Watching my wife struggle to do something on a banking app that I did on the same app with no trouble just a few days ago, I am once again reminded how difficult it is for people who don't grok computers to function in the modern world.
I am also reminded that I personally am incapable of empathizing with people who don't grok computers. "What's the matter with you?" I think to myself. "Why can't you do this simple thing?" I can't seem to truly internalize that it's not simple for them.
I used to think if I didn't help my wife with IT stuff, she'd figure things out on her own. I eventually figured out nope, she would do what so many people do: find inefficient, suboptimal ways to do things so as to avoid needing to interact with computers. But increasingly, that's not even an option: it's the computer or nothing.
My wife isn't stupid or dumb or incompetent. She's smart and talented. She just thinks differently. Lots of people do. They are being left behind.
Seriously, the issue in this thread is why I think passkeys are a ticking time bomb. Most people don't understand how they work, or that they're linked to a single device, or that they need to maintain a backup login method. Websites that support passkeys don't do enough to communicate and enforce good habits. If we continue down the passkey path, people losing access is going to be a much bigger problem in the future, and we're not ready for it.
This thread is also about infosec practitioners who insist on telling random infosec-naive people that they should be using a VPN all the time, when the user experience of using a VPN is absolute shit because of how many websites randomly block people who are on a VPN, often lying to them about why they're doing it.
I see from the replies that I need to expand on what I mean here because people are asking the same questions / raising the same objections over and over. One 500-character post is not really enough to get into all the intricacies, so it's going to take a few posts for me to explain what I was getting at.
I am not saying passkeys are less secure than passwords. They are much more secure in the normal workflow. A vast improvement. I share the hope that they will eventually replace passwords.
…
The tech industry in general has a habit of writing off people on the margins and not putting enough effort into handling failure modes.
There are two problems with this approach: (1) things fail for real users in the real world far more frequently than they do for tech nerds who grok computers and are using the beefiest hardware; (2) when millions or billions of people are using your stuff, even a small percentage of them experiencing failure modes is a lot of people.
…
Regarding my use of the phrase "single device"… I know passkeys can be synced. I wasn't referring to physical devices. Your password manager is a single "device." Your iCloud is a single "device." People get locked out of these "devices" on the regular and lose access to their data. This is a pretty catastrophic (for usability) passkey failure mode, and most passkey vendors don't allow people to protect themselves against it since they don't allow passkeys to be backed up and restored.
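As an added example (not the thread author's code), here is one way a website could act on the "backup login method" point from the posts above: read the backup-eligible (BE) and backup-state (BS) flag bits that WebAuthn authenticators put in `authenticatorData`, and refuse to let a device-bound passkey, or a synced passkey with no fallback, be the only way into an account. The policy thresholds and the `make_auth_data` helper are assumptions for the demo, not any vendor's behaviour.

```python
import hashlib
import struct

# WebAuthn authenticatorData flag bits (flags byte sits at offset 32).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced off this authenticator
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }

def registration_policy(parsed: dict, other_methods: int) -> str:
    """Decide what the site should do after a passkey is registered.

    other_methods = independent sign-in methods already on the account (a passkey on a
    different authenticator, recovery codes, ...). Thresholds are assumptions, not a vendor policy.
    """
    if not parsed["user_verified"]:
        return "reject: passkey registration requires user verification"
    if not parsed["backup_eligible"]:
        # Device-bound credential: losing the device loses the passkey.
        if other_methods == 0:
            return "require_backup: device-bound passkey and no other sign-in method"
        return "ok: device-bound passkey, account has a fallback"
    if not parsed["backed_up"]:
        return "warn: sync-eligible passkey not yet backed up"
    if other_methods == 0:
        # A synced passkey still lives in one sync account; a lockout there loses it too.
        return "recommend_backup: synced passkey is the only sign-in method"
    return "ok: synced passkey with a fallback"

def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData for the demo (hypothetical helper, not real output)."""
    return hashlib.sha256(b"example.com").digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

In a real relying party the bytes come from the registration response's `authenticatorData`; the point is that the flags are already there for a site to read and turn into a prompt before the user walks away with a single-point-of-failure login.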
…