Here's the iCloud Passwords extension for Chrome -- works on my Mac happily, and also with Arc (which means I now get to use it just as much as Safari)
I've found them to be a real pain in the arse because they're implemented so inconsistently. Only the biggest sites are offering them, but it's those big sites where I'm worried about locking myself out because of setting it up wrong.
I've locked myself out of Squarespace by setting up then subsequently removing a passkey. Doing so triggered a bug which "updated" the TOTP (that was already set up) and the backup codes. Support was absolutely deaf to the whole thing being a bug, absolutely impossible to report, and I'm sure it'll keep being an issue for years to come.
I stopped logging in into there since they forced 2FA on me because of an old contribution to an open source project. It's too much of a pain and I don't need to be logged in to look at the code of the modules or libraries I'm using or I could use. As collateral damage, I stopped opening issues on open source projects, that was maybe two or three issues per year. All my customers are on Bitbucket at the moment and it still works with username and password. If it would switch to 2FA, I'd have to comply.
If you have something like 1Password, it takes one or two clicks to set up 2FA for a given site and Passkey setup for a given site is pretty painless. There’s even a decent amount of CLI integration for signing commits, etc. As a federal contractor working in and out of higher security areas, 2FA and Passkey are… really not intrusive or disruptive to my daily life.
It’s not that the gp is trying to avoid being secure.
It’s that for a service that you only have a need for, a few times a year, mandating 2FA is an unnecessary hassle that can lead to user frustration.
I’ve experienced the same with Gitlab. I rarely use Gitlab and don’t have anything important hosted there but when a project I was a member of enabled 2FA for all contributors, it made my Gitlab account completely frustrating to use.
Typical scenario: I’m trying to do something brief on Gitlab that requires me to be logged in so I login then get shown an interstitial page saying I cannot proceed until I enable 2FA on my Gitlab account. Every action I attempt while logged in will fail unless I either enable 2FA or remove myself from the project that enabled mandatory 2FA after I was added.
GitHub’s 2FA implementation is night and day better than Gitlab’s but I imagine the user frustration must be similar if you find yourself suddenly having to enable 2FA because a GitHub org you were already part of mandates it.
True, but the alternative is that people with valuable projects to secure don't do that (because they aren't forced to), and lose things.
That said, the sign-in flow with a Passkey and BitWarden is great. Click "sign in with a passkey", click "confirm", done. No username, password, or 2FA required.
One day I hope BitWarden implement my suggestion of not requiring that second click if you only have one key.
Maybe they could have offered me the choice to "uncontribute" to that project, that is transfer my commits to the admin or to another account of mine that I would create, transfer the commits to and never access again after then. Then no more 2FA for opening issues and commenting on other projects.
I wonder if I can delete my account and create it anew with the same email and (probably) a different username.
Now that many sites are moving to passkeys or TOTPs, it would be great if Apple could not lock users in there as well.
> Apple has had a Chrome extension available for a while now which has allowed me to use it on other browsers/platforms
That's only on Windows and requires you to install iCloud tools locally, right?