Comment on Passkeys Explained: The End of Passwords
CompactFlax@discuss.tchncs.de 20 hours ago
Yeah, this is my situation. My personal computer is really infrequently used and as such I’m already in a dangerous situation when it comes to sign-in risk detection kicking off and asking for further authn proofs. I’ve had my phone die (and come to life when its replacement arrived), and that was a harrowing situation because all the MFA is stored there. Passkeys seem to make it worse, unless I subscribe to a sync service, which I need to infallibly trust (and I’m iffy on that; 1Password has a good security model and all that, but passkeys are a different level of trust).
Triumph@fedia.io 19 hours ago
Think of passkeys like they’re backups.
If you have one, you have none. If you have two, you have one. If you have three, at least one of them has to live offsite.
There are a ton of people who can’t reliably meet the “three” threshold, and plenty who can’t meet the two.
CompactFlax@discuss.tchncs.de 18 hours ago
Good way of putting it. How many people have three devices they can use for storing passkeys? I don’t and I’m a nerd.
Triumph@fedia.io 18 hours ago
I do; or at least I can. But really, Device #2 should be in a fire safe, and Device #3 should be in a safe deposit box. These should be "set and forget" devices, not just "the laptop that I use and the phone that I use". Those are additional costs, additional planning, additional effort, additional administration (because you need to also be checking that these cold devices still work on a scheduled basis), maybe additional required skill (depending on what you want these set and forget devices to be). You need to have an appropriate place to keep that fire safe. And when one of those cold devices doesn't work anymore, you have to figure out why and likely replace it.
To do it right, you really have to have your shit together. That I don't.