Big Tech passkey implementations are a trap | Proton

  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
umbrella , (edited )

told ya so, i got downvoted for being skeptical of this shit.

if google or similar is pushing it, it should NOT be trusted! let's NOT, please!

EncryptKeeper ,

You still deserve those downvotes. There’s nothing to not trust about passkeys.

umbrella , (edited )

there's google, give me an alternative not exclusively controlled by oligarchs and i will consider it.

aniki ,

You're getting downvoted by the same MS defender chuds.

Fuck the billionaires.

EncryptKeeper , (edited )

Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?

Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.

umbrella ,

i will, when i see these claims of openness established and working in practice.

EncryptKeeper ,

Well you’re in luck, they’re currently established and working in practice.

aniki ,

The billionaire owner class are de facto untrustworthy.

EncryptKeeper ,

No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.

Dark_Arc ,

That is not the takeaway here.

The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

This isn't some "owned by the billionaire class". It's an open standard; that's why Bitwarden and Proton both have implementations. Big tech of course provided implementations that are not as portable as possible, that's all that's going on here.

There's really not some big conspiracy to kill kittens or whatever. Passkeys are far more secure (and for most people far more usable) than passwords.

umbrella ,

The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

then get them implemented by someone else usably. that open authentication login garbage they pushed years ago was also supposed to be an open standard, but you can only use it if you lock yourself in to facebook/google to this day. i still have to use a different password for each damn website still.

i'd like to see its openness at work in the real world, in practice, first.

Dark_Arc ,

Proton, Bitwarden, 1Password, Yubico (via the Yubikey), and others (including big tech) already have their own independent implementations(?)

Even KeePass has at least a partial implementation https://github.com/keepassxreboot/keepassxc/pull/8825

umbrella ,

i'm sure they do, but can i log in to most websites using them?

99/100 i get the option to use facebook, google or just bite the bullet and make an account. i'm talking about this by the way:
https://lemmy.ml/pictrs/image/ce948991-25cc-47b4-a247-35552b0b6338.png

Dark_Arc ,

It will get there... https://passkeys.directory/ https://passkeys.2fa.directory/us/

It's still relatively new technology.

EncryptKeeper ,

Yes. Any website that has implemented passkey authentication can be logged into by any Passkey provider. There are no websites that “Only accept Apple passkeys”.

Dark_Arc ,

I think you better understood their question; thanks for jumping in.

elrik ,

I am not using passkeys until it's possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?

Swarfega ,

We’ve also given passkeys and passwords equal priority so that you can use them interchangeably in our apps. This means you can store, share, and export passkeys just like you can with passwords.

https://proton.me/blog/proton-pass-passkeys

elrik ,

That's excellent. Thanks for pointing that out!

Swarfega ,

The next question is does anyone actually let you import passkeys? I don't think there is ☹️

I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

gian ,

Proton Pass allows you to export your passwords in various formats (both plain and encrypted). That you are able to import somewhere else is not something Proton Pass can guarantee but you have your data.

alsu2launda ,

Not surprised,

Google too nowadays.

There's a reason why they removed their company motto "Don't be Evil"

Ashyr ,

Google has obviously been crap for a long time, but that was just a dumb motto to begin with. It’s not aspirational, it’s not useful for anything and it barely requires anything of anyone.

They changed it to: Do the right thing.

It’s not much better, they’re still an awful company, as most companies are, but this is just the worst reason to rag on them.

mb_ ,

The right thing to whom? Shareholders? (=

dabu ,

"Don't be evil" to whom? Shareholders? ;)

DJDarren ,

"Do the right thing (for the shareholders)"

lurch ,

don't be google

friend_of_satan ,

I thought they just removed the first word.

SkaveRat ,

I'm well versed in IT security, and even with (or because of) my knowledge, I still haven't looked deep into setting up passkeys on my services. Just because it's such a clusterfuck of weird implementations.

I can't imagine being a normal consumer and wanting to set them up. The poor support teams having to support this...

And I'm managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much

deranger ,

I can't imagine being a normal consumer and wanting to set them up.

It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.

randomaccount43543 ,

Then you are totally locked in with Apple devices and cannot switch to Android and take your passkeys with you

deranger ,

I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to set up.

MigratingtoLemmy ,

What does secrets management look like at work?

werefreeatlast ,

Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there's even the slightest hint of BS incompatibility, it's simply a no go.

Petter1 ,

Joke's on them: If they had allowed passkeys on iOS 16 or had let the iPhone X update to iOS 17, I most likely would have fallen for it; now I have only some 2FA keys that I need to pull from keychain (have no macOS)
