• mosiacmango@lemm.ee
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      5
      ·
      edit-2
      2 months ago

      Passkeys are becoming the industry standard. They are better in nearly every way, but would not have been possible before smartphones.

      They are unique for each site, not breachable without also having a users device, not phishable, and can’t be weak by design.

      • unconfirmedsourcesDOTgov@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        29
        arrow-down
        1
        ·
        2 months ago

        Agree that passkeys are the direction we seem to be headed, much to my chagrin.

        I agree with the technical advantages. Where passkeys make me uneasy is when considering their disadvantages, which I see primarily as:

        • Lack of user support for disaster recovery - let’s say you have a single smartphone with your passkeys and it falls off a bridge. You’d like to replace it but you can’t access any of your accounts because your passkey is tied to your phone. Now you’re basically locked out of the internet until you’re able to set up a new phone and sufficiently validate your identity with your identity provider and get a new passkey.
        • Consolidating access to one’s digital life to a small subset of identity providers. Most users will probably allow Apple/Google/etc to become the single gatekeeper to their digital identity. I know this isn’t a requirement of the technology, but I’ve interacted with users for long enough to see where this is headed. What’s the recourse for when someone uses social engineering to reset your passkey and an attacker is then able to fully assume your identity across a wide array of sites?
        • What does liability look like if your identity provider is coerced into sharing your passkey? In the past this would only provide access to a single account, but with passkeys it could open the door to a collection of your personal info.

        There’s no silver bullet for the authentication problem, and I don’t think the passkey is an exception. What the passkey does provide is relief from credential stuffing, and I’m certain that consumer-facing websites see that as a massive advantage so I expect that eventually passwords will be relegated to the tomes of history, though it will likely be quite a slow process.

      • Deceptichum@quokk.au
        link
        fedilink
        English
        arrow-up
        15
        arrow-down
        4
        ·
        edit-2
        2 months ago

        And if you lose your device, get fucked forever!

        Passkeys are passwords but worse.

        • mosiacmango@lemm.ee
          link
          fedilink
          English
          arrow-up
          6
          ·
          2 months ago

          Nope. The private key can be backed up, stored in an online password vault, copied automatically to other devices, whatever.

          There are good and simple answers to this issue.

        • sunbeam60@lemmy.one
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          2 months ago

          No.

          Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service. That effectively means that logging in to your ecosystem is your “one password”. Of course you can shield that login with a passkey that sits in another instantiation of your account (laptop, home PC).

          The nerds will use a platform-neutral password manager (last pass, 1Password) etc. That is likely to either be protected by a strong password AND a recovery key (to print on paper) OR a passkey stored in your platform ecosystem.

          Personally I’m in 1Password, using a very long passphrase and a recovery key (two print outs, kept in two different locations).

          If you ONLY use one device to enter your ecosystem you do have some risk if it is passkey secured. The end of the chain ought to be a highly secure password that you never reuse anywhere else (your “one” password). Best to go completely random and write it down on paper.

          But the risk of never being able to access your ecosystem are really quite low.

          • Saik0@lemmy.saik0.com
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            Most people will store in their ecosystem (Microsoft or Apple). Lose your device, recover via logging back into your service.

            You’ll own nothing and be happy!

            • sunbeam60@lemmy.one
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              Yeah it’s not for me but that’s a different point to “will they be locked out of their passkey storage”.

              • Saik0@lemmy.saik0.com
                link
                fedilink
                English
                arrow-up
                2
                ·
                2 months ago

                It’s directly related. If it’s in Apple’s system… or M$'s systems… They get to control your passkeys (not you). Including arbitrarily locking you out for whatever reason they want. Including “oops our datacenter died”. Hell… case and point. I bought new pixel phones (GrapheneOS), Google store didn’t charge my card at all, a card that’s been associated with my account for at least 10 years now, they marked it as “Suspicious” and locked my entire google account. Talking to support… None of them can even see that my account is locked.

                This is what “normal” people will get shoved into. This is not a win for any consumer. It’s a win for corporations. They get to see each request you make and use that metadata for themselves.

      • douglasg14b@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        1
        ·
        edit-2
        2 months ago

        That’s literally just a long password that you can never recover your data from when you inevitably lose or forget it (remember we’re talking about the majority of users here who do not use password managers).

        • jdeath@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          edit-2
          2 months ago

          there’s literally zero technical reason that a user couldn’t reset a private key the same as a password. after all, you just pointed out they are almost the same.

          edit: if you’d like to see an example create SSH keys for your GitHub account and then reset them

          • douglasg14b@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            2 months ago

            That’s… Literally just a long password.

            I assumed you were talking about a private key as in cryptographic private key, where your data is encrypted on the remote server and your private key is required for it to be decrypted and for you to use it.

            If you just talking about something to get into an SSH key then all that is is a longer password.

            • jdeath@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              not at all. are you expected to remember it? would it even be possible to memorize for most? not even close to the same thing, passwords have very low entropy which causes all their problems

              • douglasg14b@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                1 month ago

                A password is literally just:

                secret data, typically a string of characters, usually used to confirm a user’s identity

                A secret key or passcode meets that definition 🤦 You’re most definitely on poor standing here.

                A very long password that no one can remember (ie. A key) is still a password. Also are you unaware of the existence of password managers and random password generation…?