262

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[-] dustyData@lemmy.world 37 points 9 months ago

We shouldn't be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is overlapping features is what brings convenience and deterrence.

[-] Spotlight7573@lemmy.world 23 points 9 months ago

It's probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just 'password and something else'. Something like A,B,C are on the account and you can use A+B or B+C to login. It'd be great for those who don't necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.

That said, the way passkeys are typically used satisfy multiple factors at once:

Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database

Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone

[-] scorpionix@feddit.de 15 points 9 months ago

Forget about biometrics, they are way too insecure.

Our cameras have reached a stage where we can replicate fingerprints from photos. 'What you are' is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.

[-] frezik@midwest.social 10 points 9 months ago

Biometrics can be fine when they are layered on top of other authentication methods.

[-] IphtashuFitz@lemmy.world 5 points 9 months ago

Exactly. See my reply in another thread where I describe a “person trap” that I used to go through to get into a secure facility. Its biometric check analyzed the geometry of your entire hand. It wasn’t just a fingerprint scanner.

[-] scorpionix@feddit.de 1 points 9 months ago

I strongly disagree. That's like using MD5 and saying 'It's OK, we use SHA256 down the line'. Information encrypted with it might as well be in plain text.

[-] frezik@midwest.social 5 points 9 months ago

That's not how that works. If you were using MD5 and then immediately SHA256 the output and not using it for anything else, that would be fine. You're not accomplishing much in this specific case, but it'd be fine.

When you layer security, the attacker has to pull back each layer. You don't rely on any singular layer. If the attacker needs biometrics AND a code AND a physical key, that's very good security.

[-] Spotlight7573@lemmy.world 3 points 9 months ago

For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that's okay. Nothing stops you from using a password/passcode to secure your passkey instead.

[-] shortwavesurfer@monero.town 13 points 9 months ago

SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?

[-] SomethingBurger@jlai.lu 9 points 9 months ago

In the EU they have to use something stronger if available. SMS is only used if requested by the user.

[-] shortwavesurfer@monero.town 5 points 9 months ago

I wish it were that way here in the United States. But sadly, nope.

[-] Spotlight7573@lemmy.world 4 points 9 months ago

Banks are certainly behind the times and 'bank-grade security' is a joke in terms of what authentication methods they offer. I understand that they are slow to change anything though.

[-] shortwavesurfer@monero.town 1 points 9 months ago

My crypto wallet is more secure than my bank because I hold the keys myself and I am not nearly as large a target as a bank. Is it better to go after one person's money or one million people's money?

[-] EngineerGaming@feddit.nl 2 points 9 months ago

I see SMS as a simple deanon rather than a 2FA.

[-] IphtashuFitz@lemmy.world 20 points 9 months ago

Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.

Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.

Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.

The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…

[-] asbestos@lemmy.world 2 points 9 months ago

Honestly that’s cool as heck

[-] jqubed@lemmy.world 1 points 9 months ago
[-] IphtashuFitz@lemmy.world 1 points 9 months ago

I never screwed up entering my PIN or failed my hand scan, so the trap door never opened up while I was in it…

this post was submitted on 14 Feb 2024
262 points (88.8% liked)

Technology

59670 readers
1629 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS