From passwords to passkeys
21 points by wlcx
A thing I keep thinking about is a lot of services use SMS for 2FA now, but it's normal for people without money to go month to month on their phone and let it lose service when money is tight. How are you supposed to participate in society if you only have intermittent access to devices?
That's the neat part - you don't! It's another example of the US "kill line" -- the many monthly payments you absolutely have to keep on top of to avoid a nearly-unrecoverable downward spiral.
Wake me up again once passwords don't allow vendors to lock me out via attestation and e.g. force me to buy certain hardware.
No thank you, password managers work very well.
Passkeys are fine but still not usable as the only means of authentication without also having username/password as an option too.
I am perfectly fine with passkeys without password fallbacks, and so must be the double-digit percentage of users that do a password reset on every login.
Reality is shockingly different from the imagination of most tech-savvy people.
So you mean passkeys + email reset when lost?
But email is so insecure. We implemented passkeys + eID, but in the Nordics we have the infra for that. So no login via email, only via strong authentication (passkeys, government digital ID or similar).
The email has been and still is our online ID. It might be old and insecure (why are other SSL channels more secure again?), but it's still our online ID. IMO every modern or somewhat modern country should hand out emails to its citizens the moment they are born or get citizenship, and use them for communication with the state, offices, etc. The fact that state services use gmail addresses boggles the mind.
I came across an accountant who did not want to use Gemini for privacy but uses Gmail to communicate with clients. So all the data from his clients tax docs back and forth, lives in Gmail. But Gemini? God forbid!
...and if you have to have a username/password that's your baseline security posture.
I don't like passkeys. I don't want to lock authentication to a specific device. I don't want to rely on biometrics. I might want my spouse to log on in my stead from a different device. Etc etc etc.
I'd be much happier with an ssh-type private key/public key type of solution that I control. Want an account on a new site? Fine, create it and provide your public key. I'm responsible for the private key, I can lock it up any way/anywhere I choose.
Yes, browsers would have to know how to interact with an agent. But I've been told in the past that that is apparently too hard/complicated for the general public (compared to passkeys which are essentially magic to laymen).
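The scheme sketched in that comment, as an added example that is not part of the thread: a relying party that stores only a public key, issues a single-use challenge, and accepts a signature over it. The example binds the signed payload to the server's origin, which is the detail WebAuthn adds on top of plain SSH-style challenge signing and the reason a signature produced for a lookalike site fails at the real one. It also shows the private key exported as a raw 32-byte seed and restored from it, since that is what makes the key something the user can back up however they like. The origin `https://example.test`, the username `alice`, the two-minute challenge lifetime and the `\x00`-separated payload format are assumptions of the example, not anything the thread specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// challenge is one outstanding, single-use login nonce with an expiry.
type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server is the relying party. It holds public keys only, so a dump of its
// user table yields nothing that can be used to log in.
type Server struct {
	origin  string                       // origin clients are expected to sign for (assumed value below)
	users   map[string]ed25519.PublicKey // username -> registered public key
	pending map[string]challenge         // username -> outstanding challenge
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string]challenge{}}
}

// Register stores the public key the user presents at sign-up.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce valid for a short window.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = challenge{nonce: nonce, expires: time.Now().Add(2 * time.Minute)}
	return nonce, nil
}

// signedPayload binds the nonce to the origin the client believes it is
// talking to, so a signature made for a lookalike origin does not verify here.
// The separator and encoding are this example's own choice.
func signedPayload(origin string, nonce []byte) []byte {
	return []byte(origin + "\x00" + hex.EncodeToString(nonce))
}

// Verify checks the client's signature. The nonce is consumed whether or not
// the signature is valid, so a captured response cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || !bytes.Equal(ch.nonce, nonce) {
		return errors.New("no matching outstanding challenge")
	}
	if time.Now().After(ch.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, signedPayload(s.origin, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client holds the private key, the analogue of ~/.ssh/id_ed25519.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Seed exports the 32-byte secret for whatever backup the user chooses;
// LoadClient restores a working client from that backup.
func (c *Client) Seed() []byte      { return c.priv.Seed() }
func LoadClient(seed []byte) *Client { return &Client{priv: ed25519.NewKeyFromSeed(seed)} }

// Respond signs the challenge for the origin the client is actually connected to.
func (c *Client) Respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, signedPayload(origin, nonce))
}

func main() {
	srv := NewServer("https://example.test")
	cli, pub, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)
	nonce, _ := srv.Challenge("alice")
	fmt.Println("genuine login:", srv.Verify("alice", nonce, cli.Respond("https://example.test", nonce)))
	nonce, _ = srv.Challenge("alice")
	fmt.Println("phished login:", srv.Verify("alice", nonce, cli.Respond("https://examp1e.test", nonce)))
}
```

The browser-side piece the comment mentions (handing the challenge to a local agent and returning the signature) is exactly the `Respond` call; everything the server needs to trust the result is the stored public key and its own origin string.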
Passkeys are essentially magic to everyone, not only laymen.
Security can benefit either of the two sides who participate: the service provider and the user. On each side, it should fulfil Confidentiality, Integrity, and Availability (if we follow this specific model).
For me, the user, passkeys violate availability and data sovereignty. I can't get them on a tape backup in my safe, as I can with SSH private keys. I find cloud backups which I can't even theoretically audit highly suspect (potential confidentiality violation, since one provider accumulates passkeys across unrelated services, creating a centralised point of compromise). Many recovery procedures have issues: recovery keys appear to be weaker than a private key (ergo could violate the confidentiality requirement), while other identification procedures fall victim to long delays (human review) and goodwill (ergo: violate availability: I don't need someone else to confirm that I am myself).
What we see is a widening divide between IT for the technically knowledgeable (SSH and the SSH agent, Kerberos, SASL, TOTP in KeePass and so on) and consumer devices (smartphone authenticators which black-hole TOTP seeds, passkeys with their cloud backups and so on).
Maybe we should start splitting the infrastructure, as it becomes slowly incompatible: one device for interactions in the consumer world, another one for engineering (software development and so on).
I'm already almost to the point of this in the form of having two phones. Haven't pulled the trigger yet.