5/9/2023: The passwordless mess

Passwordless logins are a mess

Plus: Gmail’s extra ads, AI news editors, and Bluetooth speaker deals

eBay’s passwordless login prompt.

Ready or not, the tech industry believes it’s time to start killing the password.

After discussing the idea in mostly theoretical terms last year, companies like Google and Apple are starting to push passwordless logins in earnest. By weaning people off passwords, they hope to make account logins easier and less susceptible to phishing attacks.

But behind the optimistic press releases—like last week’s from Google, which declared the “beginning of the end of the password”—lies a harsher reality: Getting rid of passwords will be a long, messy, and occasionally maddening process, especially without clearer documentation and guidance from the companies involved.

Even so, you can expect to see more apps and sites encourage you to create passwordless logins in the weeks and months ahead. Here’s what you need to know about how this is all going to work.

What might replace passwords

The big idea behind passwordless logins is that your phone or computer proves who you are through biometric data, such as with FaceID or your fingerprint.

This does not mean you’re sharing biometric info with every app or website. Instead, your phone or computer can store the keys for your online accounts, and your face or fingerprint provides a kind of security check that tells each site to provide access.

Google’s passwordless login prompt

The concept is somewhat similar to password managers such as Bitwarden and 1Password, in that you can’t access your vault on your phone without a biometric check (or your master password). The difference is that you never see an actual password, and neither does the app or site you’re logging into. Having your login stolen becomes less likely as a result.

Your passkeys are also supposed to sync across devices, either via Apple’s iCloud Keychain or Google’s password manager in Android or Chrome. When those options aren’t available, the passkey system lets you sign into other devices from your phone using Bluetooth or a QR code. In theory, this means you’ll be able to log in without a password even as you move between your phone and laptop.

Why it’s a mess right now

Creating and using a passkey on Best Buy’s website

All of this falls apart when you try to start using passkeys in earnest. The technology is so new that every website handles it differently, and things that are supposed to just work often don’t.

eBay, for instance, is now encouraging users to create passkeys after they log in with a regular password. But once you do that, the site provides no way to actually use the passkey on other devices.

Best Buy’s process is even more confusing. While the site prominently offers a “Sign in with Passkey” prompt on its login page, creating one in the first place requires you to dig deep into Best Buy’s account menus.

I also had trouble using my Best Buy passkey across devices. While its desktop site lets you transfer passkeys created on your phone, the same process wasn’t available in reverse. Meanwhile, Google failed to sync my Best Buy passkeys at all, so trying to use “Sign in with Passkey” on a second Android phone only produced an error message.

Transferring a passkey from a phone to a PC.

As for Apple, it’s in its own universe when it comes to passwordless logins. To port passkeys over from a non-Apple device, you either need an Android phone or a physical security dongle with NFC support, which rules out easily syncing passkeys created on a Windows PC.

I have a pretty solid handle on technology, and I still find this to be overwhelming. Even across just a handful of sites, I’ve already lost track of which passkeys are stored where, and as of now, there’s no way to bulk-transfer them onto a single platform or password manager.

All of this, by the way, is separate from the “Sign in with Google” and “Sign in with Apple” buttons that are already ubiquitous around the web. While those options are also passwordless, they’re separate from this new passkey system that’s now being created.

What happens if you lose your phone?

The other concern with passkeys is how much pressure they put on your phone to serve as the keys to your digital life. As of now, none of the systems’ biggest backers have provided clear documentation on what happens if your phone goes missing.

What I’ve gathered is that you’re supposed to use a secondary device—like a laptop or an iPad—to help authenticate the replacement phone. At that point, all your passkeys will sync over, and you’ll be on your way.

Setting aside all the sync issues I mentioned above, what happens if your phone is your only device, or if your other devices have gone missing as well? Today, the recovery process usually involves getting a text message sent to your new phone after entering your password. That option, which already carries some risk, won’t be possible in a passwordless future.

Even now, there are other ways of recovering your account, such as printed backup codes or trusted recovery contacts. Setting those up will become even more important if passwords someday cease to be an option.

Right now, though, the companies pushing passwordless logins are glossing over the issue entirely. In Google’s latest post about adding passkey support, the possibility of losing your phone doesn’t even come up, and its support page offers no guidance for users who’ve lost all their devices.

Passwords aren’t going away (yet)

All of which helps explain why passwords are sticking around. Despite the hype, most of the services that offer passwordless logins today aren’t actually deleting your passwords. They’re just offering passkeys as an additional sign-in method as they try to work through an array of new inconsistencies, inconveniences, and technical hiccups.

In other words, when you see a “sign in with passkey” prompt on a website today, it roughly translates to “please be our guinea pig.” Leaving that job to others is a perfectly acceptable option.

Sign up for Advisorator to get tech advice like this every Tuesday.


Need to know

Gmail’s extra ads: Just in case you needed another reason to check out the alternative email apps I wrote about last week, Google says it’s “experimenting” with more ads inside Gmail. The additional ads are showing up for some users in the middle of the Promotions inbox (rather than just on top) and inside the Updates tab (which had been ad-free).

Oh, and one more option I didn’t mention last week: Simplify Gmail is a great browser extension that strips the ads out of Gmail’s desktop site while providing a cleaner interface overall. Given how much time I spend inside Gmail, it’s well worth the $24 annual fee.

Apple’s extra security patches: If you’re seeing a prompt on your iPhone, iPad, or Mac for a “Rapid Security Response” update from Apple, know that it’s legit and that you should take it. This is a new initiative from Apple, aimed at delivering important security updates between even minor versions of iOS and MacOS. These updates are denoted with a letter, such as iOS 16.4.1 (a).

While Apple had some trouble delivering the update last week, it seems to be rolling out more broadly now. (My wife, for instance, got prompted to update via a pop-up over the weekend.) Hopefully they’ll be a rare occurrence rather than a constant nuisance.

An AirTag anti-stalking initiative: Apple and Google are now working together on ways to detect unwanted AirTags and other Bluetooth item trackers across both iOS and Android. While the iPhone can already alert users if they’re carrying someone else’s AirTag, it can’t find trackers from other brands such as Tile. Android has no system-level alert feature for unwanted item trackers at all.

AirTags’ effectiveness comes from being able to report their location whenever another iPhone is in range. It’s for this reason that the NYPD is now encouraging more AirTags in cars to mitigate theft. But as Glenn Fleishman points out, that effectiveness also makes them conducive to bad behavior—a point for which Apple didn’t seem fully prepared. The company expects to ship some kind of solution by the end of the year.

Tip of the moment

An AI news editor: A theory I’ve been rattling around is that generative AI tools like ChatGPT are at their best when they’re helping people sort through human-made content, rather than replacing it with their own.

A great example of this is News Minimalist, a website that uses ChatGPT to read hundreds of news stories per day, assigning them a “significance” score based on concepts like event magnitude, scale, and source credibility. The site then presents a daily list of headlines and links to any stories with a score of six or higher. (The summary is also available as a daily newsletter.)

The results tend to be pretty dry, but that’s the point, and I like that you’re encouraged to click on the actual source for more detail and context. While the focus is on global news, one could easily imagine the same idea applied to more specific areas such as technology or U.S. politics.

For another take on this concept, check out Boring Report, which offers links to top stories along with brief, non-sensational descriptions.

Now try this

Plexamp’s AI playlists: For more on that theory I just mentioned, Plex has just released an awesome playlist generator based on the tech behind ChatGPT. With a Plex Pass subscription and the Plexamp music player—plus either your own music collection or a Tidal subscription—you can create incredibly specific playlists using natural language. Some examples:

  • “70s classic rock with awesome guitar solos, but nothing by The Eagles and no Stairway to Heaven or Free Bird.”
  • “Just the uptempo stuff from Ben Folds Five.”
  • “Experimental death metal, interspersed with the occasional track by Rick Astley.”

In each case, Plexamp will generate a playlist along with brief descriptions for each track. This works best when the app is connected to a Tidal subscription, but you can also limit playlists to just media server content.

Plexamp users can set this up under Settings > Advanced > Sonic Sage. Note that you’ll need to set up an API key with OpenAI (the makers of ChatGPT), and each playlist will cost you about two tenths of a cent in API fees.

Spend wisely

Need a Bluetooth speaker for summer? Amazon currently has the UE Wonderboom 3 for $79, which is $21 off the regular price. I’ve used a previous version of this speaker, and it has solid sound quality and excellent durability, having survived several drops onto pavement. It’s also waterproof, and the built-in loop is handy for hooking onto a bag. Here’s a well-balanced review.

Thanks for reading!
