Do you people trust companies with passkeys?
I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, a passkey gets created automatically.
Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.
I did some digging on my Google account settings and the internet, and I couldn't find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it's too late.
Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys that it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.
What do you people think?
I use passkeys via KeePassXC (on Windows & Linux) and KeePassDX (Android), in which case passkeys are essentially an upgrade:
- Since I use a password manager anyways, the difference in where they are stored is nil.
- As I use KeePass databases I remain in control.
- Auto-fill is in my experience more flaky than passkey prompts, though it would be nice if KeePassXC could be a native provider, like KeePassDX is on Android nowadays.
- Passkeys are generally more secure, as the key itself never leaves the device (only a challenge is performed to verify ownership of said key) unlike passwords. Passkeys also tend to be longer than passwords.
The only downside is that you need access to the database to log in - unlike with passwords where it is cumbersome, but still reasonably possible to enter it manually.
I wouldn’t want my keys to be wholly linked to my device (problematic if I lose it, or it breaks) or be reliant on Google’s - or other big tech - password managers either.
Passkeys are a major improvement over passwords. It’s crazy how many people here are afraid of everyday cryptography.
Not of cryptography but tracking.
What do passkeys allow someone to track that a password login wouldn’t?
Passkeys are a potentially good technology, that is frequently implemented in an insecure and user-hostile way.
Good: a standard way for authentication that can be implemented in common on client and server, such that the user doesn’t need to know a secret.
Bad: Most OS and platform vendors breathlessly implemented this standard using their proprietary APIs and making it practically infeasible (read: impossible for typical end-users, therefore they won’t, therefore insecure) to attempt syncing your passkeys outside their walled garden.
It is entirely feasible to implement passkeys in a way that users are in control and can freely move between devices and operating systems. But many implementations make that impossible, while still calling their implementation “passkey”.
So, we need to reject any implementation which puts any barrier to the user freely migrating and syncing all their devices regardless of platform.
I thought the whole point was that a passkey belonged to a device. You have multiple devices, you register multiple passkeys with your account. That way you can remove them if you lose a device. Doesn’t iOS go so far as to lock them in the TPM?
No, it’s the opposite. Apple argued strongly that passkeys are intended to be a replacement for passwords and so must be syncable. And that’s how it’s implemented on Apple OSes. It syncs to iCloud Keychain or your password manager, and so that same passkey is available on all your devices. It’s not even locked into Apple’s ecosystem because of cross-platform password managers.
For once I am with Apple on this one. The bad thing about passwords is their randomness. Humans are not very good at remembering very big entropy.
That’s my understanding as well
Passkeys can also be stored in your own password manager, but I still don't trust the process. I used to help out my dad in a countryside office, and they had a weird room halfway under the ground. This meant pleasant temperatures all year, but piss-poor internet for my phone, which meant the local TOTP generating was just perfect. Since then I only trust offline generated codes, biometric logins, long-ass 20-character passwords, and the combination of these.
Yeah, I trust them. I don’t think they want access to your credentials. They have the expertise to do E2EE properly. They don’t want to be humiliated in a DEF CON talk.
They’re pushing passkeys because passkeys are a massive improvement over passwords. They would be negligent not to be pushing passkeys.
Big tech is pushing them hard as another form of platform lock-in. Passkeys are just passwords with landlords.
… What? They provide better security.
“Passwords with landlords” - Because you reuse a single password across all your services, or? I don’t see the logic here
“Passwords with landlords” because you do not control them or own them. They live in encrypted storage you don’t have the keys for, or in cloud storage that you are borrowing from a private company.
Have you read the nightmare stories about people being suddenly locked out of their Google and Apple accounts with no notice or provocation? Imagine that but with your passwords; now it’s not just your Apple account, it’s all of the accounts you trusted them with.
Just use a password manager that generates and stores sufficiently long passwords for you, along with TOTP or hardware keys. That gets you the best security without handing your life over to large corporations.
You can store passkeys in most modern password managers. You don’t have to use Microsoft, Apple, Google, etc. storage for them.
You can, but you still depend on the site to let you use that option instead of a major provider.
When passkeys were first introduced they were not transferable or even usable outside of the big providers, because the platforms wanted that sweet sweet lock-in. I wrote off passkeys when I realized this. Perhaps things have changed more recently.
You have a vast misunderstanding of why passkeys aren’t transferable or usable outside of those providers. It had nothing to do with lock-in, but because every implementation was different. And no, you do not ‘depend on the site’ to let you use that option instead of a major provider. There’s a standard now and everyone is following it. If you can use a passkey you can use your password manager to manage that passkey.
I’m suspicious of anything that gets pushed too hard too suddenly.
To add to that, let’s analyze what Microsoft themselves say:
No typing, no guessing, no “forgot password” drama.
If you don’t type your passwords, you forget them, which Microsoft themselves say in the same paragraph:
With passkeys, you don’t need to create and remember passwords.
This would take away agency of the user for his/her passwords, and towards Microsoft.
Considering the company seems to be supportive of “you will own nothing and be happy”, at least by how they operate, this seems suspiciously aligned.
Also:
Instead of typing a password, you use your phone or device to confirm it’s really you, using your face or a fingerprint.
…Oh, hey, facial recognition. Because big bro Microsoft must know the human behind the 0s and 1s too.
Passkeys are incredibly easy to use and intuitive, eliminating the need for complicated password creation processes and the hassle of remembering them.
“The users are dumb therefore we must take agency away from them. And they will be happy.”
Also https://xkcd.com/936/ comes to mind. Engineered problem perhaps?
Also the article mentions PINs besides face identification and fingerprinting, two things that are generally constant for an individual unless enough time passes, they go through surgeries, and/or some terrible accident happens.
But about PINs, I’m not too familiar with them, but if they’re constant (“hardware keys”?), using them would say to the service it’s the actual person logging in, or someone the person was physically close to. Basically a means to physically track the user based on logging in.
And if the PIN is one of those that changes every few seconds/minutes, from what I would follow on the matter, the more reliable ones at least on Android are those that do Google Play’s verification. Or at least the ones that are the most commonly supported. Also throughout the article, Microsoft mentions in a few key moments their services, which added to the ad-style tone of the article and the company’s usual modus operandi, it sounds a lot like they are pushing even more to centralization, towards themselves if possible.
Other companies don’t seem to leave as obvious documents of pushing for passkeys, so thanks Bill Gates, I guess?
And talking about Bill Gates, since apparently he is involved in other population control scandals outside of the realm of technology, the chain of trust seems to indicate a bigger problem at hand.
Passkeys are basically passwords + 2FA combined. You can save them in a password manager, so you have full control over them, including how to unlock them.
And companies are pushing them, because they are significantly stronger than the passwords most users use.
The number of people that do not understand how big of an improvement passkeys are is really saddening. They think that somehow these tech companies are utilizing this in some nefarious way, rather than the very very simple explanation that … tech companies don’t want to be responsible for more breaches.
Passkeys are so simple and such a huge improvement that it’s literally all upsides and no downsides. Either you use their passkey managers like you would their password managers and it’s safer for them, or you use your own password manager with passkeys in it and it’s still safer for them.