#Passkeys truly are the new lock-in for password managers. I'm trying to be a good citizen and use passkeys wherever I can, but now I can't properly try other password managers without needing to create dozens of new keys. I'm trying Proton Pass now, and it's a major pain.
Extrapolate this out to a world where passkeys are the norm and effectively all of my accounts authenticate this way, and moving your data becomes impossible. :dumpster:
Are you tired of remembering countless #passwords? The latest technology, #Passkeys, promises a simple solution.
But how close are we really to this future? In my latest blog post I take a critical look at the current challenges of passkeys.
Learn more about the future of digital authentication. 🚀💻
Google's passkeys, introduced in 2022, have become a popular and secure alternative to traditional passwords, being used over 1 billion times across 400 million-plus Google accounts. These passkeys, which rely on fingerprints, face scans, or PINs for authentication, are faster and more resistant to phishing than passwords. Google plans to integrate passkeys into its Advanced Protection Program, enhancing security for high-risk users. Additionally, third-party password managers like Dashlane and 1Password can now support passkeys, further expanding their use. The technology is supported by major companies like eBay, Uber, PayPal, and Amazon, indicating a shift towards passkey-based authentication as a more secure and efficient method.
PassKeys seem like a bad idea. Google backs them up to the cloud, so if your Google account is compromised then all your private keys are compromised. I don't see how that's an improvement over password+2FA at all.
Now security keys I get; keep the private key on an air-gapped device. That's good. Hell, I even keep my 2FA-OTP salts on a YubiKey.
Am I the only one confused by #passkeys? They feel clunky, it's not at all clear what is going on, and honestly it doesn't feel any different from a password manager (but somehow worse).
I really don't even understand what is going on under the hood. Are there any good explainers out there? #ux #passkey
I recently implemented Passkey support in one of my apps, and ran into some limitations of the spec. I had no idea it was this bad.
I had assumed I’d be able to get my passkeys out of my Apple devices, but hadn’t put any real thought into that.
“Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can't be extracted or exported in any capacity.”
@firstyear, the author of webauthn-rs, on #passkeys (I don't agree with everything in the article):
»starting to agree - a password manager gives a better experience than passkeys.[…]
Get something like bitwarden or if you like self hosting get vaultwarden. Let it generate your #passwords and manage them. If you really want passkeys, put them in a password #manager you control. But don't use a platform controlled passkey store, and be very careful with security keys.«
"#Apple Keychain has personally wiped out all my #Passkeys on three separate occasions. There are external reports we have received of other users whose #Keychain Passkeys have been wiped just like mine."
"At this point I think that Passkeys will fail in the hands of the general consumer population."
My conclusion would be different, though. Instead of going back to classic #passwords, I recommend using #FIDO2 hardware tokens wherever you can as a second factor.
What account should I use as my first experimental login to convert to using passkeys?
PayPal?
I know you don't know what systems I use, so this is a bit of a meaningless question. But do you know of any popular systems that a lot of people use that now support passkeys?
Preferably ones that can be stored and used by 1Password 8. Maybe I should do 1Password first if they support passkeys.
#Passkeys are now finally supported by #ProtonPass from @protonprivacy on all compatible devices and all account types (free as well as paid). All that's still missing is the ability to organize entries into folders or tags (labels).
#ProtonPass, the #password manager from @protonprivacy, now supports #PassKeys. Few sites use this technology yet, but their number keeps growing. A new layer of #security for your logins, more effective and safer than #2FA.
#Passkeys: reinventing TLS client certificate authentication that is proxyable and all private keys stored in the cloud and then of course the connection is only on one side TLS authenticated and therefore MITM-able from the other (aka proxyable, yes yes CAs and stuff but ya' know). Does this sound about right?