> Until I needed to login on another device and then Dashlane saved that passkey too, but each passkey was tied to the specific device… only it wasn’t clear when I logged in which passkey I should choose, and chose the wrong one and it doesn’t work.
I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.
> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.
It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.
I remember being a kid on the internet 20-something years ago, understanding how passwords worked, and thinking the whole of the internet must be crazy for accepting a "pinky-promise we don't store that secret password you're sending us in plaintext, let alone use it for nefarious purposes" as the status quo.
I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.
I defend against that scenario by letting my password manager generate a different random password for every site. It defends also against sites handling passwords in terribly wrong ways, hacks, leaks, etc.
> I then discovered SSH and how it worked, asked in some public forum why there isn't a way to log in to websites using an ssh keypair, and was ridiculed for it.
In an alternative universe, the web standardized something like "tripcodes but cryptographically secure" which would keep any secrets out from servers, and we'd just be dealing with signed data.
Client certificates are a thing and can in principle be used for authentication on websites. Not 100% sure that was possible 20 years ago, but Istrongly suspect that it was.
The problem is the UX around handling the certificates. Password are nearly impossible to beat in terms of "works everywhere without requiring any support infrastructure".
Even with SSH, you need access to the console when things went awry. But that’s easier to secure as you need to be physically present in front of the machine, or go through your cloud provider’s security mechanism.
But that’s only inconvenient when you want access back. Most B2C don’t care about you enough to offer those processes.
In the article they mention they are not just going to support exporting passkeys, but also passwords and other credentials. The goal is to create a secure exchange format for that. They have published drafts of the standards.
I'm not sure if that has changed since years ago (when you last tried), or that that is a Dashlane thing. In any case, that's not how it is now. I've stored them in 1Password. I can use them on any 1Password-enabled browser, and on my Android. They're slightly easier than password flows, and much easier than MFA flows.
> I’ll also add. I don’t have a good mental model for what a passkey is or how it works.
It's a public and private key-pair. You keep the private key, the server gets the public key on registration. When you login the server sends a challenge. "You" encrypt it with the private key and send it back. The server uses the public key to verify and boom, you're logged in.