Technology

Okay, so long as a passkey is something I can memorise. Otherwise, it's significantly worse than a regular password (assuming you use good passwords and don't reuse passwords etc).

It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don't have access to that computer at all times, or it breaks, or is lost?

I'm planning on getting rid of my smartphone for something that just does calls and texts for example, because I'm sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?

My brain is the best place to store passkeys, it can't be hacked, stolen, lost, etc, unlike every other option. It's easily capable of storing lots of randomised unique passwords for each service (surely I'm not the only one that can do this?). It's the clear winner.

Nope.

Hardly anyone supports it: https://www.passkeys.io/who-supports-passkeys

So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.

seems like too much messing around to make it a widespread solution.

All I know is a few months back someone setup a passkey on a shared google account at my job and now nobody but knows what the password for our email is. I can use the passkey to sign in with my phone, but only I can do that.

It’s the never ending battle between what’s secure and what’s practical. In order to have widespread adoption, it has to be easy. In order to be secure it requires layers of complication.

It’s a yin/yang battle.

A bank vault with walls 2 feet thick, 24/7 surveillance and requiring a two key unlock mechanism is secure compared to a house door lock on a regular suburban bungalow, but is it very practical?

The level of digital security generally attainable is limited by how likely someone is to use it.

2FA using keys is the closest I’ve seen to a happy medium, but it has to be implemented correctly. If the private keys are sitting on a cloud server somewhere and it gets hacked, is it more secure? Maybe not.

Just like real defence, the walls are only as good as the foundation or weakest point.

hot take: end users will be more likely to adopt security keys (or device attested passkey which = security key). Physical security, out-of-bounds cryptography to defeat AitM attacks (fake landing pages where six digit codes are stolen and silently used in perpetuity by the bad actor)

source: my job is to try to get end users to put strong MFA on all the things.

My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.

What am I dependent on to access by stuff if I use a passkey? A smart phone?

I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.