS Authenticator on my own smartphone. To authenticate myself to MS so they can authenticate me to the organisation that already has seen my passport and my driver's license. No thanks...
simonw 5 hours ago
I'm confused. Is this a Windows-exclusive thing? As an iPhone and Mac user is there anything I need to do?

There is an app in the iPhone App Store called "Microsoft Authenticator" - is that what this story is about or is there a Windows feature with a confusingly identical name?

munchler 5 hours ago
Yes, they're talking about a mobile app used for two-factor authentication. It doesn't run on Windows (or Mac). If you don't have this app on your phone, you don't need to worry about it.
abawany 3 hours ago
IME some MS shops enforce use of it for 2FA to access company resources like VPN etc. - e.g., the only reason this app exists on my phone is so I can log into my employer's VPN.
WarOnPrivacy 5 hours ago
I occasionally run into small biz employees running the mandated MS Authenticator (biz O365) on their personal devices. This makes me sad.

I'm trialing Winauth for some remote-only users. So far I'm happy with having the authenticator on Windows desktop.

ref: https://github.com/winauth/winauth

adastra22 4 hours ago
What is sad about that?
anotherhue 5 hours ago
ehh... for just one well behaved app I think it's tolerable.

It's about where I draw the line though.

WarOnPrivacy 4 hours ago
Most every bit of online Exchange and O365 (+the ever-changing, ever-growing stack of MS policy/admin/security panels) is overkill for 10-20 users who need mail, Outlook, Word, Excel (no substitutions).

It's a massive hydra and its most dependable output is onerous requirements. And the more of those we heap upon light-duty users, the more reasonable it becomes to circumvent them.

In this scenario Winauth is how we placate the unreasonable overlord.

hokkos 2 hours ago
I never ever succeeded in making a passkey log in after generating one.
jakub_g 2 hours ago
One thing unclear:

While I understand they want to transparently replace passwords with passkeys for websites that support it, what happens with passwords for websites that don't support passkeys?

Also, if someone sleeps over this, they will just lose their passwords to random websites and have to go through account recovery flows?

jeroenhd 4 minutes ago
If you install Edge, you can keep using the synced passwords. They're only disabling password autofill for their authenticator app, they're not throwing your passwords away.

The app has been warning about this for a while now. This might catch someone off guard if they only use the app once a year for something bureaucratic, but I doubt a credential like that will be stored in Microsoft's authenticator app.

raphael_l 3 hours ago
Slightly off topic, but the Microsoft Authenticator app on iOS is - in my opinion - probably the worst-designed app by a large corporation. Nothing in there works the way you'd expect it to work.

And my absolute favorite thing was when it itself got in the way of seeing the 2FA code for a modal entry and you had the option on the screen to hide the modal for 10 seconds in order to remember the number underneath…

See screenshot here: https://ibb.co/5Wh05rsd

jorvi 3 hours ago
Are you on an iPhone Mini?

Just like the 5S / SE before it, corporations just sort of stopped testing that screen size, which leads to dumb UI gaffes like that.

Another classic is button or menu text getting truncated. Spotify had that problem on the SE too.

raphael_l 2 hours ago
This was in February of last year according to the screenshot, my device was an iPhone 11 - not a small one, but rather very much standard screen size!
strbean 3 hours ago
Truly amazing that without the "I can't see the number" option you probably could have seen the number.
raphael_l 2 hours ago
That’s true, but only for my screen size. A smaller device wouldn’t.
0xbadcafebee 4 hours ago
If you need a new password manager to keep 2FA codes as well as passwords, Bitwarden is open source (AGPL-3.0/GPL-3.0), and you can self-host the server if you want. Only solution that won't eventually become crappified by a business that doesn't care about you.
RataNova 2 hours ago
Killing autofill and saved passwords in Authenticator is a bold move, especially considering how many non-technical users rely on that feature without even knowing what a passkey is.
foobarbecue 4 hours ago
This will be delayed. Anyone want to bet me?
cwillu 4 hours ago
And more importantly (for them), it's much harder to share a passkey than it is to share a password.

“Why GNU su does not support the `wheel' group

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn’t know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The “wheel group” feature would make this impossible, and thus cement the power of the rulers.

I’m on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.”

https://www.meisterplanet.com/journal/2004/05/09/richard-sta...

ars 2 hours ago
I don't have a fingerprint scanner on my computer, nor facial recognition.

I do not want any kind of password that relies on my phone, because phones break and can get lost.

So basically this forces me to change from a password to a PIN and this is supposed to be more secure?

jeroenhd 0 minutes ago
No, this will force you to either install Microsoft Edge on your phone or switch to one of the many other password managers that do offer autofill on iOS.

If you weren't synchronising your passwords through the Microsoft authenticator app, you won't be affected at all. If you were, Microsoft has decided to be annoying and make you install their browser to get password autofill support back.

Microsoft prefers synchronising passkeys between devices because passkeys are immune to credential-stuffing attacks, but you don't have to do what Microsoft wants.
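As an added illustration, not from any commenter or from Microsoft, of why the thread calls passkeys unphishable and immune to credential stuffing: a constructed Go model of the WebAuthn registration and login flow, where the rpId, origin names and single-user relying party are assumptions made for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed toy of the WebAuthn passkey flow, not Microsoft's or any vendor's
// code; it keeps only two properties: one key pair per rpId, one-time challenges.

// RelyingParty is one website with one user; it stores only a public key.
type RelyingParty struct {
	ID      string            // rpId, e.g. "example.com" (assumed name)
	pubKey  ed25519.PublicKey // set at registration
	pending []byte            // outstanding challenge, nil once consumed
}

// Authenticator is the device or password manager: one private key per rpId.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a key pair for this rpId; the RP receives only the public half.
func (a Authenticator) Register(rp *RelyingParty) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID], rp.pubKey = priv, pub
	return nil
}

// BeginLogin issues a random challenge that is valid for exactly one FinishLogin.
func (rp *RelyingParty) BeginLogin() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand always fills the buffer
	rp.pending = c
	return c
}

// signedData binds the signature to the origin that asked for it.
func signedData(origin string, c []byte) []byte { return append([]byte(origin+"|"), c...) }
// Assert signs for the origin the browser reports. A look-alike phishing origin
// has no matching key, so the user cannot be tricked into signing for it.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, fmt.Errorf("no passkey registered for %q", origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// FinishLogin verifies against the stored public key, the RP's own ID and the
// pending challenge, then clears it so a captured assertion cannot be replayed.
func (rp *RelyingParty) FinishLogin(sig []byte) bool {
	c := rp.pending
	rp.pending = nil
	return rp.pubKey != nil && c != nil && ed25519.Verify(rp.pubKey, signedData(rp.ID, c), sig)
}

func main() {
	rp, auth := &RelyingParty{ID: "example.com"}, Authenticator{}
	_ = auth.Register(rp)
	sig, _ := auth.Assert("example.com", rp.BeginLogin())
	fmt.Println("login:", rp.FinishLogin(sig), "replay:", rp.FinishLogin(sig))
}
```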

_carbyau_ 4 hours ago
I would have thought password management will be quite important for a long while yet. Is MS simply dodging the responsibility? Maybe so they can't be leaned on by government?
unethical_ban 4 hours ago
So what is the recovery mechanism for the passkey?

And they don't expect me to have a different passkey per device, right? Otherwise I still need a password every time I login to a new device.

And so I'll still need a password/passkey manager that stores that.

charcircuit 4 hours ago
> So what is the recovery mechanism for the passkey?

Similar to a password, there isn't a way to recover it if you forget it.

> And they don't expect me to have a different passkey per device, right?

You can have it show a QR code that you can scan with your phone, using your phone as a passkey.

geocar 3 hours ago
> Similar to a password there isn't a way to recover it if you forget it.

But dissimilar to a password in that you aren't ever expected to remember it, can't write it down, and in other ways.

> You can have it show a QR code that you can scan with phone, using your phone as a passkey.

I can't keep my phone in my safe and still use my phone.

charcircuit 2 hours ago
> I can't keep my phone in my safe and still use my phone.

Okay, so don't put it in a safe. The key is stored securely in your phone.

mrweasel 36 minutes ago
> The key is stored securely in your phone.

No it's not, what if I drop my phone in the ocean? Sure, in terms of encryption, secure storage and so on, it's securely stored. It's just not physically secured.

That's what concerns people. What happens if I lose my devices? What happens if I need to access an account which has been secured by a passkey, but I don't have any of my other devices, what do I do then?

pzo 35 minutes ago
Until someone pickpockets it - you need another phone as backup in your safe.
TiredOfLife 4 hours ago
They just moved the saved password functionality to their browser. Just like Mozilla did.
xp84 4 hours ago
This is missing an important piece of information. If I open Authenticator on iOS I see this message front and center:

> Autofill via Authenticator ends in July 2025 You can export your saved info (passwords only) from Authenticator until Autofill ends. Access your passwords and addresses via Microsoft Edge at any time. To keep autofilling your info, turn on Edge or other provider. (Learn more)

Not sure about the full Android feature set, but MS is moving their iOS autofill provider to the Edge app, which doesn't mean I have to use Edge to browse, it just changes which app hosts the passwords. I can still fill them using the native mechanism for any password manager to provide passwords to any password field.

Microsoft is not forcing anybody to adopt passkeys as far as I can tell. Although overall people should because passwords are quite frankly a broken idea. Almost as broken as the idiotic janky “we just emailed/texted you a code” bullshit that most sites do now instead of TOTP.

TiredOfLife 38 minutes ago
Same with Mozilla; they also moved passwords to Firefox from the standalone app.

The reason for the missing information is that this is blogspam, an older version of AI slop.

bob_theslob646 5 hours ago
> July 2025: You won't be able to use the autofill password function.

> August 2025: You'll no longer be able to use saved passwords

There has to be some sort of cost-benefit analysis for this, as this will certainly piss a ton of people off, especially the tech illiterate. Maybe passkeys are extremely simple, but saved passwords being disallowed is a huge pain point.

xp84 4 hours ago
Nobody tech illiterate was using MS Authenticator as their default autofill provider as it’s not the default autofill mechanism on iOS or Android.

The passwords have always been stored in your Microsoft account. Anyone who has their passwords there can just install Edge on their device and enable it as the autofill provider (no, that doesn’t require you to browse with Edge, just to log into it). This whole article is silly, as there is zero change to your ability to save passwords in your MS account or to autofill them on mobile.

hsbauauvhabzb 3 hours ago
I do not support - under any conditions - an application which DESTROYS existing secrets.

You can stop supporting new ones, but as soon as you destroy old ones YOU are a vulnerability, Microsoft.

How can I ever trust you to not delete secrets in future?

theginger 3 hours ago
Is this anything to do with them taking passwords without consent? I rarely use windows, and when I do one of the first things I do is switch from edge to chrome. I think I set up edge and used it once to see what it was actually like, but I was pretty careful about the data syncing / sharing settings. I have the Microsoft authenticator app on my phone, I was pretty careful about the privacy settings on that too, but it's been through a couple of phone upgrades. Somehow all of my passwords were making their way into Microsoft authenticator, so I must have missed something somewhere. I can only imagine how many millions of people must have had their passwords unintentionally slurped by Microsoft if they have been that aggressive with it.