Passkeys Mess


The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn't support that browser on any OS.
I'm a Firefox user, and this hurts. When I attempted to have Bitwarden create a Passkey for me, I saw it didn't support Firefox for Passkeys at all.

I haven't seen anything about Passkeys that I feel makes it better than what we have already.
 
I saw it didn't support Firefox for Passkeys at all.
That's bad "support" from PayPal. As a customer you should at least complain... even if they never end up doing it the CORRECT way, which is checking the browser for support rather than hard-coding which browsers offer it. (This is no doubt actually a Google lock-in situation: no doubt Firefox reports its support using the officially agreed standards, but Google backdoored all that and some tired dev took the "easy route" rather than doing it the more difficult but "officially standard" way.)
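The two approaches the post above contrasts, shown side by side as an added example (this is not code from the thread, from PayPal, or from any real site). The hard-coded allowlist, the User-Agent strings and the stand-in `window` objects are all constructed for illustration; the `PublicKeyCredential` checks are the standard WebAuthn API as browsers expose it.

```javascript
// Added example: feature-detect WebAuthn/passkey support instead of sniffing the User-Agent.

// Anti-pattern: a hard-coded list of browser names decides whether the passkey button appears.
// Any browser not on the list is rejected even when it implements WebAuthn correctly, and a
// browser that IS on the list is accepted even when its version predates the API.
const HARD_CODED_BROWSERS = ['Chrome', 'Edg', 'Safari']; // constructed allowlist, illustrative only
function sniffedPasskeySupport(userAgent) {
  return HARD_CODED_BROWSERS.some((name) => userAgent.includes(name));
}

// Standards-based check: does this browser expose the WebAuthn entry points at all?
// `win` is the page's global object (window); it is passed in so the check can run offline.
function hasWebAuthnApi(win) {
  return Boolean(win && win.PublicKeyCredential && win.navigator && win.navigator.credentials);
}

// Fuller detection: ask the browser what it can do, using the API's own capability queries.
async function detectPasskeySupport(win) {
  const result = { webauthn: false, platformAuthenticator: false, conditionalUI: false };
  if (!hasWebAuthnApi(win)) return result;
  result.webauthn = true;
  const PKC = win.PublicKeyCredential;
  if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
    result.platformAuthenticator = await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
  }
  if (typeof PKC.isConditionalMediationAvailable === 'function') {
    result.conditionalUI = await PKC.isConditionalMediationAvailable();
  }
  return result;
}

// Constructed stand-ins for browser globals (not real browsers) that show the two methods diverging.
const firefoxLike = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    credentials: {},
  },
  PublicKeyCredential: {
    isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
    isConditionalMediationAvailable: async () => true,
  },
};
const legacyChromeLike = {
  navigator: {
    userAgent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36',
    credentials: undefined,
  },
  // no PublicKeyCredential: this build predates WebAuthn
};

// Decision a login page would make: sniffing and detection disagree in both directions.
async function passkeyButtonDecision(win) {
  return {
    sniffed: sniffedPasskeySupport(win.navigator.userAgent),
    detected: (await detectPasskeySupport(win)).webauthn,
  };
}

passkeyButtonDecision(firefoxLike).then((d) => console.log('Firefox-like:', d));      // sniffed false, detected true
passkeyButtonDecision(legacyChromeLike).then((d) => console.log('Old Chrome-like:', d)); // sniffed true, detected false
```

The capability queries are the part worth copying: `isUserVerifyingPlatformAuthenticatorAvailable()` tells you whether a built-in authenticator (Windows Hello, Touch ID, Android biometrics) is usable, and `isConditionalMediationAvailable()` whether passkeys can be offered through the browser's autofill UI. Neither depends on what the User-Agent string claims.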
 
I don't think that is a design problem. That is a user problem.
I thought the solution to this was that you create a new passkey on the second device? Transferring the data is a possible security risk. I like the idea of creating more than one key for a site. Data doesn't transfer between devices; sites store more than one key per user. Many sites store the last few passwords anyway to ensure you are not reusing a password. Those sites should not have an issue with storing more than one key per user.
 
Seriously, do some of us really wonder how everything binary continues to manifest such a privacy/security disaster…even “informed” users simply don’t innerstand the cost of the “tyranny of convenience”, along with the dark destructive nature of effortless. The truth is, one cannot secure what one does not physically control...
 
I thought the solution to this was that you create a new passkey on the second device? Transferring the data is a possible security risk. I like the idea of creating more than one key for a site. Data doesn't transfer between devices; sites store more than one key per user. Many sites store the last few passwords anyway to ensure you are not reusing a password. Those sites should not have an issue with storing more than one key per user.
But creating multiple VALID keys for the same site just increases the risk of a "password/passkeys" being guessed. Admittedly it may not increase the risk much, but it is directly contrary to the existing philosophy that once a password has been changed, the old one cannot be used.
 
But creating multiple VALID keys for the same site just increases the risk of a "password/passkeys" being guessed. Admittedly it may not increase the risk much, but it is directly contrary to the existing philosophy that once a password has been changed, the old one cannot be used.
Password, yes; passkey, no. Passkeys are public/private key pairs. In Steve's solution, SQRL, all sites you log in to use the same key pair. Even that is secure! The only added risk in the original question is that he wanted to have both his home and work computer access PayPal. Having two places with valid keys is a risk, but passkeys are way safer than passwords. That's why you don't need a second factor with passkeys; they are that secure.
 
Until I can easily move passkeys between my home computer, work computer, tablets, and mobile devices, I'm not ready to move over to passkeys.
If you use a password manager (ironic, isn't it?), you can move your passkeys among your different devices (as long as they have binaries for that).
 
The issue with this is that it doesn't fix the problem of inexperienced users who "give away" their credentials to phishers.
Can you even give a passkey to someone? The length would make it impractical to read out loud. That is, if you can find it through the UI.
 
give a passkey to someone
Well, the context was to allow someone else to use it (or yourself in another place), so that would presume a mechanism to share it, no?

I was under the impression that the original design "trapped" them in a device to prevent any possibility of accidentally sharing it with someone you should not.
 
Well, the context was to allow someone else to use it (or yourself in another place), so that would presume a mechanism to share it, no?

I was under the impression that the original design "trapped" them in a device to prevent any possibility of accidentally sharing it with someone you should not.
I meant something more like this. I thought of someone trying to scam an elderly lady by having her read the PKI files. To share it for your own use, get a password manager. I have all the passkeys I made on my computer on my phone.
