this post was submitted on 14 Feb 2024
263 points (88.8% liked)

Technology

58011 readers
3147 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
263
Passkeys might really kill passwords (www.theverge.com)
submitted 7 months ago by [email protected] to c/[email protected]
180 comments fedilink hide all child comments
 

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 28 points 7 months ago (5 children)

Passkeys feel so much more worse. It becomes one central point to lose everything.

[–] [email protected] 23 points 7 months ago (2 children)

it's objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn't sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days

[–] [email protected] 12 points 7 months ago

And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.

[–] [email protected] 2 points 7 months ago (1 children)

Exactly, which is why passkeys are so good.

[–] [email protected] 8 points 7 months ago

Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn't have to all be tied to just one phone, just like you don't have to have just one house or car key.

[–] [email protected] 7 points 7 months ago

It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it's very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.

[–] [email protected] -1 points 7 months ago (2 children)

If you already have a central point to lose everything in the form of a password manager, is it any worse? What's the difference between a random password stored in your password manager that you don't remember versus a private key stored in your password manager that you're not expected to remember? You've always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That's an improvement over the system we have now.

And for those that don't have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.

[–] [email protected] 10 points 7 months ago

I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it's encrypted (well, as long as the master password is strong enough)

[–] [email protected] 8 points 7 months ago (1 children)

I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can't hack a paper. On the other hand, like some other person wrote, it's incredibly easy to break your phone screen and then you're screwed until you can fix it.

[–] [email protected] 1 points 7 months ago

The person who broke their phone screen wasn't mad about not being able to access the data on it in this case, but rather that they couldn't receive a text message as the second factor to log in to their bank. Having a backup wouldn't have mattered, they couldn't receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.

The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.

[–] [email protected] -4 points 7 months ago (1 children)

A huge amount of people use the same password everywhere.

It's much easier for someone to get your password than your phone.

[–] [email protected] 6 points 7 months ago (1 children)

And it’s much easier for me to lose or break my phone than it is to lose my password.

[–] [email protected] -2 points 7 months ago* (last edited 7 months ago) (1 children)

It's automatically backed up. This is no different than MFA in that regard. Which I hope you're using.

[–] [email protected] 6 points 7 months ago

Backed up to where and to who?