top | item 35804020


ghancock | 2 years ago

I wrote about my experience with passkey support on other services here: https://news.ycombinator.com/item?id=35758918. That experience was mostly negative. For anyone implementing this, the user experience matters and requires usability testing of a lot of combinations.

In comparison to those, Google’s support seems better. It worked, was transparent about what was going on, and gave me the option to create the key on either the device I was using or another one if I wanted. The one hitch was that when I already had a 2FA key on the same platform authenticator, it just said I already had a registered key on this device and didn’t do anything. I would have expected some sort of upgrade flow for people who previously registered their devices for 2FA, or at least to more directly tell me to delete the existing security key on the device (which is what I did, and which worked).

judge2020 | 2 years ago

> it just said I already had a registered key on this device

Is this Android? Because, before this change, there was no way to register a real WebAuthn-based passkey with Google, at least when I was trying with Chrome (it did not prompt the WebAuthn popup, just the OS-native security key popup).

ghancock | 2 years ago

This was on an iPad. My experience before had been that I was able to register an iCloud passkey for Google 2SV when using Safari on iOS/iPadOS, but I was unable with Chrome.

At that time, I inspected the registration request Google sent to Chrome and found it was passing a private option that Chrome recognized. According to what I found in web searches for it, the option created a legacy U2F key, and they needed to do that because there were existing Android devices that they could not upgrade and that would not support log in with WebAuthn keys.
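Two things in this thread can be checked directly from the registration request a site hands to `navigator.credentials.create()`: whether the request asks for a discoverable credential (a passkey) or a plain second-factor key, and whether it carries an `excludeCredentials` list, which is what makes the browser refuse with "already registered" when the platform authenticator already holds one of the listed credentials. The code below is an added example, not code from the thread or from Google; the option objects are constructed, the relying-party name `example.test` is a placeholder, and the extension name `vendorPrivateFlag` is made up to stand in for the unnamed private option the comment above mentions (its real name is not on this page).

```javascript
// Added example: classify a WebAuthn registration request (the `publicKey`
// member passed to navigator.credentials.create) the way one would when
// inspecting what a relying party sends to the browser.

// Extension identifiers defined in the WebAuthn / CTAP2 specifications.
// Hand-maintained list; anything not in it is reported as non-standard.
const KNOWN_EXTENSIONS = new Set([
  "appid", "appidExclude", "credProps", "largeBlob", "hmacCreateSecret",
  "prf", "credProtect", "minPinLength", "uvm", "credBlob",
]);

function analyzeCreationOptions(publicKey) {
  const sel = publicKey.authenticatorSelection || {};
  // A passkey is a discoverable (resident) credential. Older "security key"
  // style 2FA registrations do not require residency, so the authenticator
  // only needs to hand back a credential ID for the server to store.
  const wantsResident =
    sel.residentKey === "required" || sel.requireResidentKey === true;
  const exclude = publicKey.excludeCredentials || [];
  const extNames = Object.keys(publicKey.extensions || {});
  return {
    rpId: publicKey.rp ? publicKey.rp.id : undefined,
    kind: wantsResident ? "passkey (discoverable)" : "second-factor (non-discoverable)",
    attachment: sel.authenticatorAttachment || "any",
    userVerification: sel.userVerification || "preferred",
    // If the authenticator already holds any credential listed here, the
    // client rejects create() with InvalidStateError instead of making a new
    // key; that is the "already registered on this device" outcome.
    excludedCredentialCount: exclude.length,
    nonStandardExtensions: extNames.filter((n) => !KNOWN_EXTENSIONS.has(n)),
    algorithms: (publicKey.pubKeyCredParams || []).map((p) => p.alg),
  };
}

// Optional hook for a browser devtools console: log every registration
// request the page makes before forwarding it. Returns false (and installs
// nothing) where `navigator.credentials` does not exist, e.g. under Node.
function installCreateLogger(logger = console.log) {
  if (typeof navigator === "undefined" || !navigator.credentials) return false;
  const original = navigator.credentials.create.bind(navigator.credentials);
  navigator.credentials.create = (options) => {
    if (options && options.publicKey) logger(analyzeCreationOptions(options.publicKey));
    return original(options);
  };
  return true;
}

// Constructed sample: a passkey request that also excludes one existing
// credential and carries one made-up, non-standard extension.
const SAMPLE_PASSKEY_REQUEST = {
  rp: { id: "example.test", name: "Example RP" },            // placeholder RP
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32),                              // zeros, sample only
  pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
  authenticatorSelection: {
    authenticatorAttachment: "platform",
    residentKey: "required",
    userVerification: "required",
  },
  excludeCredentials: [{ type: "public-key", id: new Uint8Array([9, 9, 9]) }],
  extensions: { credProps: true, vendorPrivateFlag: true },  // vendorPrivateFlag is invented
};

// Constructed sample: a classic second-factor security-key registration.
const SAMPLE_SECOND_FACTOR_REQUEST = {
  rp: { id: "example.test", name: "Example RP" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32),
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  authenticatorSelection: { residentKey: "discouraged", userVerification: "discouraged" },
  extensions: { appid: "https://example.test" },             // standard extension
};

console.log(analyzeCreationOptions(SAMPLE_PASSKEY_REQUEST));
console.log(analyzeCreationOptions(SAMPLE_SECOND_FACTOR_REQUEST));
```

Pasted into a devtools console, `installCreateLogger()` prints the classification for each registration the page attempts, which is enough to tell a passkey enrollment from a second-factor one and to see whether a non-empty `excludeCredentials` list explains a refusal.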