I spent the weekend bringing up a new PC and the experience demonstrated many weaknesses in the current authentication infrastructure and the near complete lack of user autonomy. I have no choice but to use an OAUTH account to log in to many applications etc. and the user experience is dire. I ended up responding to at least a dozen PIN challenges to my mobile device. My environment is somewhat extensive but it really isn't that much more complex than a regular user's.
IETF has traditionally avoided doing UI but in this case, the UI is the protocol and it is impossible to discuss the security of the system without discussing the boundaries between what the user can and cannot trust.
Yeah, IETF is a very strange venue for something like OAUTH. Why wasn't it done at W3C? At least they do UI stuff, and more to the point have better clue of the inner workings of browsers. It would have also driven home the point that it was a web thing, not a general thing.
Will passkeys solve these problems? I am very skeptical because while the security offered is a real improvement on the status quo, what passkeys are really replacing is the browser cookie traditionally used to reauthenticate the machine. That isn't where the real UI pain is for the user.
I'm not sure what the problem is? Using public key crypto instead of passwords is pretty painless even though webauthn made it far too difficult for the average site case where a local password (or whatever else) used to unlock private keys would be plenty sufficient.
I have built a prototype using just WebCrypto and it's even easier than your typical user/password/email verify account creation and login.
Mike