PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor sytem, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux#passkey
Do you recommend using passkey if you are already using a yubikey or some other similar tool? I asked Google Gemini AI and here was what it said:
Yes, I generally recommend using Passkeys in addition to your YubiKey, even if you're already an active YubiKey user. Here's why:
1. Enhanced Security: Passkeys add a significant layer of security on top of your YubiKey. They are tied directly to your device and website/app and resist phishing attacks far better than passwords. This extra layer makes compromising your accounts significantly harder.
2. Improved Convenience: Passkeys can streamline logins. Instead of manually entering a password or even plugging in your YubiKey, Passkeys can often provide a near-seamless login with biometric recognition (face or fingerprint).
3. Future-proofing: Passkeys represent the direction passwordless authentication is heading. As adoption increases, you'll benefit from smoother login experiences on more and more platforms.
4. YubiKey as a Backup: Your YubiKey still plays a vital role as a secure backup if:
Your primary device with Passkeys is unavailable or malfunctioning.
A website or app doesn't yet support Passkeys.
Considerations:
Compatibility: Passkeys are still in their growth phase. Check that your devices and the websites/apps you use frequently support them.
Education: Take some time to understand how Passkeys work, their differences from passwords, and how to set them up and manage them.
Overall: Passkeys and hardware security keys like YubiKeys work best in tandem, offering a strong balance of security and convenience.
Let me know if you'd like more details on setting up Passkeys or would like resources for learning more!
So ganz stimmt es nicht: Passwörter die auf dem Server #Argon2 nutzen und in @keepassxc gespeichert sind, sind einiges sicherer als sonst aber #2FA sollte auch genutzt werden. Klar ist Passkey eine sichere Lösung doch noch nicht genutzt, da auf vielen pop. Dienste noch nicht umgesetzt.
«Neuer Standard #Passkey: Sind Passwörter bald passé? #Passworte sind unsicher und unpraktisch. Ein neues Verfahren bringt mehr #Sicherheit und ist einfacher in der Anwendung.»
Seeing a pal's Facebook account get hacked (ofc by some useless bitcoin scammer) reminded me that Meta is now falling well behind a lot of companies in #passkey support. Like, there is no way I would have predicted Home Depot would support passkeys first.
I'm pretty hyped for #passkey adoption, not gonna lie. I know passkeys have drawbacks (especially when synced to the cloud, and if not, issues when a device is lost/stolen). These passwords have gotta go.
How many of y'all been able to add a #passkey to your #PayPal account? For the third or fourth time in a row, I've gotten a "We can’t complete your request right now" error in Chrome for Android--the only way I can create one, since for some inscutable reason this service doesn't support creating one in desktop browsers or even my iPad's copy of Safari.
(This does remind me that I should try setting my Mac's Safari user-agent to iOS Safari the next time I'm in front of that computer.)
#PayPal#passkey update: I was able to get the site to cough up one by using macOS Safari's Develop menu to impersonate an iPhone browser--which I had to do to get around PayPal balking at providing one in Chrome for Android and not allowing users to create a passkey in desktop browsers because reasons.