17 May, 2023

Recent Survey Request From Google About Passkeys

Too bad Google's recent survey which I received was not open-ended, and was restricted to only the answers they thought of; that is, no place to opine in freeform text.  If they want adoption, they have a LOT of work to do.

  • They call it "passwordless", but if I have to enter a password (it's called a PIN, but it's the same thing) in order to use my YubiKey, it's not passwordless.  I might as well just use a normal password login and touch my key for MFA; it's more convenient because my password manager fills the password in automatically.  I don't know for sure at this point, but I'm going to guess this insistence on having a PIN was part of the FIDO standard for using a hardware key.
  • Offhand it doesn't seem infeasible to use a YubiKey for both MFA and passkeys.  They're used at totally different phases of authentication.  Yet you make it clear that there is an MFA section and a separate passkey section on the page, and put up an error if one tries to enroll a YubiKey already registered for MFA as a passkey.
  • Telling me to "hold my phone closer to my computer" is useless if you don't tell me why.  I could have opened the side panel and chucked it inside (not possible to get any closer), and it still wouldn't have helped.  You have to explain that it is to get a better Bluetooth connection, which was never going to happen because BlueZ had not paired my phone at that point.  There comes a point where being nontechnical is highly counterproductive.  "Page cannot be displayed" is extremely unhelpful.  "Name not found in DNS," "DNS lookup failure," or "connection refused" are infinitely more helpful.  Similarly, mentioning Bluetooth on that screen on the phone is vastly more helpful than just asking me to hold it closer.
  • You listed all sorts of devices, from tablets, to iPhone, to iPad, to Mac desktop, to Chromebooks, but I had to choose "other" because it was a Linux desktop.  Seriously... doesn't your business rely heavily on Linux?  Yet you can't be bothered to offer it as a possibility for using your Web products?
  • You confuse the issue by calling it passwordless login in some places and passkeys in others.  When I wanted to turn it off (more hassle than it's worth, honestly), I couldn't find the switch for several minutes because of the dual labelling.  It also wouldn't hurt to put this switch to disable it on the enrollment page, either instead of, or in addition to, where it is now.
English is a difficult enough language to interpret correctly when its rules are followed, let alone when the speaker or writer chooses not to follow those rules.

"Jeopardy!" replies and randomcaps really suck!