this post was submitted on 11 Oct 2023
291 points (98.0% liked)

Technology

59421 readers
3562 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really unsecure pins.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 161 points 1 year ago (27 children)

Man, the amount of fearmongering and anti-Google rhetoric in this thread makes me sad. Passkeys are almost entirely a good thing and are supported by many big and small companies.

No, it won’t lock you into Google, it’s an open web standard. Google will have an Authenticator, Apple will, and third parties will spring up to support it as well. And there’s no lock in, you can get a new passkey when you want to switch devices or providers.

No, someone who gets access to your device can’t get access to everything if you have basic security hygeine. Secure your passkeys with a secondary password or use biometric authentication.

Yes, it’s almost a straight upgrade to text passwords. They are immune to phishing attacks and other social engineering tricks, and you don’t need to remember long strings of numbers and letters anymore.

Do your research people, sheesh.

[–] [email protected] 42 points 1 year ago (17 children)

The problem with passkeys is that surrender of a physical key is not protected by the 4th amendment and subject to seizure. From a security perspective, I agree that passkeys are good. But I only use a physical key as a secondary factor. Never a primary.

The courts have ruled that you can't be forced to give up a password or passcode. (We'll have to see if the current court will keep this precedent.)

Until we get better privacy protections, I'm not trusting passkeys whole cloth.

[–] [email protected] 15 points 1 year ago (2 children)

There is no implementation right now that enables you to own and manage your own passkey backups without Google it icloud.

Additionally, the attestation feature is one step away from banks and other sites mandating specific implementations, preventing people from using software tokens or OSS managers.

Passkeys is great, and I am eager to recommend it to everyone, but without those items addressed, it's a trap door, and one bitflip away from very strong lock in.

[–] [email protected] 2 points 1 year ago

The same webauthn standard allows you to use a security key with PIN luck

load more comments (1 replies)
load more comments (15 replies)
load more comments (24 replies)