Do you people trust companies with passkeys?
I feel like big tech has started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear: an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, and a passkey gets created automatically.
Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.
I did some digging in my Google account settings and on the internet, and I couldn’t find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it’s too late.
Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys, which it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys, with their private keys, with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable, because I can’t bring myself to trust Google with E2EE.
What do you people think?


How is a passkey better than PW + MFA? Serious question. Everywhere I read online tells me “it’s better” but doesn’t get into the nitty gritty. Also, I don’t use biometrics or face scans on any device.
Edit: I should add, doesn’t this make online less anonymous/private? Once a site or browser is uniquely identified, couldn’t that be used for better fingerprinting across other sites, hindering anonymity? I feel like data is still going to be extracted or gathered.
Aren’t they also stored via cookies? What if your authenticated session is stolen via cookies, what then?
There are a few main benefits.
So I think if you are using unique passwords with an automated password manager the effective benefit is quite small. However for the “average computer user” who likely has less than 5 passwords that they use for everything it forces a pretty high base level of security.
These answers will be theoretical, because it’s possible some browser or system will do stupid things and negate these positives:
It shouldn’t make things less anonymous, because different websites get unique passkeys made for them. This also makes them more secure, because if one site has a complete DB leak, that doesn’t impact other sites at all.
Also, the passkeys are used for auth, so there’s already no “anonymity” here, you’re logging into a website. They know who you are, at least which user you are, maybe not which human, which is as true as it was before with passwords.
Also they should require your device to ask you if you want to use the passkey, they’re not supposed to be automatically leaking to every site you visit without your knowledge.
Also, they are not stored via cookies. Unless you mean the login session, in which case that part is stored via cookies, but just the same way that a password login gets a session key via a cookie to use after you’ve logged in. So if someone can steal your cookies that’s already a huge problem, but they don’t get any extra information with passkeys. The actual secret material for a passkey is stored outside of the browser entirely.
The biometrics aren’t supposed to leave the device, they’re prompted for by the hardware on the device asking if you’d like to allow the keys to be used. The browser asks the passkey hardware “I’d like to sign this thing please” and then the hardware pops up the biometric thing as part of its decision making process on whether it should do that or not. Crucially this is not the website asking for biometrics, it’s your device. And if you unlock it, then it chooses to sign what it was asked to sign, and all the browser gets back is the signature.
In theory.
Thank you for the more detailed explanation of use and practice. That does help! Gives a little more peace of mind too.
Had this a few weeks ago: my partner had her email hacked. She used the same password on a service that was hacked and emails/passwords stolen. They first used a ‘forgot password’ on her phone operator account, reported the SIM as lost/stolen and registered her number to a new SIM. Then they could change the passwords on anything they liked, as they had her phone number and got the 2FA calls and SMS. They then went through accounts downloading apps and setting up or re-registering MFA once the passwords were changed.
Gotcha. OK so maybe a little less applicable to some more than others.
I already use mostly unique passwords (like a random root word(s) with varying numbers and special characters mixed in) for accounts, and only have my MFA app allowed, not email or SMS. My PW & MFA apps have unique PINs. I also have multiple email aliases for those varying accounts and rotate through them after they’re sold every so often. Helps cut down on spam A LOT vs manually unsubscribing. Retail sites are especially guilty of selling info IMO.
Mine might be slightly overkill, and maybe less necessary with passkeys, but I’ll wait until there are good self-hosted apps for that.
Yeah you are going far beyond most people, but passkeys will be a major step up for the majority of the population who still use the same or similar passwords for everything.
OK, thank you.