Technology

While the lock-in issue is annoying and a good reason not to adopt these, the device failure issue is a tech killer. Especially when I can use a password manager. This means I can remember two passwords (email and password manager), make them secure, and then always recover all my accounts.

Passkeys are a technology that were surpassed 10 years before their introduction and I believe the only reason they are being pushed is because security people think they are cool and tech companies would be delighted to lock you into their system.

The biggest disadvantage:

Disadvantages of Passkeys

Ecosystem Lock-In – Passkey pairs are synced through each vendor’s respective clouds via end-to-end encryption to facilitate seamless access multiple devices.

More eggs in the American megacorp basket for more people, yay

Better title:

Passkeys: still trying to explain why it's worth the hassle when it isn't

The eco-system lock-in makes this a non-starter for me. If I could store the private keys in something like a keepass vault (or that) and do the authentication magic from that I would consider it.

No, thanks. I'll keep using password+2FA and I hope that passkeys never become "mandatory".

Why do you have the 4-digit PIN? Well, it’s just to unlock the part of your device where the private key is stored.

And there is the problem I have with passkeys. With a password it is me authenticating to the service I'm using. Pretty straight forward (if you ignore the operating system, web browser, network protocols, etc., but that's part of using the tech).

With passkeys you've got this third party storing your keys that increases your attack surface. It could be your web browser, your OS, or some cloud provider that you're now relying on to keep your data safe. I get that for people whose password is "password123" or who aren't savvy enough to avoid phishing maybe this helps. But with decent opsec this overly complicates authentication, IMO.

To my point, later in the article:

Securing your cloud account with strong 2FA and activating biometrics is crucial.

What's that now? The weak point is the user's ability to implement MFA and biometrics? The same users who couldn't be bothered to create different passwords for different sites? You see how we've just inserted another layer into the authentication process without solving for the major weakness?

With my tinfoil hat on I suspect this push toward passkeys is just another corporate data and/or money grab -- snake oil for companies to get their tentacles tighter around your digital existence.

Happy to be proven wrong.

The promise of passkeys when i first grad about them was that it would be quick and easy - that you wouldn’t need to enter a username or use 2fa. The reality appears to be that this is that it’s used ** as** 2fa

Just don’t take away passwords + TOTP 2FA for those of us who are actually using it correctly.

Somehow PieFed is able to make them work but simultaneously many large companies are shifting to "magic links" sent to your email. 😡

You missed some disadvantages. For example the UX and complexity are terrible.

Tried Passkey in the past. I had many problems, especially could not understand why they must use my google account. Now my google account is gone, don't gonna go that rabbit hole again, i am happy with my Bitwarden and Aegis.

I've been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.

Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I'm not sure if this is a problem with Piefed, Bitwarden, or Firefox, I'm now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.

I recognize the theoretical advantages, but passkeys don't do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won't autofill the wrong domain. I don't enter credentials in links from emails I didn't trigger myself immediately before. I haven't checked whether I can reliably backup and restore them in my Bitwarden vault.

They’re device-bound certificate based authentication with some shiny bits.

Or they’re portable-via-certain-services certificate based authentication with some shiny bits.

Either way they’re new and try explaining that the user needs a new one for every device (or needs a new app to carry them around in) and that if the device dies, or the app dies, they lose it all. I have quite a few people in my life who can’t wrap their heads around using a password manager.

Personally, I find them irritating. My chosen password manager on iPhone doesn’t support them, so I need to have the iOS password vault turned on (yes, this is a dark pattern Apple has created to try to increase adoption of their password vault) to use them. Adoption needs to be much higher, interoperability needs to be better, and they need to put back the hint for which vault to use (which was removed early on to keep Microsoft and google from forcing chrome/edge vaults, but has the actual effect that chrome/edge tend to win the race over other options and means that the passkey prompt might be for a different app than the one that you prefer, leading to further user confusion)

I don't want to boot up a fucking android VM to run some login app every time I need to log into an unimportant account that realistically I would have used "el-passwordo" for the password if it let me.

It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can't use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).

It should also be noted that if the cloud account is not phishing-resistant (which it can't be for reasons stated above), then the accounts protected by passkeys aren't phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.

At AAL2 you could also just use a password and OTP, which doesn't have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.

In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).

I'm still annoyed that "OPAQUE" never seemed to catch on. Uses a username/password combo as normal, but never actually sends the password to the server, only a proof of knowledge. Even if the server is hacked and the DB leaked the attackers can't actually recover anything resembling a password from it, since the server simply never possesses it.

Passkeys are superior (No password at all), if only the UX around them was better.

Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.

One factor is not great even if it's a passkey.

Okay, so long as a passkey is something I can memorise. Otherwise, it's significantly worse than a regular password (assuming you use good passwords and don't reuse passwords etc).

It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don't have access to that computer at all times, or it breaks, or is lost?

I'm planning on getting rid of my smartphone for something that just does calls and texts for example, because I'm sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?

My brain is the best place to store passkeys, it can't be hacked, stolen, lost, etc, unlike every other option. It's easily capable of storing lots of randomised unique passwords for each service (surely I'm not the only one that can do this?). It's the clear winner.