Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, a passkey gets created automatically.

Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldn't find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it’s too late.

Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys that it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.

What do you people think?

OQB @MrKoyun@lemmy.world
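An added sketch of the challenge/signature exchange the post describes (the server keeps only a public key, the device signs a fresh challenge after a local user-verification gate). This is example code written for this thread, not code from the post or from any passkey implementation; the relying-party ID, the Unlocked flag and the use of Go's standard-library ECDSA are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device-side half of a passkey. Its private key never
// leaves it; the biometric/PIN gate that unlocks the key is modelled by Unlocked.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool
}

// RelyingParty is the server side: it stores only the public key.
type RelyingParty struct{ pub *ecdsa.PublicKey }

// Register creates a P-256 key pair (the ES256 algorithm passkeys commonly
// use) on the authenticator and hands the server the public half only.
func Register() (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{pub: &priv.PublicKey}, nil
}

// digest binds the signature to the relying-party ID (a look-alike site with
// another ID gets a useless signature) and to the server's fresh challenge.
func digest(rpID string, challenge []byte) []byte {
	rpHash, chHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rpHash[:], chHash[:]...))
	return d[:]
}

// Assert is the client's answer: an ECDSA signature over the digest, made
// only after the local user-verification gate has passed.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, errors.New("user verification required")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(rpID, challenge))
}

// Verify checks a response with nothing but the stored public key. The
// challenge must be fresh random bytes the server issued for this login.
func (rp *RelyingParty) Verify(rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, digest(rpID, challenge), sig)
}
```

Nothing in RelyingParty can be turned back into the private key, which is what the thread's "can't derive the private keys back" point amounts to.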

  • ∃∀λ@programming.dev
    8 upvotes · 21 hours ago (edited)

    Yeah, I trust them. I don’t think they want access to your credentials. They have the expertise to do E2EE properly. They don’t want to be humiliated in a DEF CON talk.

    They’re pushing passkeys because passkeys are a massive improvement over passwords. They would be negligent not to be pushing passkeys.

    • Ascrod@midwest.social
      11 upvotes · 20 hours ago

      Big tech is pushing them hard as another form of platform lock-in. Passkeys are just passwords with landlords.

      • WaxRhetorical@lemmy.world
        6 upvotes · 20 hours ago

        … What? They provide better security.

        “Passwords with landlords” - Because you reuse a single password across all your services, or? I don’t see the logic here

        • Ascrod@midwest.social
          6 upvotes · 16 hours ago

          “Passwords with landlords” because you do not control them or own them. They live in encrypted storage you don’t have the keys for, or in cloud storage that you are borrowing from a private company.

          Have you read the nightmare stories about people being suddenly locked out of their Google and Apple accounts with no notice or provocation? Imagine that but with your passwords; now it’s not just your Apple account, it’s all of the accounts you trusted them with.

          Just use a password manager that generates and stores sufficiently long passwords for you, along with TOTP or hardware keys. That gets you the best security without handing your life over to large corporations.

          • Gawdl3y@pawb.social
            9 upvotes · 15 hours ago

            You can store passkeys in most modern password managers. You don’t have to use Microsoft, Apple, Google, etc. storage for them.

            • Ascrod@midwest.social
              3 upvotes · 14 hours ago

              You can, but you still depend on the site to let you use that option instead of a major provider.

              When passkeys were first introduced they were not transferable or even usable outside of the big providers, because the platforms wanted that sweet sweet lock-in. I wrote off passkeys when I realized this. Perhaps things have changed more recently.

              • snowe@programming.dev
                8 upvotes · 13 hours ago

                You have a vast misunderstanding of why passkeys aren’t transferable or usable outside of those providers. It had nothing to do with lock-in, but because every implementation was different. And no, you do not ‘depend on the site’ to let you use that option instead of a major provider. There’s a standard now and everyone is following it. If you can use a passkey you can use your password manager to manage that passkey.