10
Take your passkey and shove it where the sun don't shine (lemmy.world)
submitted 4 months ago by cm0002@lemmy.world to c/memes@lemmy.world
62 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] Katana314@lemmy.world 2 points 4 months ago

There's been a lot of pain in the attempt to portray it as "Just click the passkey button, and that's it! Your login is secured for life!"

No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system? I have a password manager that stores these things, why didn't you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it's in Bitwarden?

And, the next ultra-big step: How would a non-techie figure this shit out?

[-] ICastFist@programming.dev 1 points 4 months ago

And, the next ultra-big step: How would a non-techie figure this shit out?

They wouldn't, because the people calling the shots in the tech world create UX with a focus on it sucking for everyone

[-] lmmarsano@lemmynsfw.com 1 points 4 months ago

For some people it is that easy.

When it is saved to a cross-platform password manager, it is secured on all devices that password manager runs on including your computer on other operating systems. You can also choose other in the OS prompt & redirect to a device with your passkey or use a hardware security key (I don't). If your preferred password manager isn't the primary one on all your devices, then fix that or use the other option mentioned before.

How would a non-techie figure this shit out?

The same way they figure out passwords & multifactor. Their pain isn't ours for those who've figured this out & have a smooth experience.

[-] Katana314@lemmy.world 1 points 4 months ago

I mentioned Bitwarden in my comment, and my frustration specifically comes from occasions that I had Account X ready in Bitwarden, started up an app that relied on Account X, but loaded an HTML login page that had no discernable controls to use that Bitwarden passkey; expecting entirely for it to exist in my Apple keychain, which I never use.

I think it's very easy to claim this specific app / account was not implementing passkeys well. But if that's the case, how can I guarantee any other accounts I move over won't fuck it up somewhere? I haven't seen anyone get the concept of passwords wrong, and even if they don't understand how managers work, I have control of the copy-paste function and can even type a password myself if needed.

[-] IrateAnteater@sh.itjust.works 1 points 4 months ago

Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it's collective head out of its collective ass (not going to hold my breath on that one), it'll be passwords+2FA for me.

[-] casmael@lemm.ee 1 points 4 months ago

I hate 2fa so much, I never thought they would come up with anything more irritating. Little did I know.

[-] Kusimulkku@lemm.ee 1 points 4 months ago

It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like "no custom ROMs or bootloader unlocking" on Android at the same time.

[-] mke@programming.dev 0 points 4 months ago

Are custom ROMs or bootloader unlocking an issue for the passkey ecosystem? Not something I'd seen commented on yet.

[-] HappyTimeHarry@lemm.ee 1 points 4 months ago

You cant use it with grapheneOS, ive tried. I mainly use bitwarden for passkeys but some (most?) services only work with googles version

load more comments (2 replies)
[-] bennypr0fane@discuss.tchncs.de 1 points 4 months ago

Passkeys are one exception to the familiar pattern of "we give you more SeCuRiTY so we can spy on you more and control your behaviour better". They actually are more secure. Problem is, a lot of technical issues with it still, a ton of stuff not working correctly yet

[-] SleafordMod@feddit.uk 1 points 4 months ago

I have no idea what a passkey is and I will probably only learn what it is when they become mandatory

I will just use passwords + 2FA for the moment

load more comments (6 replies)
[-] Kirk@startrek.website 1 points 4 months ago

Uhhh... Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.

[-] recall519@lemm.ee 1 points 4 months ago

I just wish Google would stop overriding my passkey on Android for specific apps including their own.

[-] throwback3090@lemmy.nz 0 points 4 months ago

You can change the provider to bitwarden.

[-] recall519@lemm.ee 2 points 4 months ago

I do have it overridden but Google Play Services isn't respecting my passkey default.

[-] JayGray91@fedia.io 1 points 4 months ago

how to do that?

[-] hemko@lemmy.dbzer0.com 0 points 4 months ago

What's wrong with passkeys? I'm in love with passwordless sign-in with yubikey, so much easier and faster than password + totp

[-] deegeese@sopuli.xyz 1 points 4 months ago

It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.

Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?

[-] hemko@lemmy.dbzer0.com 0 points 4 months ago

I think you're describing SMS passcode, totp or other such factors.

Passcode doesn't require phone necessarily, but you can use it too

[-] Kusimulkku@lemm.ee 0 points 4 months ago* (last edited 4 months ago)

A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.

[-] 4am@lemm.ee 0 points 4 months ago

BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.

[-] Kusimulkku@lemm.ee 0 points 4 months ago

Doesn't the 2FA protect users still, if they only got the password?

[-] perfectly_boiled_pizza@lemmy.world 1 points 4 months ago* (last edited 4 months ago)

In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.

For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don't allow infinite attempts, so an attacker would have to be unimaginably lucky.

There are sadly lots of huge companies that DON'T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.

[-] Jackthelad@lemmy.world 0 points 4 months ago

Yes, extra security for your personal information is so irritating.

[-] deegeese@sopuli.xyz 1 points 4 months ago

Security for who exactly?

If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.

load more comments (3 replies)
[-] yesman@lemmy.world 0 points 4 months ago

Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?

Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they've improved over the desktop experience.

[-] IrateAnteater@sh.itjust.works 1 points 4 months ago

I very specifically don't want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from "pain in the ass" to "not actually possible".

[-] thesohoriots@lemmy.world 1 points 4 months ago

I had a botched phone battery replacement once resulting in the phone getting replaced very unexpectedly. It was a nightmare trying to get everything back together because I stupidly used google authenticator, which is tied to the specific phone it’s on. Not tying it to the device is the way to go.

load more comments (2 replies)
[-] Wanderer@lemm.ee 1 points 4 months ago

Heard of so many people losing their phone. Then they try to log into something and the company (quite often google) says "I don't give a fuck if you know your passwords I'm never letting you log into your account get fucked, don't call I won't answer"

load more comments (2 replies)
load more comments (3 replies)
[-] whoisearth@lemmy.ca 0 points 4 months ago* (last edited 4 months ago)

I'll use banks as an example

If they cared about your security there would not be a mobile app or website.

Hell, credit cards would still require a signature.

It's about cost first and foremost and then convenience.

Has nothing about you as a consumer. They don't give 2 shits about you as a consumer.

[-] candybrie@lemmy.world 1 points 4 months ago

Do you think signatures were at all secure? If they cared about security they'd do chip+pin like most civilized countries.

[-] Quexotic@infosec.pub 0 points 4 months ago

Has this energy...

load more comments
view more: next ›
this post was submitted on 28 Feb 2025
10 points (100.0% liked)

memes

16308 readers
1133 users here now

Community rules

1. Be civilNo trolling, bigotry or other insulting / annoying behaviour

2. No politicsThis is non-politics community. For political memes please go to !politicalmemes@lemmy.world

3. No recent repostsCheck for reposts when posting a meme, you can only repost after 1 month

4. No botsNo bots without the express approval of the mods or the admins

5. No Spam/AdsNo advertisements or spam. This is an instance rule and the only way to live.

A collection of some classic Lemmy memes for your enjoyment

Sister communities

founded 2 years ago
MODERATORS
Tenthrow@lemmy.world
The_Picard_Maneuver@lemmy.world
The_Picard_Maneuver@startrek.website