In June I sat in a hotel room in Amsterdam with my Android phone, laptop, iPad, hardware security fob, and full access to my personal email and password manager, trying to log in to my Gmail account on my phone. It took three hours and something like a hundred different attempts.
Of the eight-odd services I've set up to use WebAuthn 2FA or passkeys, I think three of them have subsequently locked me out of my account because they couldn't talk to the security key properly.
Up until this week, Google would let me *register* via Firefox WebAuthn, but completely refuse to let me actually log in unless I used Chrome. Apparently Chrome is broken now too.
Trimble happily let me register the Titan key as a passkey, and then locked me out of the account permanently. Thankfully all it took was one email to support to get them to reset my password (!)
Apple seems to have no concept that someone would not own an iPhone, and insists I return home to look at my iPad instead.
TOTP with an authenticator app is decent, actually. I just wish I didn't have to do it a dozen times a day.
@aphyr
Good to know passkeys are still a hot fucking disaster. I'll just keep using Long Passwords for the foreseeable future
@aphyr been down this road and I am back to just random passwords that I maintain via GPG. All as long as the service allows. 128 character random garbage? Sure, I’ll take it. But passkeys are too error prone at the moment.
And being on FreeBSD, manually maintaining 2FA keys like a Yubikey broke the actual hardware key one too many times.
@aphyr I find having the TOTP integrated into Bitwarden is super convenient (even though it's consolidating 2FA into one system with both factors, so if your vault gets compromised you're hosed).