this post was submitted on 16 Oct 2024
271 points (86.3% liked)

Technology

59347 readers
4401 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 91 points 1 month ago* (last edited 1 month ago) (14 children)

The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

[–] [email protected] 29 points 1 month ago (6 children)

people will pick the corporate options that are shoved on their faces, not the sensible open source user-respecting ones.

vendor lockin will happen if we adopt passkeys as they are right now.

[–] [email protected] 16 points 1 month ago (2 children)

Bitwarden just announced a consortium with Apple, Google, 1Password, etc to create a secure import/export format for credentials; spurred by the need for passkeys to be portable between password managers (but also works for passwords/other credential types)

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago)

I'm definitely holding off on passkeys until that project is finished. I also don't want vendor lock in and while that seems like the solution, it seems like they just started working on it.

[–] [email protected] 3 points 1 month ago (1 children)

Import export is not the same as interoperability

[–] [email protected] 1 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

The interoperability already exists in the protocol webauthn, part of FIDO2 which has been around for almost a decade. Interoperability is not remotely an issue with passkeys. Imported/export is/was and also already has a solution in the works.

[–] [email protected] 2 points 4 weeks ago (1 children)

So I can use the same passkey from say, bitwarden and windows hello? Why do you even need import export then?

[–] [email protected] 2 points 4 weeks ago

Yes you can use a passkey set up on any given service to authenticate to a service that supports passkeys. You’d need import/export to move a given passkey from bitwarden to Windows.

load more comments (3 replies)
load more comments (10 replies)