Passkeys are one exception to the familiar pattern of "we give you more SeCuRiTY so we can spy on you more and control your behaviour better". They actually are more secure. The problem is that there are still a lot of technical issues with them, and a ton of stuff isn't working correctly yet.
Uhhh... Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
There's been a lot of pain in the attempt to portray it as "Just click the passkey button, and that's it! Your login is secured for life!"
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system? I have a password manager that stores these things, why didn't you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it's in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
For some people it is that easy.
When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don't). If your preferred password manager isn't the primary one on all your devices, then fix that or use the other option mentioned before.
How would a non-techie figure this shit out?
The same way they figure out passwords & multifactor. Their pain isn't ours for those who've figured this out & have a smooth experience.
I just wish Google would stop overriding my passkey on Android for specific apps including their own.
You can change the provider to bitwarden.
I do have it overridden but Google Play Services isn't respecting my passkey default.
What's wrong with passkeys? I'm in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I think you're describing SMS passcode, totp or other such factors.
A passcode doesn't necessarily require a phone, but you can use one too.
A lot of the stuff that has implemented passkeys so far is on mobile. And I mean the apps serving them out, not the things you authenticate to.
Bitwarden has a desktop extension and it also handles 2FA. There's no reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.
Doesn't the 2FA protect users still, if they only got the password?
In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.
For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don't allow infinite attempts, so an attacker would have to be unimaginably lucky.
There are sadly lots of huge companies that DON'T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.
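The "implemented properly" TOTP check the comment above describes (short validity window, bounded attempts, no infinite guessing), as an added example that is not part of the thread. The secret and the lockout threshold are constructed values.

```python
# Added example (not from the thread): an RFC 6238 TOTP verifier with the
# two properties the comment calls "implemented properly": a short validity
# window and a hard cap on failed attempts per account.
import hmac, hashlib, struct

DIGITS = 6
STEP = 30            # RFC 6238 time step, in seconds
MAX_FAILURES = 5     # constructed policy value: lock the account after 5 bad codes

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, now: int) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

class TotpVerifier:
    """Accepts the current code plus one step of clock skew either side,
    refuses further attempts after MAX_FAILURES consecutive failures,
    and compares codes in constant time so timing leaks nothing."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= MAX_FAILURES:
            return False                      # locked out: no more guesses allowed
        step = now // STEP
        for counter in (step - 1, step, step + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.failures = 0             # success resets the failure counter
                return True
        self.failures += 1
        return False

def guess_success_probability(attempts: int, window_steps: int = 3) -> float:
    """Upper bound on an attacker's chance of hitting one of the accepted codes
    within the allowed attempts, assuming independent uniform guesses."""
    return 1 - (1 - window_steps / 10 ** DIGITS) ** attempts
```

With a 6-digit code, a three-step window and five attempts before lockout, the attacker's success chance stays below 0.002%, which is the "unimaginably lucky" the comment refers to.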
Has this energy...
I have no idea what a passkey is and I will probably only learn what it is when they become mandatory
I will just use passwords + 2FA for the moment
Here is a demo you can try if you're so inclined
I see, thanks. It mentions biometrics on that page. Maybe if my next laptop has a fingerprint reader then I should look into passkeys more.
I don't use the biometric authentication on my laptop and am able to complete the demo on it. Chrome asks me for a PIN that I save and provide when it asks on my laptop. I don't think biometrics are a requirement for passkeys.
Ah okay. Maybe I will just stick with a password + 2FA for now though. I'm sure I will eventually learn more about passkeys when I make the effort to read more about them.
Passkey is essentially a branding of webauthn. Instead of typing some code that changes, you just do something with some sort of device or key manager.
Plug in a yubikey and touch the button to authenticate. Easier.
Interesting thanks. I will probably just stick with passwords + 2FA for the moment because I'm lazy. It would be cool to have something like a hardware key though.
The amount of people in this thread that don't understand passkeys surprises me. This is Lemmy. Aren't we the technical Linux nerds of the Internet?
brb opening a feature request for passkeys in Lemmy
edit: nevermind
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn't trustworthy to the human brain.
Passkey is multifactor: something the user has (key), something the user is (biometric) or knows (password) to unlock the key. Yes, dead simple.