  • hemko@lemmy.dbzer0.com · ▲26 ▼1 · 2 months ago

    What’s wrong with passkeys? I’m in love with passwordless sign-in with a YubiKey, so much easier and faster than password + TOTP.

    • marcos@lemmy.world · ▲3 · 2 months ago

      Until sites start disallowing YubiKeys because they don’t make it impossible for you to back up your keys…

      Which is what’s planned to happen.

      • hemko@lemmy.dbzer0.com · ▲2 · edited · 2 months ago

        The passkey is still protected with another factor, such as a PIN code or biometrics.

        Like when I log in to my account, I put the YubiKey in the USB port, then the browser asks me to unlock it using the PIN code, then I touch the YubiKey to confirm I have physical access to it, and only then does it allow the authentication.

        In practice this takes about 2 seconds.
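The two steps described above (PIN unlock, then touch) are reported to the website in the WebAuthn authenticator data as the User Verified (UV) and User Present (UP) flag bits, and the same byte also carries the Backup Eligible (BE) and Backup State (BS) bits that a site would consult if it wanted to refuse device-bound keys as the comment above it anticipates. The block below is an added example, not code from this thread or from any project mentioned in it: it parses the fixed 37-byte authenticatorData header (rpIdHash, flags, signCount) and applies a relying-party policy over it. The relying party ID `example.com`, the function names, and the sample authenticator data are all constructed for the example; the cryptographic signature check over the assertion is assumed to happen elsewhere.

```python
import hashlib
import struct

# WebAuthn authenticatorData begins with a fixed 37-byte header:
#   rpIdHash   32 bytes   SHA-256 of the relying party ID
#   flags       1 byte    bit field described below
#   signCount   4 bytes   big-endian signature counter
FLAG_UP = 0x01  # User Present: the user touched the key (physical confirmation)
FLAG_UV = 0x04  # User Verified: a PIN or biometric unlocked the authenticator
FLAG_BE = 0x08  # Backup Eligible: the credential may be synced / backed up
FLAG_BS = 0x10  # Backup State: the credential is currently backed up
HEADER_LEN = 37


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def build_authenticator_data(rp_id, flags, sign_count):
    # Constructed sample data for this example, not a capture from a real authenticator.
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data):
    """Split the 37-byte header into its fields and decode the flag bits."""
    if len(data) < HEADER_LEN:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = data[32]
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }


def evaluate_assertion(data, expected_rp_id, stored_sign_count,
                       require_uv=True, require_backup_eligible=False):
    """Relying-party policy over the parsed header. Returns (accepted, reason).

    require_uv: insist on the PIN/biometric step, not just a touch.
    require_backup_eligible: a hypothetical policy that rejects device-bound
    credentials (the scenario the thread worries about).
    """
    parsed = parse_authenticator_data(data)
    if parsed["rp_id_hash"] != rp_id_hash(expected_rp_id):
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        return False, "user presence (touch) not asserted"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification (PIN/biometric) required but not performed"
    if require_backup_eligible and not parsed["backup_eligible"]:
        return False, "device-bound credential rejected: not backup-eligible"
    # Counter check from the WebAuthn spec: on an authenticator that uses a
    # counter, a value that fails to increase suggests a cloned key. Synced
    # passkeys commonly report 0, in which case the check is skipped.
    count = parsed["sign_count"]
    if (count != 0 or stored_sign_count != 0) and count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator"
    return True, "ok"


if __name__ == "__main__":
    rp = "example.com"  # placeholder relying party ID
    # Hardware key: PIN unlock (UV) + touch (UP), cannot be backed up, counter 42.
    hardware_key = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 42)
    # Synced passkey from a password manager: backup-eligible and backed up, counter 0.
    synced_passkey = build_authenticator_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    # Touch only, no PIN: presence without verification.
    touch_only = build_authenticator_data(rp, FLAG_UP, 7)

    print(evaluate_assertion(hardware_key, rp, 41))
    print(evaluate_assertion(hardware_key, rp, 41, require_backup_eligible=True))
    print(evaluate_assertion(synced_passkey, rp, 0))
    print(evaluate_assertion(touch_only, rp, 6))
    print(evaluate_assertion(hardware_key, rp, 42))
```

The hardware key passes the default policy and fails only the backup-eligibility policy; the synced passkey passes both; the touch-only assertion fails as soon as user verification is required; and replaying the hardware key's counter value is flagged as a possible clone.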

  • Katana314@lemmy.world · ▲21 ▼1 · 2 months ago

    There’s been a lot of pain in the attempt to portray it as “Just click the passkey button, and that’s it! Your login is secured for life!”

    No, buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn’t on the same operating system? I have a password manager that stores these things, why didn’t you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it’s in Bitwarden?

    And, the next ultra-big step: How would a non-techie figure this shit out?

    • meliaesc@lemmy.world · ▲1 · edited · 2 months ago

      I have my passkeys saved in 1password. (With a yubikey as backup for important things).

    • jj4211@lemmy.world · ▲1 · 2 months ago

      This was roughly the state of affairs before, but the state of things has relented and software password managers are now allowed to serve the purpose.

      So if a hardened security guy wants to only use his dedicated hardware token with registering backups, that’s possible.

      If a layman wants to use Google password manager to just take care of it, that’s fine too.

      Also much in between, like using a phone instead of a YubiKey, using an offline password manager, etc.

    • candybrie@lemmy.world · ▲2 ▼1 · 2 months ago

      And, the next ultra-big step: How would a non-techie figure this shit out?

      They don’t have a computer, another computer with a different OS, or bitwarden.

  • yesman@lemmy.world · ▲22 ▼3 · 2 months ago

    Passkeys are light years ahead of 2FA in user experience. Why do you dislike them?

    Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they’ve improved over the desktop experience.

  • Randelung@lemmy.world · ▲6 ▼1 · 2 months ago

    It’s not for your security, it’s for the company’s. People suuuuuuuuck when it comes to credentials.

    • NocturnalEngineer@lemmy.world · ▲5 ▼1 · edited · 2 months ago

      My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.

      Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.

      • Randelung@lemmy.world · ▲1 ▼1 · 2 months ago

        And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.

  • lightsblinken@lemmy.world · ▲5 · 2 months ago

    Sure, you can use a passkey as a primary authentication, but only “a device” or “system” (KeePass/1Password etc.) knows the passkey detail. With only a passkey, if my passkey provider/device is compromised then everything is lost. Having single-factor auth seems like a bad idea.

    A password is something that I can know, so it is still useful as a protection mechanism. Having two-factor auth should include password and passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.

  • jakemehoff11@lemmy.world · ▲1 · 2 months ago

    Coincidence or did you get that email from eBay today, too?

    They probably got hacked and we’ll find out about it next year.