this post was submitted on 11 Oct 2023
-26 points (19.0% liked)

Technology

59421 readers
2850 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 11 comments
sorted by: hot top controversial new old
[–] [email protected] 35 points 1 year ago* (last edited 1 year ago)

It’s passkeys. Saved you a click.

And yes, this is a pretty good idea.

I’ve given up on remembering unique passwords years ago. My passwords are basically opaque tokens that I store in an application I trust. Passkeys are basically this concept taken to a logical conclusion.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (2 children)

If anyone here does start using passkeys, just please please please make sure you have backups. And test that you can restore from those backups!

I've read horror stories about losing or breaking a phone and being locked out of everything because the standard phone backups don't save the passkeys private keys.

Personally I'm waiting until Bitwarden supports passkeys and I've made damn sure I can restore them from backup.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

That’s not how passkeys work. You still have the usual Google account recovery flow.

Just make sure you have some 2FA backup codes stuffed into a sock drawer somewhere, that your email address and telephone numbers are up to date and you should be ok.

[–] [email protected] 4 points 1 year ago

I’ve read horror stories about losing or breaking a phone and being locked out of everything because the standard phone backups don’t save the passkeys private keys.

This is no different than what we already have. Many people don't backup their TOTP to any cloud provider, or even themselves, and if their phone breaks, they lose all of their TOTP. And most people don't save recovery keys (if the service even provides them).

So ya. Stop fear mongering.

[–] [email protected] 6 points 1 year ago

Download for uninformative clickbait headline.

[–] [email protected] 4 points 1 year ago (1 children)

Ok, but can I generate a new passkey with the same fingerprint? I’m pretty sure that eventually someone will find an exploit that allows them to steal your keys, so you need to make the old keys invalid by generating new ones.

[–] [email protected] 3 points 1 year ago (1 children)

You make a separate passkey per Authenticator device or application.

Passkeys are not necessarily tied to biometrics unless the Authenticator application/device is configured to do that.

[–] [email protected] 1 points 1 year ago

Ok, that’s great. Seems like a fairly secure option, so I don’t see any major problems with it.

[–] [email protected] -3 points 1 year ago (2 children)

The endgame sounds scary, classic enshittification scheme but deployed to authentication and security: make it flashy and smooth at start, get adoption (this time it's different b/c it's not the masses that need convincing, but website operators), hold the entire internet hostage by threatening to pull the plug on the mode of access to everything. Also more obvious and coming sooner: exploit your handle on the tech to disable Passkeys to someone who "violates ToS" of Google services by, idk, running adblock or logging in with Firefox.

[–] [email protected] 7 points 1 year ago

They can do all that by suspending your account. Passkeys don’t make this better or worse.

[–] [email protected] 3 points 1 year ago

Passkeys are not a google thing at all. And they have been around for ages. Bitwarden will likely support them next month. Passkeys will not lead to anyone holding the internet hostage. While W3C has had its issues with drm in the past, they, along with FIDO are heavily promoting this. Apple rolled it out last? year. Microsoft supports it. Yubico has been a thing for years, and has supported FIDO2 for like 5 years.

Passkeys are not enshitification. They are a better and more secure way to log in than passwords are. The Fido alliance offers open source software to implement it. FIDO2 is an open standard similar to HTML or SQL. There is no reason for fear. Nobody will take our access away.