Passkeys might really kill passwords

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨Ninjazzon@infosec.pub⁩ to ⁨technology@lemmy.world⁩

https://www.theverge.com/24071753/passkeys-password-manager-wearables-vergecast

Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

source

Comments

Sort:hotnew top

Heavybell@lemmy.world ⁨8⁩ ⁨months⁩ ago
Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation’s cloud infrastructure, passkeys will remain a super hard sell for me.

source
- TreeGhost@lemm.ee ⁨8⁩ ⁨months⁩ ago
  You can use Bitwarden to store passkeys. Not sure if the self hosted solution has support for it yet though.
  
  source
  - sailingbythelee@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I must admit that, despite reading about passkeys a bit, I still don’t understand the actual practicalities. I seem to recall that Bitwarden can store keys, but can’t generate them. If that’s true, who generates the passkey?
    
    source
    -> View More Comments
  - TheOneCurly@lemm.ee ⁨8⁩ ⁨months⁩ ago
    Vaultwarden does at least, I’ve been using it with passkeys for the last couple months and it’s been great.
    
    source
  - csolisr@communities.azkware.net ⁨8⁩ ⁨months⁩ ago
    VaultWarden user here - yes you can now use your own self-hosted server to store passkeys and that’s a gigantic game-changer. Just install the BitWarden add-on on a recent version of Firefox and voilà
    
    source
  - subtext@lemmy.world ⁨8⁩ ⁨months⁩ ago
    2024.1.2 released with self-hosted server passkey support.
    
    TBH though I would not trust myself to self host my keys to my digital life when the alternative is $40/year for the whole family. You may have a different perspective though.
    
    source
    -> View More Comments
- DemBoSain@midwest.social ⁨8⁩ ⁨months⁩ ago
  I currently use Syncthing to keep my Keepass database updated on my phone, laptop, and home server. Any change anywhere is instantly sent directly to the other 2 devices.
  
  source
  - drengbarazi@lemmy.world ⁨8⁩ ⁨months⁩ ago
    this is the way
    
    you can even tweak folders to either send or receive only on some devices
    
    plus if you really want to be safe you can set file versioning and ignore deletes on a folder to make it strictly backup on more than one device
    
    no internet connection required, you can set it all on lan
    
    I think it is my favorite open-source project after Torvalds’ creations
    
    source
  - Heavybell@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Yeah, I do the same but with nextcloud.
    
    source
    -> View More Comments
  - boatswain@infosec.pub ⁨8⁩ ⁨months⁩ ago
    Does KeePass support passkeys?
    
    source
    -> View More Comments
  - csolisr@communities.azkware.net ⁨8⁩ ⁨months⁩ ago
    Can you use SyncThing along with Nextcloud? I currently use Nextcloud to store my data, but the one part where it still lags a bit behind is on Android specifically (you need to manually sync certain changes).
    
    source
    -> View More Comments
- Landless2029@lemmy.world ⁨8⁩ ⁨months⁩ ago
  KeePass
  
  Self hosted password keeper
  
  source
  - Heavybell@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I already use KeePass, but as far as I know it doesn’t do passkeys, only passwords?
    
    source
    -> View More Comments
- Flying_Hellfish@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Depends on where the line is as far as evil goes. Most of the popular password managers are now starting to support passkey login.
  
  source
  - EngineerGaming@feddit.nl ⁨8⁩ ⁨months⁩ ago
    I draw the line at the password manager being fully local.
    
    source
- Tau@sopuli.xyz ⁨8⁩ ⁨months⁩ ago
  Browsers can save them and extensions like, KeepassXC, can behave like a passkey provider
  
  source
  - Heavybell@lemmy.world ⁨8⁩ ⁨months⁩ ago
    That’s something, but isn’t half the benefit meant to be storing them in the TPM? Also, that won’t help if you’re logging into a game or app, surely? Would love to be wrong on that, of course.
    
    source
    -> View More Comments
- johannesvanderwhales@lemmy.world ⁨8⁩ ⁨months⁩ ago
  You can create passkeys on individual devices without cloud syncing them.
  
  source
- frizop@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Enpass stores the passkey in their db, can be used cross platform and has browser extensions and local (or WiFi) syncing.
  
  source
drmoose@lemmy.world ⁨8⁩ ⁨months⁩ ago
I didn’t like that they interviewed a corporate PR person instead of a real security expert. Sorry but that lady is just deflecting and spinning and missing so many important details to promote 1password.

Generally like the verge but this one was a bit lazy ngl - was there really no neutral or open source expert available?

source
- Sabata11792@kbin.social ⁨8⁩ ⁨months⁩ ago
  
  corporate PR person instead of a real security expert
  
  That's called an advertisement.
  
  source
aksdb@lemmy.world ⁨8⁩ ⁨months⁩ ago
If only companies wouldn’t be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of “security”. So what, keep using my password is safer now? Fucktards.

source
- narc0tic_bird@lemm.ee ⁨8⁩ ⁨months⁩ ago
  Many websites only allow creating a passkey on mobile for example. I also created passkeys on quite a few sites that straight up removed the feature a few days after. I also never found a site that let you completely remove password authentication after adding a passkey.
  
  source
  - aksdb@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Even on mobile they are asshats. I have my password manager registered as the passkey wallet in iOS, so creating a passkey in PayPal for example fails.
    
    source
    -> View More Comments
  - Kusimulkku@lemm.ee ⁨8⁩ ⁨months⁩ ago
    Didn’t allow me to create one because it doesn’t meet the Google’s security thing (unlocked bootloader).
    
    Fun
    
    source
wahming@monyet.cc ⁨8⁩ ⁨months⁩ ago
Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best passwords practices using managers.

source
- EncryptKeeper@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use.
  
  It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.
  
  source
  - leftzero@lemmynsfw.com ⁨8⁩ ⁨months⁩ ago
    
    there’s nothing you have to remember which makes it more convenient for you to use
    
    Unlike my devices, I always have my brain on me. Devices are much more easily lost or stolen than memories. I often might want to access sites using my account from third party devices which I don’t want to be able to use my accounts when I’m not using them.
    
    I just can’t understand how using passkeys (or password managers, for that matter, massive single points of failure that they are) is supposed to be in any way shape or form more convenient than simply remembering a passphrase (which can easily be customisable for each site using some simple formula so that no two sites will share the same but it’ll still be trivial to remember).
    
    Both password managers and passkeys seem like colossal inconveniences and security risks to me when compared to passphrases, frankly. And if you want extra security there’s always two factor authentication (with multiple alternatives in case you don’t have access to one of them, of course; otherwise you might as well delete your account).
    
    source
    -> View More Comments
- Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing).The site can also be hacked and have the passwords (or hashes of the passwords leaked), exposing that password to the world (a data breach).
  
  With passkeys, the browser is the one checking that it’s talking to the right site before talking by making sure the domain name matches. Passkeys also don’t send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with a public key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn’t need access to the private key that the user has to verify the message so there’s nothing sensitive for the site to leak.
  
  In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying “this is me” and the site logs you in.
  
  source
  - doubletwist@lemmy.world ⁨8⁩ ⁨months⁩ ago
    So it sounds like basically it’s just client certificates?
    
    source
    -> View More Comments
dustyData@lemmy.world ⁨8⁩ ⁨months⁩ ago
We shouldn’t be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is overlapping features is what brings convenience and deterrence.

source
- Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
  It’s probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just ‘password and something else’. Something like A,B,C are on the account and you can use A+B or B+C to login. It’d be great for those who don’t necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.
  
  That said, the way passkeys are typically used satisfy multiple factors at once:
  
  Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database
  
  Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone
  
  source
  - scorpionix@feddit.de ⁨8⁩ ⁨months⁩ ago
    Forget about biometrics, they are way too insecure.
    
    Our cameras have reached a stage where we can replicate fingerprints from photos. ‘What you are’ is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.
    
    source
    -> View More Comments
  - shortwavesurfer@monero.town ⁨8⁩ ⁨months⁩ ago
    SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?
    
    source
    -> View More Comments
- IphtashuFitz@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Years ago I worked for a company whose servers were in a highly secure facility. I had to pass through a “person trap” to get in, which required three independent things to get through: something you have, something you know, and something you are.
  
  Imagine a booth about the size of a phone booth, with doors on both sides. To open the outer door you need a card key. Once inside the outer door closes. To open the inner door you need to put your hand on a hand scanner, then enter a PIN. Only then will the inner door unlock and let you inside. I was told that the booth also weighed you and would refuse to let you through if your weight was something like 10% different from your last pass through. That was to prevent other people from piggybacking through with you.
  
  Lots of people think that’s all overkill until I explain that it’s all to ensure an authorized person, and nobody else, could get through. A bad actor could steal my card key & might guess my PIN, but getting around my hand scan & weight would be extremely difficult.
  
  The closer we get to this sort of multi-layer authentication with websites the happier I am. I want my bank account, etc. protected just as well as that data center…
  
  source
  - asbestos@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Honestly that’s cool as heck
    
    source
  - jqubed@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Was it like this?
    
    get smart
    
    source
    -> View More Comments
monko@lemmy.zip ⁨8⁩ ⁨months⁩ ago
Good talk, glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.

There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.

But that’s just Apple’s ecosystem. Which, for what its worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren’t. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.

Passkeys in their current iteration are “better” than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively ready easy for a determined social engineer, and mobile carriers have minimal safeguards against it.

Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.

I’m not saying passkeys are bad, but I’m tired of the marketing overstating the security of the thing. Yes, it’s much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.

source
- pop@lemmy.ml ⁨8⁩ ⁨months⁩ ago
  
  But that’s just Apple’s ecosystem
  
  Apple isn’t the only one allowing redundancy, most popular password managers allow you to lose all your devices and still have it securely stored in the cloud. And people who don’t even know that password managers exists, aren’t going to the early adopters of passkeys.
  
  source
  - monko@lemmy.zip ⁨8⁩ ⁨months⁩ ago
    I’d anticipate that most providers will do something similar. I just mentioned Apple because they’ve been pushing their “cloud backup” hard while still using SMS as a fallback.
    
    I’d be interested to hear which provider, if any, has managed to get around the usual (vulnerable) channels for recovery.
    
    source
    -> View More Comments
- EngineerGaming@feddit.nl ⁨8⁩ ⁨months⁩ ago
  For me, it is the opposite. I would need passkeys to be like my SSH keys - not dependent on some proprietary software and never touching any cloud. For now I am a little bit afraid lock-in might happen at some point, so I wait until the technology matures enough until I can use KeepassXC for it confidently.
  
  source
- Pulptastic@midwest.social ⁨8⁩ ⁨months⁩ ago
  So you really need two independent services with their own passkeys to back each other up.
  
  source
  - monko@lemmy.zip ⁨8⁩ ⁨months⁩ ago
    Not sure exactly what you’re getting at, but any authentication model must be designed with the assumption that a user can lose all their devices, passkeys included. That’s where fallbacks come into play. Even with Apple’s system, you can recover your keychain through iCloud Keychain escrow, which (according to their help page) uses SMS:
    
    To recover your keychain through iCloud Keychain escrow, authenticate with your Apple ID on a new device, then respond to an SMS sent to a trusted phone number.
    
    While SIM swaps aren’t super common, they’re not the most difficult attack. Passkeys are strong against direct attacks, for sure. But if I can reset your account using a text message sent to a device I control, is it really that much more secure?
    
    source
    -> View More Comments
- Flumpkin@slrpnk.net ⁨8⁩ ⁨months⁩ ago
  My view is that for most people who still use bad passwords it will be a huge upgrade. So even though I use super strong passwords, every service and bank has extra security features because they must cater to simple passwords. So you have to check your email for a stupid code and shit. Or worse, give them your phone number!! Which is an outrage because it’s linked to my government id!!!
  
  Passkeys raise the lowest security ceiling, meaning there should be less checks needed. That’s what I’m excited about lol.
  
  source
Feathercrown@lemmy.world ⁨8⁩ ⁨months⁩ ago
Ok so 2fa is based on things you know (passwords) things you have (devices), and things you are (biometrics).

I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it’s stolen the attacker can’t access all of my accounts).

source
- Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Passkeys are protected by either your device’s password/passcode (something you know) or your device’s biometrics (something you are). That provides two factors when combined with the passkey itself (something you have).
  
  The benefit of the password is only available if you know your password for your accounts or if you have a password manager. People can only remember a limited number of passwords without resorting to systems or patterns. Additionally, with many accounts now knowing the password is not enough to log in, you must either be logging in from an existing device or perform some kind of 2FA (TOTP, SMS, hardware security key, etc). So you already need to have a backup device to log in anyways. Same with a password manager: if you can have a copy of your vault with your password on another device then you can have a copy of your vault with your passkey on another device. Nothing gets rid of the requirement to have a backup device or copy of your passwords/passkeys if you want to avoid being locked out.
  
  source
  - Giooschi@lemmy.world ⁨8⁩ ⁨months⁩ ago
    
    People can only remember a limited number of passwords without resorting to systems or patterns.
    
    People also don’t have a backup device though.
    
    source
    -> View More Comments
- fcuks@lemmy.world ⁨8⁩ ⁨months⁩ ago
  wouldn’t it be 3fa with biometrics also ? Thanks for your explanation btw
  
  source
  - shalafi@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Ideal MFA:
    
    Something you have.
    
    Something you know.
    
    Something you are.
    
    If getting married, add:
    
    Something blue.
    
    source
    -> View More Comments
Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
Passkeys feel so much more worse. It becomes one central point to lose everything.

source
- _number8_@lemmy.world ⁨8⁩ ⁨months⁩ ago
  it’s objectively a downgrade to have to get my phone out just to sign into youtube. i broke my phone screen and couldn’t sign into my damn bank until i got it fixed because they making me verify with a text. bullshit world these days
  
  source
  - Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
    And than there’s Google itself, notorious for blocking people’s accounts for nothing and offering zero recourse to get it back.
    
    source
  - towerful@programming.dev ⁨8⁩ ⁨months⁩ ago
    Exactly, which is why passkeys are so good.
    
    source
    -> View More Comments
- Spotlight7573@lemmy.world ⁨8⁩ ⁨months⁩ ago
  If you already have a central point to lose everything in the form of a password manager, is it any worse? What’s the difference between a random password stored in your password manager that you don’t remember versus a private key stored in your password manager that you’re not expected to remember? You’ve always needed to make backups or have alternative ways to get in (recovery codes, customer support channels, etc), nothing about that has changed when going from passwords to passkeys. When passkeys are supported on sites, there can be no autofill issues (password or TOTP), no password complexity requirements, no worries about how they are hashing them on the server side, no phishing issues, etc. That’s an improvement over the system we have now.
  
  And for those that don’t have a password manager, they are likely reusing passwords. Passkeys prevent the risk of password reuse and the risk of phishing.
  
  source
  - Hexagon@feddit.it ⁨8⁩ ⁨months⁩ ago
    I use a password manager and the database is automatically synchronized to multiple devices. I use syncthing for that, but a public cloud would be fine as well, because it’s encrypted (well, as long as the master password is strong enough)
    
    source
  - KlavKalashj@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I export my passwords from my manager regularly and keep them on paper in a secure place. At worst, it would be massively annoying if the password manager somehow blew up. But you can’t hack a paper. On the other hand, like some other person wrote, it’s incredibly easy to break your phone screen and then you’re screwed until you can fix it.
    
    source
    -> View More Comments
- TheEntity@kbin.social ⁨8⁩ ⁨months⁩ ago
  It certainly feels dangerous if forced upon users not aware of the trade-offs. For people already accustomed to using hardware keys, it's very much an improvement, as more services will support them too. The problem is in the awareness. On the other hand, people already treat regular passwords as throwaway data and expect services to just let them in, or even never log them out. In this scenario, maybe passkeys can still be an improvement: roughly just as much as enforcing using a password manager.
  
  source
- Lmaydev@programming.dev ⁨8⁩ ⁨months⁩ ago
  A huge amount of people use the same password everywhere.
  
  It’s much easier for someone to get your password than your phone.
  
  source
  - Deceptichum@kbin.social ⁨8⁩ ⁨months⁩ ago
    And it’s much easier for me to lose or break my phone than it is to lose my password.
    
    source
    -> View More Comments
- Kaldo@kbin.social ⁨8⁩ ⁨months⁩ ago
  How is that different from a password manager (and those are excellent tools everyone should be using)?
  
  In fact, the few passkeys I have are stored in my password manager.
  
  source
johannesvanderwhales@lemmy.world ⁨8⁩ ⁨months⁩ ago
I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you’re paranoid you might prefer rolling your own with Keepass but for most people that’s going to be a lot of work. I think 1password’s model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don’t even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.

source
- Codilingus@sh.itjust.works ⁨8⁩ ⁨months⁩ ago
  Just a heads up for anyone, bitwarden can be self hosted using vaultwarden. All of the bitwarden apps and extensions will work.
  
  Also, for anyone already using their stuff, Proton Mail rolled out their password manager. I like it so far, the free edition is good.
  
  source
  - subtext@lemmy.world ⁨8⁩ ⁨months⁩ ago
    I just don’t trust myself enough to self host Bitwarden. It’s just too critical of a service for me to be willing to accept any mistake I might make in hosting it. Absolutely worth the $10/year (or $40/year for the whole family), to have some IT professionals and Azure doing the hosting.
    
    source
    -> View More Comments
- morbidcactus@lemmy.ca ⁨8⁩ ⁨months⁩ ago
  Is keepass really a lot of work though? If you use xc you have a client that works in windows or Linux, the file itself can be hosted anywhere, I ran for years with it on a USB key. There’s no accounts to create, you just download and go.
  
  source
  - johannesvanderwhales@lemmy.world ⁨8⁩ ⁨months⁩ ago
    It’s definitely more work than just buying the service from someone that has a ready made app. I don’t think it’s a thing I would recommend to, for example, my parents.
    
    source
    -> View More Comments
  - ebc@lemmy.ca ⁨8⁩ ⁨months⁩ ago
    KeepassXC works on Mac, too and there’s KeepassDX for Android.
    
    source
    -> View More Comments
- podperson@lemm.ee ⁨8⁩ ⁨months⁩ ago
  Since 1P switched to subscription only (which is a dealbreaker for me), I switched to Strongbox. It’s based on keepass, you can store/backup/host your own vault, and it also supports both passkeys and passwords. The UX is almost as good as 1P (few little minor annoying things, but no showstoppers for me). Been great so far.
  
  source
mvirts@lemmy.world ⁨8⁩ ⁨months⁩ ago
No.

source
- lolcatnip@reddthat.com ⁨8⁩ ⁨months⁩ ago
  That adds nothing to the conversation.
  
  source
0nekoneko7@lemmy.world ⁨8⁩ ⁨months⁩ ago
People are making things more complicated than they already are. I keep my passwords and passphrases inside my memory.

P.S. My password is not ‘Password123456’

source
- LastYearsPumpkin@feddit.ch ⁨8⁩ ⁨months⁩ ago
  There’s no way for the average person to keep up with remembering unique, strong passwords for all the sites that require them.
  
  You either have to write it down, save it in a password manager, reuse passwords, or have simplified passwords or patterns.
  
  source
- Darkassassin07@lemmy.ca ⁨8⁩ ⁨months⁩ ago
  How do you remember 70+ different password+username combinations?
  
  Or do you just re-use passwords…
  
  source
- ryathal@sh.itjust.works ⁨8⁩ ⁨months⁩ ago
  The real solution is to only remember one or two passwords and have widespread oauth adoption. Instead of having to sign up with every possible website and app, I should only need a couple of google/Facebook/apple/steam/github/Amazon/PayPal/whatever.
  
  source
Engywuck@lemm.ee ⁨8⁩ ⁨months⁩ ago
Eh… No, thanks.

source
ElectroVagrant@lemmy.world ⁨8⁩ ⁨months⁩ ago
For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞

source
Reverendender@sh.itjust.works ⁨8⁩ ⁨months⁩ ago
Tuta mail keeps prompting me for a passkey, and I don’t know where to get what it wants. So I basically can’t use it.

source
smileyhead@discuss.tchncs.de ⁨8⁩ ⁨months⁩ ago
Will I be able to export/import a PassKey from a device?

source
autotldr@lemmings.world [bot] ⁨8⁩ ⁨months⁩ ago
This is the best summary I could come up with:

It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly.

But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys.

On this episode of The Vergecast, we bring in an expert: Anna Pobletts, the head of passwordless (best title ever?)

She’s convinced that passkeys are the future but also has some ideas on the right (and not-so-right) way to get started.

Vee weighs in on Fossil’s exit from the market, the rise of the smart ring, and much more.

If you want to read more on everything we discuss in this episode, here are some links to start with, beginning with passkeys:

The original article contains 241 words, the summary contains 131 words. Saved 46%. I’m a bot and I’m open source!

source
shortwavesurfer@monero.town ⁨8⁩ ⁨months⁩ ago
The way I intend to handle this is with my keypass password manager since the file database has to be synced manually. The way I handle this is one copy of the database lives on my phone, which is my primary device. Then I copy this database to a flash drive, and then copy it to my laptop. The update process goes something like update the credential on my phone and then a few months later, during my scheduled backup routine, copy the database to the flash drive and then copy the database over to the laptop. So the most I could lose is a few months worth of data instead of all of it. If my phone is ever stolen, I still have a copy of the database on both the flash drive and the laptop, which at most might be a few months out of date, but nothing severe.

source
fosstulate@iusearchlinux.fyi ⁨8⁩ ⁨months⁩ ago
Vendors will use passkey implementations as vectors for lock-in. Guaranteed. Workplaces need to accept BYO.

source