Bitches don’t know that passkeys are awesome. It’s like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.
It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.
Ancient meme
Passkey is “something you own” right?
I have something I own, it’s a Yubikey
I thought passkeys had to be behind biometrics, so “own” + “are”?
I just wish Google would stop overriding my passkey on Android for specific apps including their own.
You can change the provider to bitwarden.
I do have it overridden but Google Play Services isn’t respecting my passkey default.
Passkeys are phishing resistant, or so they say… but the web app still needs to let you in with password + 2FA… So I’m not sure how much that’s really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
Passkeys are a replacement for passwords. Passwords don’t solve the problem of a lost password, and passkeys don’t solve the problem of a lost passkey. How a site deals with lost credentials is up to them. It doesn’t need to be password + 2FA.
You can store passkeys in your password manager lol
I’ll use banks as an example
If they cared about your security there would be mobile app or website.
Hell, credit cards would still require a signature.
It’s about cost first and foremost and then convenience.
Has nothing about you as a consumer. They don’t give 2 shits about you as a consumer.
I mean you’re right about banks but your examples make no sense.
Banks generally don’t support 2fa, which is bad. Some banks (fidelity) still have character limits on passwords because they stores it in plaintext until recently so you could use it through the telephone system. They could implement a secure tap to pay system on your phones with enhanced security, rather than relying on Google to handle their job. And for credit cards themselves, switch to chip and pin.
“Banks don’t have mobile apps”?? “Signatures are secure”???🤡
How easy is it to fake a signature for a normal person who has not practiced a person’s signature for the intent purpose of faking it? Have you ever tried faking your parents signature to get out of school? I have.
Now the infrastructure required to adequately check signatures is not practical hence it doesn’t exist. It’s why we moved to pins. Pins are small and 2fa doesn’t exist for banks because again it’s about the bare minimum and they are out to make money and don’t care about customers plus there’s government safeguards in place specific to banking.
I will continue to argue that going back in time signatures are infinitely more secure than a 4 digit pin let alone tap but we have traded security for convenience.
Anyways full admit that I’m batshit crazy.
Do you think signatures were at all secure? If they cared about security they’d do chip+pin like most civilized countries.
With proper infrastructure yes signatures are extremely secure. But that proper infrastructure doesn’t exist.
ITT: people who think only SMS, email and TOTP exist as 2FA.
And people who think only your phone can be used as passkey.
When those are the only options given by some services, yeh it kinda is. I’d love to be able to just use my flipper as a u2f for everything, but unfortunately most websites are all “no” and you have to use a chrome browser instead of Librewolf even when you could use a yubikey, so fine I guess text me, oh whoops I changed my number and I’m now locked out of my acct, cool.
Remember when tap-to-pay was new and didn’t work at a lot of places and some people were freaked out over it?
And now most of us use it without a 2nd thought.
I speculate passkeys will be like that.
I’d use it if it didn’t cost extra in my country. Swiping my card really isn’t much harder
Wow that’s madness
On the contrary i want more services using passkeys instead of 2fa methods that are less secure (sms).
I have no idea what a passkey is and I will probably only learn what it is when they become mandatory
I will just use passwords + 2FA for the moment
Here is a demo you can try if you’re so inclined
I see, thanks. It mentions biometrics on that page. Maybe if my next laptop has a fingerprint reader then I should look into passkeys more.
I don’t use the biometric authentication on my laptop and am able to complete the demo on it. Chrome asks me for a PIN that I save and provide when it asks on my laptop. I don’t think biometrics are a requirement for passkeys.
Passkey is essentially a branding of webauthn. Instead of typing some code that changes, you just do something with some sort of device or key manager.
Plug in a yubikey and touch the button to authenticate. Easier.
Has this energy…
I have the opposite situation, I bought yubikeys but nobody supports them.
Indeed. Why so many recommend them I have no idea.
Honestly, if you have a password manager that supports security keys then buy two cheap keys (one for backup) like the Thetis FIDO U2F Security Key and use those to secure your password vault. For everything else just use TOTP and Passkeys stored in your vault.
I invested in Yubikeys and yes it was a waste.
I’m getting ready to roll them out at work but it’s basically exclusively for the password managers. Having a password manager and every account be unique isn’t helpful if everyone’s going to just use shit passwords for their password manager
It’s not for your security, it’s for the company’s. People suuuuuuuuck when it comes to credentials.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it’s the company’s security policies breeding that behavior.
And yet admin, 1234, test, etc. remain the most commonly ‘hacked’ passwords. Your company’s policies may be annoying, but they certainly don’t make you use unsafe passwords.
Same. They also don’t allow password managers and I have multiple systems that don’t use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don’t forget it.
I don’t get why people get upset at frequently expiring passwords. It’s not hard: just write it on a postit note and stick it on your monitor.
Tell them the NIST recommendations for password frequency changes have been really reduced in recent times because it pushes people into other bad password practices. Among all factors, changing the password frequently is the least important.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements.
Outdated security practices & cargo culture. Someone should roll up a copy of NIST SP 800-63 to smack them over the head until they read it:
The following requirements apply to passwords:
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Maybe ask them their security qualifications & whether they follow the latest security research & industry standards.
Uhhh… Can someone ELI18 to me the problem with passkeys? I use them wherever available and find them very convenient.
Yeah i can sum it up for you
Amazon fucking insisting every damn time I log in.
