https://www.stavros.io/posts/clearing-up-some-passkeys-misco...
To answer the article's points:
> While the tech is great, the problem is that nothing supports these new-fangled methods of authentication.
Should we never switch to anything else, then, because nothing will support it until everything does?
> Multi-devicing for authentication is a poor user experience. Even having to go click a link in your mailbox sucks.
WebAuthn doesn't require multi-devicing.
> People don't have their phone on them all the time (and some don't even have a smartphone).
WebAuthn doesn't require a phone.
> New users don't understand these methods of authentication.
New users don't understand how to safely use passwords either. If we're going with max usability, we might as well get rid of passwords and just use usernames for authentication. Otherwise, we should compare like to like, and the usability of passwords is not worth how insecure they are.
> They're generally much more complicated to implement than a basic email/password combo.
Yes, it's much easier to implement something insecure than something secure. This sentence is disingenuously omitting all the impossibility around actually making passwords secure, i.e. using a different password for each site, 2FA, password length restrictions, etc.
When it comes down to it, Passkeys are orders of magnitude more secure for a small usability cost over completely insecure passwords. To say anything else is hostile to security.