
Brokkr ,

While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.

Passkeys are a technology that was surpassed 10 years before their introduction, and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.

LuigiMaoFrance ,

Cops also love them because they make getting access to your entire phone including all accounts simple as cake if you use fingerprint/faceID to unlock your device.

l_b_i ,

I think they are being pushed because they are cool technology on paper. Whenever I read an article about them, I can't help but think about the human factors. How are passkeys created? Often by a password or email. Okay... that looks a lot like a password. Oh, you lost the passkey? Here, let's send you one again. It stinks of a second factor without a first. Sure, the passkey itself is hard to compromise, but how about its creation? If your email is compromised, I see no difference between passwords and passkeys.

smiletolerantly ,

You can store Passkeys in open source password managers.

I don't know most of my passwords, so the step to passkeys doesn't feel like a big one. I also really like the flow of pressing Login; Bitwarden pops up a prompt without me initiating it; I press confirm. Done, logged in, and arguably more secure due to the surrounding phishing and shared secrets benefits.

Brokkr , (edited)

Sure, they probably work great when you have your *passkey manager on the device, but that's not when I need to have backup routes into my accounts. When using a new device, or someone else's, having even a complicated password that can be typed or copy-pasted has way more functionality.

As far as I can tell, using passkeys would only risk locking me out of my accounts. Everyone else is already effectively locked out.

smiletolerantly ,

I can access my password manager via the browser from any device.

queermunist ,

Can't you access your password manager from a web browser? Or your phone?

Brokkr ,

Oops, meant passkey manager, fixed it.

lmmarsano ,

Isn't that the same thing?
All my credentials & passkeys are in the cross-platform password manager available from all my devices & any web browser.
Passkeys even have a cross-device flow, so we can just scan a QR code & use a phone to sign into anything.

Manually keying in a password just feels so boomer.

Brokkr ,

Not at all the same. I can type or dictate my passwords on any device with a keyboard. I am not reliant on an individual device continuing to work. In fact I could get all new devices tomorrow, with no access to any previous device, and log into all my accounts within minutes.

Passkeys do not allow, and specifically prevent, that.

lmmarsano ,

I am not reliant on an individual device continuing to work. In fact I could get all new devices tomorrow, with no access to any previous device, and log into all my accounts within minutes.

Exactly the same with a password manager which stores passkeys.
Are you reading before responding?

umbrella ,

It's being pushed because corporations want to control your passwords with lock-in.

No way I'm using that garbage over my own manager with recallable plaintext passwords.

cenzorrll ,

I've found a pretty good use for a passkey. Docusign. About every 3 months I need to docusign something at work. The process involves logging in, changing your password, logging in again, opening the document, logging in to sign, logging in to finish. The only steps you get to skip if there's more than one document is the initial log on, and changing password. So with a passkey I just touch it a bunch of times and there's no password change.

Brokkr ,

Sounds like a password manager would make that way easier. Changing your password would involve a few extra clicks. Also, you might want to check with your IT folks. Asking people to constantly change their password is a good way to weaken password strength. I don't use docusign, but there is probably a setting that they can change.

cenzorrll ,

Oh, I agree, but I have to argue enough with professionals who know better as it is. I have to do it every day with recent PhDs as a BA who's been doing the job for 15 years. At this point it's not my problem if something happens. I have other things that affect me every day to fight about. I'll just continue cycling through my no-repeats-after-10-changes, 12-character passwords and using my YubiKey for DocuSign for my own sanity.

pr06lefs ,

sounds like a better solution is don't use docusign

cenzorrll ,

K, I'll go tell the CEO that they need to come up with something different.

bookmeat ,

There's like a million other free/libre digital document signing platforms out there. Try one that doesn't suck.

cenzorrll ,

Unfortunately, per the comment you replied to, that isn't under my control.

sentientRant OP ,

Even if you are really careful, your details can always be leaked from a company server during a breach. If the companies adopt passkeys, that issue isn't there. Because there isn't a password anyone can randomly use. That's why I feel big tech companies are moving towards it.

Brokkr ,

Yes, you have to trust the company storing the passwords.

A good company can store passwords in ways that are secure to most hacking attempts. It isn't impossible to break the encryption typically used, but it is difficult enough that most thieves will not have the resources or time to make use of the data. They want the low effort password databases, not the difficult and expensive ones.

Fmstrat ,

Not to mention Apple decided to make passkeys Airdropable. Fun.

I worked on a cool project called FedID: https://fedid.me/ that creates a distributed identifier (DID) out in the world, federated with ActivityPub, and gives you a key you can sign in with via OpenID Connect. It allows the DID to have multiple keys for multiple devices, and delegate authority, so losing a device/failure is no big deal.

That being said, Web passkeys can be stored in password managers, just like passwords.