Not once in that article did they explain what a passkey is.
Edit: don’t explain passkeys to me; I’m criticizing the article for making a claim without explaining to the general audience what it is.
Funktapus on
Tl;dr: more passkeys
leaky_wand on
I worry sometimes with MFA that if I lost my phone I would not be able to log into anything. My digital life would be at a standstill.
It seems like a massive single point of failure.
alrun on
I am on the fence on passkeys.
# 1) Syncing (that this article seems to address)
The current passkeys work as standalone hardware – If you lose one, all its credentials are gone. -> You need to curate at least two – one for daily use and one for backup. Meaning creating accounts is kinda limited – as you should have access to both (or you will forget to add your backup passkey, lose the first and …).
# 2) You need to trust hardware you cannot dissect.
A password, a key, … I can at least optically inspect and test. Whether the passkey is secure – I cannot test. One attack vector would be to add a backdoor to the chip in the production process – and there are players in the world that can do it.
During 32C3 there was a talk about the feasibility of [hardware trojans (eng translation)](https://www.youtube.com/watch?app=desktop&v=eQA0UBoJ4eo), that is very expensive, but hardly detectable if you compromise the supply chain – as it is very complicated with the current complexity of modern chips to monitor them for third party changes.
An off-topic example would be an [apple charging cable with built-in Wifi attack abilities](https://techcrunch.com/2019/08/12/iphone-charging-cable-hack-computer-def-con/).
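For the standalone-hardware case alrun describes in point 1, the relying party is not blind to the problem: the authenticator data a site receives when a passkey is registered carries a BE (backup eligible) flag and a BS (backup state) flag, so the site can tell whether the new credential is device-bound or synced and prompt for a second authenticator only when it actually matters. The Python below is an added example, not code from any commenter or from the article; it parses a constructed authenticatorData blob, verifies the RP ID hash, and returns enrollment advice. The sample bytes, the RP ID `example.com`, the all-zero AAGUID and the `credentials_on_file` count are assumptions made up for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Decode the fixed 37-byte header and, if the AT flag is set, the attested credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential ID runs past end of data")
        # The COSE-encoded public key follows the credential ID; it is not needed here.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def rp_id_matches(auth: AuthData, rp_id: str) -> bool:
    """A credential is scoped to one RP ID; reject data hashed for a different one."""
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(auth.rp_id_hash, expected)


def recovery_advice(auth: AuthData, credentials_on_file: int) -> str:
    """Policy: synced credentials survive device loss; device-bound ones need a second authenticator."""
    if auth.backup_eligible:
        return "synced"
    if credentials_on_file < 2:
        return "device-bound: ask the user to enroll a backup authenticator"
    return "device-bound: backup already enrolled"


def make_sample(rp_id: str, flags: int, sign_count: int, credential_id: bytes) -> bytes:
    """Build a constructed authenticatorData blob for testing (not real authenticator output).

    An all-zero AAGUID stands in for a real authenticator model identifier.
    """
    return (
        hashlib.sha256(rp_id.encode("utf-8")).digest()
        + bytes([flags])
        + struct.pack(">I", sign_count)
        + bytes(16)
        + struct.pack(">H", len(credential_id))
        + credential_id
    )


# Constructed samples: a device-bound security key and a synced (cloud-backed) passkey.
SAMPLE_DEVICE_BOUND = make_sample("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 1, b"\x11" * 16)
SAMPLE_SYNCED = make_sample("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, 0, b"\x22" * 16)

if __name__ == "__main__":
    for label, blob in (("device-bound", SAMPLE_DEVICE_BOUND), ("synced", SAMPLE_SYNCED)):
        auth = parse_authenticator_data(blob)
        print(label, "rp ok:", rp_id_matches(auth, "example.com"),
              "BE:", auth.backup_eligible, "BS:", auth.backed_up,
              "->", recovery_advice(auth, credentials_on_file=1))
```

The flags are set by the authenticator and are only as trustworthy as the attestation that accompanies them, so a site that wants to rely on them for policy should also verify the attestation statement; a site that merely uses them to decide when to nudge the user toward a backup can take them at face value.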
Passkeys suck because they don’t replace passwords. 11 years ago on my Moto X I had the ability to disable the lock screen if a trusted network or Bluetooth device was connected. I could unlock the phone with an NFC tag. These were all very convenient.
I don’t have the imagination or expertise to solve this very complicated problem, I just know that the passkey system is less convenient than a password manager which can only be accessed by Face ID, fingerprint, or system password. I wanted it to autofill and automatically sign me in, but I want to be logged off every time I close the browser.
Happy_Phantom on
N3v3r g0nn5 h5pp3n
ThatFireGuy0 on
Passkeys sound good in theory, but I don’t want my MFA provider knowing every site I log onto and when it happens. With current Passkey technology, Google would have that info.
fellipec on
Nah. Too many drawbacks
caius_maximus on
Given that inputting passwords/keys requires a physical device, wouldn’t it be easiest if all devices could perform a biometric check (iris, fingerprint, voice) for all passwords as an MFA requirement?