Comment

Comment on Passkeys might really kill passwords

Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago

Passkeys feel so much more worse. It becomes one central point to lose everything.

source

Sort:hotnew top

_number8_@lemmy.world ⁨8⁩ ⁨months⁩ ago
it’s objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn’t sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days

source
- Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
  And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.
  
  source
- towerful@programming.dev ⁨8⁩ ⁨months⁩ ago
  Exactly, which is why passkeys are so good.
  
  source
  - Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Exactly. You could have access to your password manager on your computer or a backup hardware security key instead. It doesn’t have to all be tied to just one phone, just like you don’t have to have just one house or car key.
    
    source
Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
If you already have a central point to lose everything in the form of a password manager, is it any worse? What’s the difference between a random password stored in your password manager that you don’t remember versus a private key stored in your password manager that you’re not expected to remember? You’ve always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That’s an improvement over the system we have now.

And for those that don’t have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.

source
- Hexagon@feddit.it ⁨8⁩ ⁨months⁩ ago
  I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it’s encrypted (well, as long as the master password is strong enough)
  
  source
- KlavKalashj@lemmy.world ⁨8⁩ ⁨months⁩ ago
  I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can’t hack a paper. On the other hand, like some other person wrote, it’s incredibly easy to break your phone screen and then you’re screwed until you can fix it.
  
  source
  - Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
    The person who broke their phone screen wasn’t mad about not being able to access the data on it in this case, but rather that they couldn’t receive a text message as the second factor to log in to their bank. Having a backup wouldn’t have mattered, they couldn’t receive the text. Like it or not, having two-factor authentication on accounts is a necessity with the phishing and malware problems out there. Having multiple (secure) factors attached to your account is the best protection against getting locked out.
    
    The breaking of a phone and loss of the data on it can still be protected against by having backups in other locations or offline, like you have.
    
    source
TheEntity@kbin.social ⁨8⁩ ⁨months⁩ ago
It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it's very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.

source
Lmaydev@programming.dev ⁨8⁩ ⁨months⁩ ago
A huge amount of people use the same password everywhere.

It’s much easier for someone to get your password than your phone.

source
- Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
  And it’s much easier for me to lose or break my phone than it is to lose my password.
  
  source
  - Lmaydev@programming.dev ⁨8⁩ ⁨months⁩ ago
    It’s automatically backed up.
    
    source
    Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
    Backed up to where and to who?
    
    source
Kaldo@kbin.social ⁨8⁩ ⁨months⁩ ago
How is that different from a password manager (and those are excellent tools everyone should be using)?

In fact, the few passkeys I have are stored in my password manager.

source