Tim Cappalli
@timcappalli.me
990 followers 270 following 920 posts
🔐 #passkeys 🪪 verifiable digital credentials 🏒 bruins ⚾️ sox 🚆 urban mobility 🍉 cars ruin cities
Reposted by Tim Cappalli
vcsjones.dev
I like Mitchell’s post on “vibe coding” a feature for Ghostty. A good look at how to use AI successfully. mitchellh.com/writing/non-...
Vibing a Non-Trivial Ghostty Feature
mitchellh.com
timcappalli.me
curious to hear why you're framing it as "trick me"
Reposted by Tim Cappalli
justinbaragona.bsky.social
The New York Times says that their journalists will not sign the Pentagon's new press pass policy:
timcappalli.me
do you use a password manager?
timcappalli.me
why does it rule that out? Your credential manager should be on *all* your devices.

the cross-device experience is for exception use cases where for whatever reason, your passkeys aren't on that device (ex: a friend's or family member's device, a library computer, etc).
timcappalli.me
Most users typically have their credential manager on their phone, yes. It's often there by default.

You can also choose to store your passkeys on a hardware security key (but this isn't something the average user is going to do). It's an open ecosystem.
timcappalli.me
Hmm. Not sure what prompts you're referring to then.
timcappalli.me
you can use cross-device authentication (the device you're trying to log in on will show a QR code which you scan with your phone camera).

When your local device doesn't have a passkey for the site, it will offer this experience by default.
timcappalli.me
if you have suggestions on how to position this with users, we're all ears. Most users in UX testing have balked at prompts which explain this kind of stuff.
timcappalli.me
If you're a multi ecosystem user, you can use a cross-platform credential manager such as Google Password Manager, 1Password, or Bitwarden. It's an open ecosystem so you can use whichever credential manager you choose.
timcappalli.me
You have a few options. Passkeys are always available for use cross-device, whether it's a public computer, a friend's computer, or a device which your credential manager doesn't support (e.g. Apple Passwords + Windows).
timcappalli.me
I think I know the experience you're referring to. Is it similar to the image below?

This is an unfortunate remnant from the pre-passkey world. There is hope that this will go away soon (cc/ @satragno.bsky.social) as it causes confusion.

But the "average user" most likely will not see this prompt.
timcappalli.me
we've added a bunch of experiences that make it largely transparent to the user (ex: passkeys showing up in the autofill UI).
timcappalli.me
what we've learned from UXR and large deployments is that many users don't care about the term. They are familiar with the end result: using bio or a PIN, just like their apps.

Think about Bluetooth. Users have no idea what it means or any tech details, just that it makes their headphones work.
timcappalli.me
which browser / OS?
timcappalli.me
the default credential managers on devices usually explain this to users. Language like "Your passkey for < insert site name > will be available on all your devices with < insert credential manager name >"
timcappalli.me
In your opinion, whose responsibility is it to explain that to users?

There's been some interesting UX research on this, so I'm curious about your thoughts.
timcappalli.me
do you have a screenshot of the prompt? Every prompt I've ever seen clearly says the credential manager where the passkey will be saved (and in most cases, the user actively selects it).
timcappalli.me
there are also libraries out there for credential managers. Which one do you work on?
timcappalli.me
while traditional "File > Export" isn't typically allowed for cryptographic keys (for good reason), many credential managers now support a standardized protocol which allows you to move your passkeys (and other items) to a new credential manager.
timcappalli.me
Can you give some concrete examples of where you ran into issues implementing? Asking as one of the spec authors here.

Are you using a library? Most developers I've chatted with find implementation using a library quite easy.
timcappalli.me
in your opinion, who should explain them to users?
timcappalli.me
Passkeys have strong phishing protections, which no other authentication method has. Using a passkey is also much more user-friendly than having to enter a password and then do some additional action.
timcappalli.me
if you use a security key or Windows Hello, those passkeys are only available on that device. You should be sure you have two passkeys for the account in those cases.
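The post above turns on a distinction a relying party can actually observe: the WebAuthn authenticator data carries "backup eligible" (BE) and "backup state" (BS) flags, and a passkey on a security key or in Windows Hello has BE clear, which is exactly the "only available on that device" case. The following is an added example, not code from the original thread or from any spec author or library: a server-side parser for authenticator data (rpIdHash, flags, signCount, attested credential data) plus a registration check that verifies the RP ID, user presence and user verification, rejects the invalid BS-without-BE combination, and flags a device-bound passkey so the site can nudge the user to enroll a second one. The RP ID `example.com`, the credential IDs and the zero-coordinate COSE key bytes are constructed test input, and the example assumes no extension data (ED) is present, since splitting the COSE key from an extension map would need a CBOR decoder.

```python
"""Parse WebAuthn authenticator data and tell synced passkeys from device-bound ones.

Added example; not code from the original thread. Flag bit values follow the
WebAuthn authenticator data layout. Sample inputs are constructed, not captured.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric / PIN)
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]
    credential_public_key_cbor: Optional[bytes]

    def flag(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split authenticator data into its fixed header and attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    rp_id_hash, flags = data[:32], data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = public_key = None
    offset = 37
    if flags & FLAG_AT:
        if len(data) < offset + 18:
            raise ValueError("truncated attested credential data")
        aaguid = data[offset:offset + 16]
        (cred_len,) = struct.unpack(">H", data[offset + 16:offset + 18])
        offset += 18
        credential_id = data[offset:offset + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential ID shorter than its declared length")
        offset += cred_len
        if flags & FLAG_ED:
            # Assumption for this example: no extensions, so the COSE key runs to the end.
            raise NotImplementedError("extension data present; CBOR decoding needed to split it")
        public_key = data[offset:]
        if not public_key:
            raise ValueError("missing credential public key")
    elif flags & FLAG_ED:
        raise NotImplementedError("extension data present; CBOR decoding needed")
    elif len(data) != 37:
        raise ValueError("unexpected trailing bytes without AT or ED flag")
    return AuthenticatorData(rp_id_hash, flags, sign_count, aaguid, credential_id, public_key)


def check_registration(auth_data: bytes, rp_id: str) -> dict:
    """Validate a registration's authenticator data and classify the new passkey."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not ad.flag(FLAG_UP):
        raise ValueError("user presence not asserted")
    if not ad.flag(FLAG_UV):
        raise ValueError("user verification not performed")
    if not ad.flag(FLAG_AT):
        raise ValueError("registration response lacks attested credential data")
    if ad.flag(FLAG_BS) and not ad.flag(FLAG_BE):
        raise ValueError("invalid flags: backed up (BS) but not backup eligible (BE)")
    synced = ad.flag(FLAG_BE)
    return {
        "credential_id": ad.credential_id.hex(),
        "aaguid": ad.aaguid.hex(),
        "synced": synced,
        "backed_up": ad.flag(FLAG_BS),
        # A device-bound passkey (security key, Windows Hello) lives only on that
        # device, so the user should be prompted to register a second passkey.
        "recommend_second_passkey": not synced,
    }


# Constructed sample input: a CBOR EC2 COSE key shape with zeroed coordinates (placeholder, not a real key).
PLACEHOLDER_COSE_KEY = bytes.fromhex("a50102032620012158") + bytes([0x20]) + bytes(32) + bytes.fromhex("225820") + bytes(32)
SYNCED_FLAGS = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT        # e.g. a platform credential manager
DEVICE_BOUND_FLAGS = FLAG_UP | FLAG_UV | FLAG_AT                     # e.g. a security key


def make_sample_authenticator_data(rp_id: str, flags: int, credential_id: bytes, sign_count: int = 0) -> bytes:
    """Build constructed authenticator data bytes for testing (not real authenticator output)."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    attested = bytes(16) + struct.pack(">H", len(credential_id)) + credential_id + PLACEHOLDER_COSE_KEY
    return header + attested


if __name__ == "__main__":
    for name, flags in (("synced", SYNCED_FLAGS), ("device-bound", DEVICE_BOUND_FLAGS)):
        sample = make_sample_authenticator_data("example.com", flags, bytes([0xAB]) * 16)
        print(name, check_registration(sample, "example.com"))
```

In production the COSE key and any extension map would be decoded with a CBOR library, and the BE/BS flags should also be checked on every assertion: a credential whose BE flag changes between registration and later assertions is a protocol violation worth alerting on.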