I published a quick update about Little CRM, mainly the behind-the-scenes work that’s been going on
“Okay, but what about THIS failure scenario with passkeys?”
Important caveat: I’m not a security researcher, I’ve just read a lot about passkeys & thought about their implementation. I’ve been trying to collect findings from actual security researchers; if you know of any discussions related to this, please send them my way!
When talking about passkeys, I’ve gotten the same set of questions, poking at their edge cases. Which is good! Skepticism is always good, especially with new authentication techniques. But I wanted to answer some of these FAQs in a centralized location to save having to repeat myself a bunch.
“What about if my computer/phone breaks?”
If you’re in the vast majority of users, you’ll likely have your passkeys stored in a synced credential manager, such as iCloud Keychain, Bitwarden, 1Password, or Google Password Manager.
Apple has a really great breakdown of the security measures for iCloud keychain, including the security of recovering access: https://support.apple.com/en-us/102195
In short: as long as you’re still able to access your credential manager, and it syncs online, you’re good. 💪
“What if I don’t want to rely on an online service?”
A good question! I always recommend that folks use a hardware security key (such as a YubiKey) for their essential accounts, and keep it in a safe place. The analogy I use is: “treat it like your passport, birth certificate, or other essential documents.”
This will allow you to make sure you can access your most essential services, even if there is a SNAFU and your credential manager is no longer accessible.
“Okay, but what if I really lose access to everything? My backup hardware key, my iCloud/Google/1Password account, everything”
This is also a good question; and needs to be addressed. What we’re talking about here is not passkey specific, it’s a general question of “how does account recovery work?” So the questions being asked are the same ones we ask about our current password-based authentication flows.
For the vast majority of services, a familiar email-based recovery process makes sense:
- You request an emergency passkey registration for your account
- You’re emailed a token that can only be used once, and expires
- You use that token to register a new passkey (likely on a new credential manager/hardware key)
- You’re logged in!
And if you’re unable to get a new security key or credential manager account, this flow works so long as you’re able to access your email: you can register the new passkey in a browser/OS that stores credentials locally. Because of this, even though it’s not recommended, you could recover your account on a public computer. If you do, delete the passkey from that machine when you’re finished, and also remove it from your account’s list of registered passkeys; otherwise that computer still holds a valid credential for your account.
This is why it’s important to make sure your email account is as secure as possible, with multiple avenues for recovery. Your email is your identity card online; for better or worse.
This one is a bit tough to tease out, because:
- The writing about this recovery process is very vague, because it’s out of scope for passkeys. See the sparseness of: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Account_Recovery.html
- The credential managers listed above can’t easily talk about it (because that’s kinda what they solve 😅), and their focus is on how their recovery processes work. Which is totally valid!
“What about accounts I share access for, like utility accounts?”
Good passkey implementations allow you to register multiple passkeys. This is for a number of reasons, including this one!
- You can save passkeys for devices on different ecosystems, to reduce the headache of working across platforms. For example: if there’s a service I access on my Windows gaming PC, I can create a passkey specifically for that Windows machine to avoid the hassle of having to use my phone + Bluetooth to log in every time.
- Ecosystems can allow you to share a passkey, such as Apple allowing you to AirDrop a passkey to a nearby contact
- This reason, so your partner/family member can access this joint account independently
“What if I need to remove someone with a passkey from the account?”
Good passkey implementations allow you to remove previously registered passkeys after you reauthenticate with a different passkey (so you can’t delete the one you’re currently using, and the account is never left with no passkey at all). This is no different than someone using a shared password to change the password on an account; but it is less disruptive, because only the removed passkey stops working and everyone else’s keeps working.
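As an added example (not code from this post, and not the devise-passkeys or warden-webauthn API), here is the email-based recovery flow from the “lose access to everything” question and the register/remove rules from the last two questions, in one in-memory Ruby model. The class and method names are this example’s own; the email address and credential ids are constructed sample data.

```ruby
require "securerandom"
require "digest"
require "openssl"

# Hypothetical in-memory account. PasskeyAccount, issue_recovery_token,
# redeem_recovery_token and remove_passkey are names made up for this example.
class PasskeyAccount
  RECOVERY_TTL = 15 * 60 # seconds the emailed token stays valid

  Passkey = Struct.new(:credential_id, :label, :public_key)

  attr_reader :email, :passkeys

  def initialize(email)
    @email = email
    @passkeys = {}   # credential_id => Passkey; several can coexist
    @recovery = nil  # one outstanding token: { digest:, expires_at: }
  end

  # Step 1 of recovery: mint a random token. Only its SHA-256 digest is kept
  # server-side; the raw value goes into the email and is never stored.
  def issue_recovery_token(now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @recovery = { digest: Digest::SHA256.hexdigest(raw), expires_at: now + RECOVERY_TTL }
    raw
  end

  # Steps 2 and 3: the token is accepted once, before expiry, and its only
  # effect is to register a new passkey. Returns the Passkey, or nil on failure.
  def redeem_recovery_token(raw, credential_id:, public_key:, label:, now: Time.now)
    return nil if @recovery.nil?
    if now > @recovery[:expires_at]
      @recovery = nil # an expired token is discarded, not retried
      return nil
    end
    candidate = Digest::SHA256.hexdigest(raw.to_s)
    # both sides are 64-char hex digests, so a fixed-length constant-time compare applies
    return nil unless OpenSSL.fixed_length_secure_compare(candidate, @recovery[:digest])
    @recovery = nil # single use: consumed on success
    register_passkey(credential_id: credential_id, public_key: public_key, label: label)
  end

  # Normal registration path: an extra device, or a partner's authenticator
  # for a shared account.
  def register_passkey(credential_id:, public_key:, label:)
    raise ArgumentError, "credential #{credential_id} already registered" if @passkeys.key?(credential_id)
    @passkeys[credential_id] = Passkey.new(credential_id, label, public_key)
  end

  # Removal requires a fresh authentication with a *different* registered
  # passkey. That one rule also guarantees at least one passkey survives.
  def remove_passkey(credential_id, reauthenticated_with:)
    raise ArgumentError, "unknown passkey" unless @passkeys.key?(credential_id)
    raise ArgumentError, "reauthentication did not use a registered passkey" unless @passkeys.key?(reauthenticated_with)
    raise ArgumentError, "cannot remove the passkey you just authenticated with" if credential_id == reauthenticated_with
    @passkeys.delete(credential_id)
    true
  end
end

if $PROGRAM_NAME == __FILE__
  account = PasskeyAccount.new("me@example.com") # constructed sample account
  token = account.issue_recovery_token            # this is what the email would carry
  account.redeem_recovery_token(token, credential_id: "cred-laptop", public_key: "pk-laptop", label: "Laptop")
  account.register_passkey(credential_id: "cred-partner", public_key: "pk-partner", label: "Partner's phone")
  account.remove_passkey("cred-partner", reauthenticated_with: "cred-laptop")
  puts account.passkeys.keys.inspect
end
```

In a real relying party the public key would come from the WebAuthn registration ceremony rather than a string, and the token digest would live in the database next to the user; the three properties to keep are the same: hashed at rest, single use, and expiring.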
New LittleCRM devlog! This time about being trapped in The Sketch Vortex for 5 months, why it’s important, and commoditized UIs: buttondown.email/little-cr…
👀👀👀
Dear lord. This took way too long; the first pass of reference renderings for the Practical Framework are finished.
It only took 1 false start which did ultimately make for a better end result.
It’s also only one part of a larger, standardized pipeline. 😅 but definitely the hardest one to get right

warden 0.3.0 released
A new version of warden-webauthn is out (the foundation for devise-passkeys)
This one ensures that the underlying credentials must be discoverable by default, but provides hooks to override that in edge cases where you need to allow non-discoverable credentials. Check out the GitHub issue for more info!
Check it out! And, as always, we need maintainers!
devise-passkeys 0.2.0 released
The next alpha for devise-passkeys is out!
This includes:
- a number of bug fixes, including fixing a bug with reauthentication breaking CSRF
- The start of proper YARD documentation for the gem
- The first outside contributors! Thanks so much to everyone who’s helped out
There's still a long ways to go, but check it out! And, as always, we need maintainers!
I stand corrected github.blog/2023-05-1…
What’s the over/under on GitHub being down system-wide twice in as many weeks due to running Edge Rails on arguably one of the most mission-critical bits of internet infrastructure?
Devise-passkeys 0.1.0 is out
👋 Updating with some news! I've cut an initial alpha of devise-passkeys
Note that this is an alpha build, so it should be used with experimental projects. I wanted to get this version cut as soon as the test coverage was finished so that folks could start providing some concrete feedback.
There's still a long ways to go, but check it out! And, as always, we need maintainers!
One small step for man, one giant leap for mankind 🎉 🎉 🎉 www.theverge.com/2023/5/3/…
Huge, huge congrats to the Google team for making it happen 💪
This incredibly cursed meme came to me today
Oops, wrote 1,000 words about what I've been working on for Little CRM (in reality, the design system I'm building for Practical Computer; and why that's the first thing I'm doing)
[buttondown.email/little-cr...](https://buttondown.email/little-crm/archive/say-hello-to-tangelo/)
Also look at this little feller!
First draft of the Little CRM landing page!
Love that my internet went out right as I go to share the first draft of my landing page for Little CRM. 🫠
Want a privacy-first CRM that will allow you to:
- Focus on your best customers
- Reflect the modern ways indie creators are supported
- Stay focused on the marketing efforts that are actually working for you
I’m building it out in public! Sign up for updates here:
Building in public 1
👋 I’m stuck waiting on laundry to finish, so carving out some time for an announcement!
I’ve been wanting to build something in public for a while, and there’s no time like the present.
I’ve had an idea kicking around in my head for a privacy-first CRM that’s aimed at very small companies/operations. It’s directly informed by my own experiences working in Noko, and publicizing my music.
The audience is very focused on small operations. Stuff like my music, smaller SaaSes/service businesses. Where you want *some* place to keep track of leads & seeing who your most valuable customers are, but you specifically don’t want to track a ton of data.
And there are ancillary/modern assumptions, like tracking different product purchases by default, tracking influencers/promo efforts, and some way of ranking how effective you find particular marketing channels.
Some implementation notes:
- It’ll also be a real-world example of a passkeys first application; because right now there are way too few of those
- It’s a chance to really use Web Push!
- I know it’ll be a vanilla/minimal JS app; to prove again that you don’t need a ton to make a great, useful app.
- I think I’ll also be working on a vanilla JS/HTML variant of Standerd, made by my friends over at Nicer Studios. Have to try it out before I make that call
What if I told you this was only ~10% of them?

Mesh Network made it to an art show!
Last night was the first art show at Atlas Local, and I was lucky enough that two different people wanted to collaborate!
First up, my friend Dorcas Lanyero and I collaborated on a giant Mesh Network inspired painting! It turned out incredibly; and there are still some bits we want to improve (such as actually painting on the photovoltaic shading/projections onto the vertical greenhouses)
Also: Em Blitstein embraced the inner 90s punk in us all and made a zine; with some of the liner notes and a poster design I’ve been toying around with!
Ruby Passkeys Update
Posted a quick update about the Ruby Passkeys organization in the passkeys issue for Devise
The gist is:
- There are very early alpha implementations for Devise and Warden, including a template repo
- Once again, I am asking for desperately needed maintainers for this
City Skylines 2 really has to ship with proper transit & walkability 🤞🤞 DLCing that is ridiculous www.rockpapershotgun.com/paradox-a…
Glamping

👋 Hey y’all! Unfortunately, I got laid off from my job. I’m actively looking for work; if you’re interested in hiring someone with 16+ years of practical, real-world, customer-focused development work; please reach out! 😄
I also love doing customer support, developer relations, build-chain improvements, and engineering management.
I’ve put together a “I’m for hire” page below
I am delighted to inform you that this riiiiips louiezong.bandcamp.com/album/let…
HTTPS, Subdomained System Tests in Ruby on Rails
Getting puma to use self-signed certificates in Test
Install the localhost gem, which allows Puma to use self-signed certificates in your test environment: https://github.com/puma/puma/#self-signed-ssl-certificates-via-the-localhost-gem-for-development-use
group(:test) do
  gem 'localhost'
end
It’s not documented anywhere in Capybara, but Capybara’s built-in Puma handler allows you to issue a custom bind: https://github.com/teamcapybara/capybara/pull/2028
Capybara.run_server = true
Capybara.server = :puma, { Host: "ssl://#{Capybara.server_host}"}
I found that you do need to explicitly set Capybara.run_server = true in your system tests.
You also need to have Selenium Webdriver explicitly accept insecure hosts: https://developer.mozilla.org/en-US/docs/Web/WebDriver/Capabilities/acceptInsecureCerts
For example:
Capybara.register_driver :chrome do |app|
options = Selenium::WebDriver::Chrome::Options.new
options.accept_insecure_certs = true
Capybara::Selenium::Driver.new(app, browser: :chrome, options: options)
end
With that, Puma serves the test app over a self-signed certificate, and the WebDriver will accept it.
Running subdomained tests
Because macOS does not resolve wildcard subdomains of localhost by default, if you need to run your tests using subdomains you’ll need a loopback DNS service like nip.io, which resolves any name ending in 127.0.0.1.nip.io to 127.0.0.1.
For example:
Capybara.app_host = "https://myapp.127.0.0.1.nip.io"
Depending on how your existing tests are set up, you might also need a custom config block in config/environments/test.rb to override the tld_length:
# config/environments/test.rb
Rails.application.configure do
  # ...
  config.hosts << ".127.0.0.1.nip.io" # leading dot: allow every subdomain of the nip.io host
  if ENV["PREP_SYSTEM_TESTS"].present?
    # "127.0.0.1.nip.io" has 5 dots, so tld_length = 5 makes Rails treat it as the
    # domain and leaves only "myapp" as the subdomain
    config.action_dispatch.tld_length = 5
    Rails.application.routes.default_url_options[:host] = "127.0.0.1.nip.io" # necessary for routes to play nicely
    # ...
  end
end
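As an added example (not from the original post, and not Rails code itself), here is a stand-alone copy of the split rule ActionDispatch::Http::URL applies when it derives subdomains and domain from a host, so a tld_length value can be checked before it goes into config/environments/test.rb. The hostnames are constructed for the example.

```ruby
# Rails treats IPv4 literals and bracketed IPv6 literals as having no subdomains;
# this check is a simplified version of that rule.
def named_host?(host)
  !host.match?(/\A(\d+\.\d+\.\d+\.\d+|\[[^\]]+\])\z/)
end

# Same slicing ActionDispatch uses: everything before the last (tld_length + 1)
# labels is subdomain, the last (tld_length + 1) labels are the domain.
def subdomains_for(host, tld_length)
  return [] unless named_host?(host)
  host.split(".")[0..-(tld_length + 2)]
end

def domain_for(host, tld_length)
  return nil unless named_host?(host)
  host.split(".").last(tld_length + 1).join(".")
end

# The tld_length to configure is the number of dots in the part of the host
# you want Rails to treat as the registrable domain.
def tld_length_for(base_domain)
  base_domain.count(".")
end

if $PROGRAM_NAME == __FILE__
  host = "myapp.127.0.0.1.nip.io" # constructed sample host
  puts "tld_length for 127.0.0.1.nip.io: #{tld_length_for("127.0.0.1.nip.io")}"
  puts "with tld_length 5: subdomains=#{subdomains_for(host, 5).inspect} domain=#{domain_for(host, 5)}"
  puts "with the default tld_length 1: subdomains=#{subdomains_for(host, 1).inspect} domain=#{domain_for(host, 1)}"
end
```

With the default tld_length of 1 Rails would report the subdomain of myapp.127.0.0.1.nip.io as "myapp.127.0.0.1", which is why subdomain-scoped routing and cookies misbehave until the value is raised to 5.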
The next project I’m working on: Data-augmented composition. In essence: a way to use data as an input for composition. It won’t drive the entire piece, because I still want a human element, but the transcendent nature of generative music is appealing to me
I am now the proud owner of the most cumbersome sampler out there, thanks to #SuperMIDIPak (https://www.supermidipak.com)