Comment

Comment on Passkeys Explained: The End of Passwords

<- View Parent

Brokkr@lemmy.world ⁨18⁩ ⁨hours⁩ ago

They were surpassed by password managers and 2fa.

source

Sort:hotnew top

psycotica0@lemmy.ca ⁨18⁩ ⁨hours⁩ ago
Technically they are the 2fa. The second factor is something you have. I store all my passkeys in my password manager too, so I’m not faulting you, but technically that’s just undoing the second factor, because now my two factors are “two things that are both unlocked by the same one thing I know”. Which is one complicated factor spread across two boxes.

source
jj4211@lemmy.world ⁨17⁩ ⁨hours⁩ ago
Password managers are a workaround, and broadly speaking the general system is still weak because password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials. Also doesn’t do anything to mitigate a phishing attack, should the user get fooled they will leak a password they care about.

2FA is broad, but I’m wagering you specifically mean TOTP, numbers that change based on a shared secret. Problems there are: -Transcribing the code is a pain -Password managers mitigate that, but the most commonly ‘default’ password managers (e.g. built into the browser) do nothing for them -Still susceptible to phishing, albeit on a shorter time scale

Pub/priv key based tech is the right approach, but passkey does wrap it up with some obnoxious stuff.

source
- Rooster326@programming.dev ⁨9⁩ ⁨hours⁩ ago
  
  password managers have relatively low adoption and plenty of people are walking around with poorly managed credentials
  
  All of the modern browsers have built in password managers so I doubt that very much.
  
  Are they as secure as your self-hosted bit warden that is not accessible via the Internet? No.
  
  But it does still keep track of your usernames and even alerts you if you have a breach.
  
  source
- xthexder@l.sw0.com ⁨10⁩ ⁨hours⁩ ago
  Lack of adoption doesn’t really make password managers a workaround. What’s being worked around? People’s laziness?
  
  Password managers actually do solve the phishing problem to an extent, since if you’re using it properly, you’ll have a unique password for every service, limiting the scope of the problem.
  
  Putting TOTP 2fa codes in your password manager behind the same password as everything else actually destroys any additional security added by 2fa, since it puts you back to a single auth factor.
  
  source