jarrod

David Sparks is frustrated by the slow adoption of passkeys. Me too. And he pointed out why sites hedging their bets and letting you set up both a password and passkey can be dangerous, which I hadn’t considered:

When a site offers both options, it creates a tempting target for bad actors. Imagine this: You try to log in with your shiny new passkey, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just handed over your credentials to the bad guys.

It works directly against the promise that passkeys are unphishable.
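The attack quoted above works because the phishing page only needs to get the victim onto the password form. The relying-party-side countermeasure is a policy, not a UI tweak: once an account has a passkey, refuse password logins for it, and verify that the origin bound into the WebAuthn assertion is the real site. The following is an added example written for this post, not code from David Sparks, jarrod, or any site they mention. The origin `https://example.com`, the lookalike `https://examp1e.com`, the account names and the fixed challenge are all constructed for illustration, and signature verification over the authenticator data is left out so the policy logic stays visible.

```python
"""Added example (not from the thread): a relying-party login policy that
refuses password fallback for accounts that have enrolled a passkey, and
checks the origin bound into a WebAuthn assertion's clientDataJSON.
All origins, accounts, credential IDs and the challenge are constructed."""
import base64
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed origin of the legitimate relying party (illustrative value).
RP_ORIGIN = "https://example.com"


@dataclass
class Account:
    username: str
    password_hash: Optional[str] = None
    # Credential IDs of passkeys the user has registered (constructed values).
    passkey_ids: Set[str] = field(default_factory=set)


def hash_password(password: str) -> str:
    # Illustrative only; a real deployment uses a slow hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Build the base64url clientDataJSON a browser hands the RP for an assertion."""
    payload = {"type": "webauthn.get",
               "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def check_client_data(client_data_b64: str, expected_challenge: bytes) -> Tuple[bool, str]:
    """Type, challenge and origin checks an RP performs on clientDataJSON.
    Signature verification over authenticatorData || sha256(clientDataJSON)
    is deliberately omitted here."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "not an assertion"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        # The browser fills in the origin of the page that called the API,
        # so an assertion collected on a lookalike domain carries that domain.
        return False, "origin mismatch: %r" % cd.get("origin")
    return True, "ok"


def login_with_password(account: Account, password: str) -> Tuple[bool, str]:
    """Password path. The policy: once a passkey exists, password login is
    refused, so a fake 'your passkey failed, type your password' screen
    has nothing useful to collect."""
    if account.passkey_ids:
        return False, "password login disabled: account has a passkey"
    if account.password_hash is None:
        return False, "no password on file"
    if account.password_hash != hash_password(password):
        return False, "bad password"
    return True, "ok"


def login_with_passkey(account: Account, credential_id: str,
                       client_data_b64: str, challenge: bytes) -> Tuple[bool, str]:
    if credential_id not in account.passkey_ids:
        return False, "unknown credential"
    return check_client_data(client_data_b64, challenge)


def demo() -> dict:
    challenge = b"\x01" * 32  # constructed; real RPs issue random, single-use challenges
    alice = Account("alice", hash_password("hunter2"), {"cred-alice-1"})
    return {
        # Genuine assertion made on the real origin.
        "passkey_real_origin": login_with_passkey(
            alice, "cred-alice-1", make_client_data(RP_ORIGIN, challenge), challenge),
        # Assertion produced on a lookalike phishing domain: origin is bound in, so it fails.
        "passkey_phish_origin": login_with_passkey(
            alice, "cred-alice-1", make_client_data("https://examp1e.com", challenge), challenge),
        # Fallback with the correct password after a fake 'passkey failed' prompt.
        "password_fallback": login_with_password(alice, "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the example is the last case: the password is correct, and the login is still refused, because the account has a passkey. A site that keeps the password path open for such accounts has built exactly the fallback the quoted attack relies on.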

darrencohen.me

@jarrod I tried to get a non-tech person to use a passkey, and it was not going to happen.

jarrod

@darrencohen.me If it were all that was offered, I think people would get onboard. It’s way easier!

jagibson

@jarrod For general end users I don’t believe passkeys are as simple as touted, because it isn’t logical for a lot of people.

jagibson

@jarrod But I agree that offering both doesn’t really solve that problem (and seems lazy tbh)

jarrod

@jagibson I dunno, I see most people, even non-techies, using their phone’s built-in password manager these days. If they’re already using that, passkeys aren’t much different, and are technically easier/faster to set up. A hang-up is cross-platform usage, but again, I don’t see many people confused by QR codes these days.

jagibson

@jarrod I don’t think it’s as clear-cut. I think conceptually the passkey (especially cross-platform) paradigm is not as clear of a concept as originally intended, and there are real support burdens companies go through for their users with these kinds of shifts (meaning end-user friction).
