#Passkeys truly are the new lock-in for password managers. I'm trying to be a good citizen and use passkeys wherever I can, but now I can't properly try other password managers without needing to create dozens of new keys. I'm trying Proton Pass now, and it's a major pain.
Extrapolate this out to a world where passkeys are the norm and effectively all of my accounts authenticate this way, and moving your data becomes impossible. :dumpster:
I know the FIDO Alliance and passkey enthusiasts will say that the passkey standard isn't built to lock users in, and migrating them should be possible.
That's well and good, but we're several years into this and zero of the major players support this. Whether you use Apple, Google, 1Password, or anything else, your passkeys are locked to those accounts today. Maybe you can move in a few years, but you can't now. Yay.
Something something, don't get a product today based on hopes and dreams of future software updates…
As an aside, Apple is the only place I've been that makes it impossible to use anything besides their password manager for setting up a passkey. It's maddening.
Are you tired of remembering countless #Passwörter? The latest technology, #Passkeys, promises a simple solution.
But how close are we really to that future? In my latest blog post I take a critical look at the current challenges of passkeys.
Learn more about the future of digital authentication. 🚀💻
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an airgapped device. That's good. Hell I even keep my 2FA-OTP salts on a YubiKey.
Structural security trumps computational security ... or ...
Diffuse structural security trumps amalgamated computational security ...
All your big, strong passkeys in one basket is less secure than your passwords in many individual baskets ...
Trying to explain this to tech bros can resemble pushing a wagon uphill ...
Because they want to sell something, logic is not paramount.
"A password in my brain is generally safer than an app or SMS stream that can be compromised. Although a passphrase may in some cases not be computationally more secure than a token mechanism or two-factor system, the simple passphrase is often structurally more secure because that passphrase only links to and exposes one service target."
"I like to compare it to having one basket of eggs in one spot, and many baskets of eggs in many places. If your one basket of eggs has the master key to all the other stronger keys, is it easier to get the one basket, or the many baskets with weaker keys? So in this scenario cipher strength is not the most important factor for security. With a single basket one fox or pick-pocket or one search warrant can own all of your eggs for all your services."
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly doesn't feel any different than a password manager (but somehow worse)
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux #passkey
@scottjenson The main problem for me is that browser vendors have intentionally made passkeys difficult to use without hardware keys. There are clunky ways to emulate Bluetooth hardware keys purely in software but that just adds to the confusion.
I would've preferred tight integration with something we know, like GPG/PGP, though that stack has its own set of issues (mainly that there are not good secondary implementations, but they might be resolved.)
I recently implemented Passkey support in one of my apps, and ran into some limitations of the spec. I had no idea it was this bad.
I had assumed I’d be able to get my passkeys out of my Apple devices, but hadn’t put any real thought into that.
“Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users then by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.”
@firstyear , the author of webauthn-rs, on #passkeys (I don't agree with everything in the article):
»starting to agree - a password manager gives a better experience than passkeys.[…]
Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your #passwords and manage them. If you really want passkeys, put them in a password #manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.«
What account should I use as my first experimental login to convert to using passkeys?
PayPal?
I know you don't know what systems I use, so this is a bit of a meaningless question. But do you know of any popular systems that a lot of people use that now support passkeys?
Preferably ones that can be stored and used by 1Password 8. Maybe I should do 1Password first if they support passkeys.
This new and easy way to secure your accounts removes the need for passwords by authenticating you with your device. Passkeys also provide a higher protection against #phishing attacks.
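For the question earlier in the thread about what actually happens under the hood, and for the claim just above that passkeys resist phishing, the following is an added, simplified model of the WebAuthn login ceremony. It is example code written for this page, not code from any of the posters, from the FIDO Alliance, or from webauthn-rs. It assumes P-256 ECDSA (one of the algorithms real passkeys use) and reduces authenticatorData to just the RP ID hash; the domain names, origin strings and challenge value are constructed for the demo. The point it shows is that the website only ever stores a public key, the private key never leaves the authenticator, and the authenticator refuses to sign for any RP ID other than the one the key was created for, so a look-alike domain cannot obtain a usable signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what a relying party (the website) stores after registration:
// only the public key and the RP ID the key is scoped to. The private key never
// leaves the authenticator (platform store, security key, or password manager).
type Credential struct {
	RPID   string
	Public *ecdsa.PublicKey
}

// Authenticator holds the private half. In a real passkey this lives in the
// device's secure store; here it is an in-memory value for illustration only.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// clientData mirrors the WebAuthn clientDataJSON the browser builds: it binds
// the server's challenge to the origin the user is actually visiting.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedDigest reproduces the simplified signing input: SHA-256 over
// authenticatorData || SHA-256(clientDataJSON). Real authenticatorData also
// carries flags and a signature counter; only the RP ID hash is modelled here.
func signedDigest(rpID string, clientDataJSON []byte) []byte {
	rpIDHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return msg[:]
}

// Register creates a key pair scoped to one RP ID and hands the public half to the site.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, Credential{RPID: rpID, Public: &priv.PublicKey}, nil
}

// Sign is the authenticator's half of the login ceremony. It refuses to sign for
// any RP ID other than the one the key belongs to, which is what makes the
// credential phishing-resistant: a look-alike site has a different RP ID.
func (a *Authenticator) Sign(rpID, origin, challenge string) (clientDataJSON, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, errors.New("authenticator: RP ID does not match this credential")
	}
	clientDataJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, clientDataJSON))
	return clientDataJSON, sig, err
}

// Verify is the relying party's half: check that the signed client data carries
// the challenge it issued and the origin it expects, then check the signature
// against the stored public key. No secret is ever sent to the server.
func Verify(cred Credential, expectedOrigin, issuedChallenge string, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return errors.New("relying party: challenge mismatch (replay or stale ceremony)")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("relying party: origin mismatch")
	}
	if !ecdsa.VerifyASN1(cred.Public, signedDigest(cred.RPID, clientDataJSON), sig) {
		return errors.New("relying party: bad signature")
	}
	return nil
}

// LoginDemo runs one honest ceremony and one cross-site attempt and reports
// whether the first was accepted and the second refused.
func LoginDemo() (honestOK bool, crossSiteRefused bool, err error) {
	auth, cred, err := Register("example.com")
	if err != nil {
		return false, false, err
	}
	// A real server draws 16+ random bytes per login; a constructed value keeps the demo readable.
	challenge := "constructed-challenge-123"
	cdj, sig, err := auth.Sign("example.com", "https://example.com", challenge)
	if err != nil {
		return false, false, err
	}
	honestOK = Verify(cred, "https://example.com", challenge, cdj, sig) == nil
	// A look-alike domain (constructed) asks the same authenticator to sign: there is
	// no key scoped to that RP ID, so nothing is signed.
	_, _, crossErr := auth.Sign("examp1e.com", "https://examp1e.com", challenge)
	crossSiteRefused = crossErr != nil
	return honestOK, crossSiteRefused, nil
}

func main() {
	ok, refused, err := LoginDemo()
	fmt.Println("honest login accepted:", ok, "| look-alike site refused:", refused, "| error:", err)
}
```

Two things the model deliberately leaves out are worth keeping in mind when reading the thread: the same public-key scoping that stops a look-alike site is also why a synced passkey store holds one private key per site rather than one master secret, and where that store lives (platform account, security key, or a password manager you control) is exactly the portability and backup question the posts above are arguing about.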