Just last month my missus cracked the glass of her iPhone. Apple repaired it under AppleCare, which is great… except… that they didn’t tell her that the “glass repair” entails them replacing the guts of the phone and wiping it in the process.

Apple iPhone backups don’t contain cryptographic secrets like eSIMs!

She got stuck in a loop where she couldn’t activate her eSIM because that needed her email, but her email needed MS Authenticator, which she couldn’t activate without an SMS.

She had to drive to the Telco with a pile of photo ID to reissue her eSIM. Her bank account got locked in the process despite the password being correct because of some sort of phone hardware lock.

This took days to fix and multiple in-person visits to various organisations. If this had happened while overseas on holiday, she would have been screwed.

Times have changed.

Your entire digital identity is now a smart card in your phones

That Smart Card is either a SIM card or an onboard TPM chip, but in any event if you lose it, you may as well be dead as far as anyone else is concerned.

Passkeys make this much worse. At least if you still have a physical SIM you can transfer it from any phone to any other phone.

Passkeys are not cross-vendor transferable!

Run away screaming. Don’t believe the hype. Wait until the vendors get their act together and come up with a solution for transfer and recovery.

Very much this. Having authentication tied to hardware you don't control is a near-certain denial of service in the future.

People love to hate on passwords but the reality is that for many circumstances (threat models) they are the best compromise. You can make them more than strong enough (take 32+ bytes out of /dev/random and encode however you like, nobody will ever brute force that in this universe) and various passwords managers solve the problem of re-use (never reuse a password).

And it comes with the benefit that you control how it is stored and can apply as much redundancy as you want to feel comfortable.

> And it comes with the benefit that you control how it is stored and can apply as much redundancy as you want to feel comfortable.

Honestly, I agree!

I used KeePass back in the day (https://keepass.info/) but now use KeePassXC (https://keepassxc.org/) and it's really nice - I don't know any of my passwords because they're all randomly generated and are pretty secure, in addition to them being unique for every account. The only one I have to remember is my main password for decrypting the safe, which I also wrote down and entrusted to someone close to me due to its complexity.

It honestly works great, software to interact with the password safe is on every platform where I need it to be, in addition to it being super easy to reason about storage, because it's basically just a file - that I can then put on self-hosted Nextcloud, or another solution like that, or USB sticks or burn to CDs for all I care.

Maybe I should also migrate all of my TOTP stuff over to it and look into good Android apps at some point, then I wouldn't quite need Google Authenticator or FreeOTP anymore, either.

There's also the possibility of bringing my netbook with me, which also could have a Nextcloud client setup (or Syncthing, or some cloud based option), same as every other device that I own, which would have the last offline backup of the file even if the server itself would blink out of existence.

Honestly a bigger problem without my phone would be the fact that I basically couldn't pay for things all that well when using a card, because of a redirect to my bank when making a purchase online (to confirm it), which then makes me use https://www.smart-id.com/ with a code to confirm it. That's kind of a problem because it's not TOTP but rather it's bound to the device.

I can work around the password safe issue with an SD card that has the database on it, or a USB stick as well, but that wouldn't work for the app, so in the modern day I'd basically need to have two phones, the same way someone might have two sets of keys to their apartment or something. Kind of crazy when you think about it. And I'd also need a smart card reader to even register a new account in most cases, in combination with my government issued ID card.

Then you can tie it to hardware you do control, or to software.

Obligatory "Passkeys misconceptions" article: https://www.stavros.io/posts/clearing-up-some-passkeys-misco...

- "I can’t recover the keys if I lose the hardware"

- "That is a risk you’ll need to take if you’re using hardware authenticators"

Fantasizing that with this proposed simplification of the authentication process people will introduce complexities such as a password manager or a backup hardware device is naive to say the least.

Passkeys are WebAuthn credentials that are synced between devices, so they aren't hardware keys, they're software keys.

"more secure" is a completely meaningless statement, I wish this usage would die already (in general).

You need to talk about security in the face of a very specific threat, then you can say solution A is better than solution B against threat T1, worse for T2 and about a wash for T3 and so on.

Security is not a linear scale from 0-100 where you can say "more secure". There are many different criteria and any given solution will be better in some, worse in others. You must do a threat model for your specific use case to say if something is better or worse for those specific threats, and keep in mind other people will have very different threat models for the same solution.

Threat #2: User creates a weak credential

Threat #3: User reuses a credential (uses same credential across multiple services)

Threat #4: Phishing

Attackers use huge password dumps compiled from multiple server breaches, and then try them against other services. Relying on a combination of the fruits of their labor from all four threats, attackers successfully compromise millions of accounts on the internet every year.

If you want to see the data, check out the Verizon Data Breach Investigation Report that comes out every year.*

These threats affect a majority of both consumers and enterprises.

Passkeys address all four of these major real-world threats. Passwords address none of them.

Threat #1 mitigation: with passkeys, only a public key is stored on the server. Attackers can steal all the public keys they want; it will not help them compromise any user's account.

Threat #2 mitigation: passkeys (which are WebAuthn credentials) are guaranteed to be cryptographically strong. It is not possible for a user to generate an insecure passkey. This is because the browser the the Operating System APIs take care of generating the credential.

Threat #3 mitigation: passkeys (which are WebAuthn credentials) are guaranteed to be unique. It is not possible for a user to reuse the same passkey across multiple apps/websites. This is because the browser the the Operating System APIs take care of ensuring that a new, unique credential (passkey) is generated for every new app/website the user sign's into.

Threat #4 mitigation: passkeys (and all WebAuthn credentials) are bound to the server FQDN at the time they are created. The browser and Operating System APIs take care of ensuring the credential is only ever sent to the app/website server it was created for. Users cannot be tricked (via phishing) into using their passkey on a malicious app/website controlled by an attacker.

* https://www.verizon.com/business/resources/T249/reports/2023...

But personally, as a technically able user, my risk of randomly losing access to my Google (or MS, Apple, Meta, etc) account is far greater than from all those threats combined.

If we had a trustworthy and accountable authority operating this stuff then it would be great. But we don't, we have a bunch of companies who are neither of those things.

It's like mandating that everyone must use self-driving cars that are on average safer than human motorists but occasionally randomly drive off a cliff.

That aside, what happens if you lose your current password? Every major platform out there has a method for recovery. Why can’t that be used for passkeys as well? I don’t see how there’s any incentive for companies to lock us out of accounts, when the platform is pointless without people consuming it.

We may have very little power, as users, but if enough people have trouble getting into their own accounts, that’s going to directly impact the bottom line of the company locking them out. From a purely capitalist standpoint, that’s a really good reason to make sure that that doesn’t happen.

Lastly, at least Bitwarden is planning on having passkey support in their password manager very soon, so there’s real competition that will allow users to be in full control of their own passkeys.

Password managers don't solve #4. But you left out the huge one, losing access to the account. Which for most people is a larger risk than all the others put together.

For just about every person and account, the near-zero chance of getting personally spearphished is much less relevant than the risk of complete loss of access.

Losing access to your passkey/password manager is a separate concern from the strength of the credential itself. Passkeys and passwords are just credentials. What you use to manage them is a separate concern. The concern about losing access to your passkey manager is super valid, but that same concern applies to all password managers that exist today. It's not a new concern that's specific or unique to passkeys. Yes, if you lose access to your password/passkey manager, then whatever solution you're using better have a great recovery story.

I know that at least both 1Password and iCloud Keychain have pretty great recovery flows. I am not sure about Google or the other password/passkey managers (I haven't looked into it deeply).

>of getting personally spearphished

100% agreed that most people don't need to worry about spear-phishing attacks. But that's (sadly) not super relevant, because many users fall for run-of-the-mill basic phishing attacks that any reader of HN would never fall for in a million years.

Since this is the greatest security problem, I would hope all the vendors trying to improve security would focus on that.

Exactly. Unrecoverable secrets tied to closed hardware solve for the scenario where your most important criteria is that no attacker be able to ever access your account, even at the expense of yourself possibly losing access to it forever.

Does this solve a problem anyone actually has for consumer accounts? No.

That threat model makes sense for highly classified information where it is preferable to lose the information forever than have an attacker get it. Other than that, it's not a reasonable threat model to optimize for.

Additionally, part of the security concern is also accessibility by yourself.

edit: Just tried the Google passkeys on one of my Android phones. It is a complete usability hell and it seems I cannot opt out again without logging in from my browser and deleting my "device". If there is another way to just do it from my device without an additional browser, please tell.

Here is 1Password discussing how passkeys are simpler to use than passwords: https://1password.com/product/passkeys

Here is Ars Technica declaring that passkeys are easier to use than passwords: https://arstechnica.com/information-technology/2023/05/passw...

Etc etc. If this is the first time you are seeing businesses and media refer to passkeys as being simpler to use than passwords you haven't been paying attention.

I can definitely believe passkeys are easier, in light of that.

Saying that, I am struggling to understand what is the expectation for ordinary user behavior in terms of hardware-tied credentials. Eg so many people upgrade their iPhone every 1-2 years. If passkeys are not transferred to the new phone, what is the industry suggesting people do?

I have frequently heard and read claims that passkeys are easier to use than passwords. The claim always seemed incorrect to me for so many reasons. What passkeys do is make things more complicated, but move where the complication is.

    “That is a risk you’ll need to take if you’re using hardware authenticators. The fact that the key isn’t copiable means you only have one of it, so you should probably be enrolling multiple hardware authenticators on each account, or just switching to a software authenticator if you don’t care about the decreased security.”
 Software authentication with backup and synchronization is how passkeys are being shown to end users on two of the biggest platforms. For Apple, this is iCloud. For Android, it’s Google Play services. Add to that the fact that 2FA tokens are very often tied to a particular phone, and there’s very little difference between a passkey and the current system of passwords + 2FA, except that passkeys are currently far more resistant to phishing.

Also, what's stopping us from falling into the passkey version of the world we got with OpenID, where many services force you to log in with your BigTech account?

Or at least they will at some point in the near future.

You can try this out on webauthn.io and changing the attachment setting.

They are going to be the gatekeepers if you and the web services let them. Oh yeah — also they’ll run all the web, email and other services anyway. Trap you in their metaverse and AI most likely, since that’s where your coworkers and friends will be you’ll have to be there too.

Resist by opting out :)

But in many other countries, gmail isn't that successful. Still, email is still under attack by big mail servers getting more and more restrictive.

https://intercoin.org/overview.pdf

You can use passkeys with a yubikey, right?

I believe all of the issues you've described, but you can usually add multiple passkeys to each service. There is nothing stopping you from adding your iPhone and a cheap android phone and having redundancy, or using 1Password and storing your passkey in there.

iPhone backups do store backups of the media stored in iCloud Keychain, if you have another apple device or if you have the recovery key, you can get back in. You just need the device passcode or recovery key and you can re-bootstrap everything. eSIMs are unique because they're carrier things and those things have and always will be a pain and tied to stores and phone calls.

How does this work? Do I have to visit the website of each service from my secondary device for it to get the alternate passkey?

But not all setups support this. Some only allow one. Obvious issues abound.

I'd go as far as to say "most setups don't support this. Most only allow one".

The services I've seen so far that support multiple passkeys are in the minority.

All of the things I've used passkeys on support both web and mobile auth, which necessitates two keys.

So no, writing down the SSH private key is not the solution. The solution is to trust multiple private keys, each stored within tamperproof hardware.

This is also why, as a service provider, I'd like to see some device attestation. I want to know that the keys being used here are not written on a fucking piece of paper.

This is precisely why user should run away. Service provider is moving liability to end user and washing their hand away, while user gets screwed if anything happens during vacation.

With a bank, if I lose paperwork, they will have a process in place for me to prove my identity. BigTech will shrug if my phone-locked passkey becomes inaccessible.

The effort and hassle for Google et al to invest in robust support mechanisms (backend and people) for passkeys makes it highly unlikely.

No doubt you'll get the standard boilerplate email responses, if you are even that lucky, that just point you to an FAQ or something similarly unhelpful.

Imagine leaving identity to a corporate who simply shrugs off all but legal threats. It's terrifying and I reckon we are in our way there

If you want to avoid that, just set up multiple devices.

I have had a (Google) phone suddenly die in my hands without any prompting. With a password I was able to transition to a new device without incident. If my passkey was locked to that device, I might have found myself locked out of my digital identity.

But you can use multiple devices... How is "a password written down and stored somewhere" better than a separate device used for backup purposes? Hell, get three devices, go nuts.

With passkeys you have to buy multiple phones, sign each of them into every one of your accounts, then keep them physically distributed (no cloud storage for phones). And to make sure they still work you have to periodically manually go and interact with the phones physically, even the one you stored in a bank vault. You also have to do this if you sign up for a new service.

Not to mention the inevitable services that don't allow multiple passkeys.

Let’s not forget the providers who do not offer the ability to enroll multiple devices. Last I heard, AWS would only let you put a single authenticator on your account.

Anyway, to be clear, I'm not advocating for "get rid of passwords forever", I'm saying that for a lot of people passkeys are superior and the whole "how do I recover" is just not that big of a deal.

The main issue is the cost of devices like yubikeys. They should lower those. Companies should start providing them. Schools should hand them out. etc.

As a user I hope you don't get it. Having an easy way for services to require that everyone using them is doing so via the official app on an iPhone or OEM Android phone sounds like a nightmare.

This seems incorrect. “ Like passwords, passkeys are encrypted and stored in your iCloud Keychain”

I also just recently set up some passkeys via 1Password and they are also not hardware bound.

But as a user, this is not a realistic solution. If I have to keep multiple pieces of hardware enrolled, that means that I have to keep all the multiple pieces of hardware at hand when I create an account somewhere, and go through multiple enrollment cycles.

That means that I have to keep all the various pieces of hardware in the same physical location and relatively easy to access, which removes a great deal of the safety of redundancy.

It's just not realistically workable for me.

> I want to know that the keys being used here are not written on a fucking piece of paper.

Why do you care?

Any web service that locks accounts to devices is going to be shedding customers as they lose or replace phones.

If I can't access my pk, I cannot be phished. As soon as you allow me to copy my key (instead of creating many, which should be acceptable) I can be phished again.

That is, passkeys cannot be phished. The only way to get into my passkey protected account is to physically gain access to my passkey device, which requires both physical access to the device, and a second factor like a face/fingperprint or PIN/password.

Additionally, the TOTP secret can be copied, while today passkeys don't allow that either.

Except shorter for convenience. Something you could even memorize.

If Neil deGrasse Tyson gets locked out of his Instagram, you can be damn well sure someone answers his support request.

If you or I, in two to four digit follower counts, have an issue? We can get fucked.

Damn near most companies do this with the social media PR teams, too. Any tags/mentions, messages, etc are filtered through software that decides how much cloud you have and thus how worthy of attention you are. Delta loses your guitar and you've got 100 followers? Nobody in the social media team is likely to even see it. Someone with 5000 followers, and a post about it gets a couple hundred likes/retweets? American is going to fall over themselves to make it right.

That's the great lie about social media - that you can use it to draw attention to a problem you're having. Unless you've cultivated a large enough following, you'll be completely ignored.

I pretty much use 3; Yubikey in my workstation, portable Yubikey, phone. All 3 of those can bootstrap Google, which I use for email, and Apple, which I use for my phone. Then, everything else is in 1password, which are available through those mediums. Worst case, I am pretty sure in the most dire of dire emergencies, I can get my email back no matter what. Verify ID with my DNS provider, switch MX records, back in business. Even then, it's not necessarily essential to daily life. (A colossal inconvenient to lose access? For sure. Death sentence? Probably not.) All my SMS and Signal contacts are elsewhere. I can spend money out of my bank account by writing a check. I can get into work stuff by showing up in person at an office.

I do think that passkeys are probably too complicated for the ordinary user of computers; unfortunately that "we'll just email you a link every single time you want to sign in" seems like the most user-friendly passwordless authentication.

I also don't feel great about my habit of putting passkeys in 1password, because I know I'm locked in forever. But, I like the service, and when I want to switch, welp, at least there's a list of accounts I have to remake.

My biggest fear is something like forgetting my phone's passcode. One time I woke up, got distracted at just the wrong moment, and could not for the life of me remember my 6 digit passcode. (I also use the same code to unlock my workstation.) I had to distract myself and then use muscle memory to remember it. It was really crazy, truly one of those "did I just have a stroke" moments. I have that saved in 1password now, so if I have one unlocked device, I can refresh my memory. This happened a while ago and I don't think I have dementia. Just a weird quirk.

(Meanwhile, I can perfectly remember every 1-year-max-lifetime password I've ever had at any job. A lot of that good does when you can't remember a 6 digit number!)

> But while they’re a big step forward, we know that new technologies take time to catch on — so passwords may be around for a little while. That's why people will still be given the option to use a password to sign in and may opt-out of passkeys by turning off “Skip password when possible.”

So, soon passwords will be added to “Killed by Google,” along with my account. (I keep zero devices logged in.)

It’s well past time to migrate off my few remaining use cases. I wonder if my employer will be able to reset my corporate account passkeys when the inevitable happens.

Adding a passkey to an account is like adding a yubikey to an account (experience wise). You can (typically) add multiple keys to your account.

It's also not all or nothing. You can (in every service I've setup) still have a password and an even a TOTP.

The multiple passkey option kicks out my other session when i use the other passkey.

Unless you store the passkey in a hardware Fido key like a Yubikey. Then the way to transfer it is to physically carry the key and plug it to another device.

This “cross-vendor” property is nice but it’s not required to defend against being locked out of one’s stuff.

https://bitwarden.com/passwordless-passkeys/

Seriously, just tried passkey on an Android phone of mine with a burner account. I would not recommend this to anyone. Passkey as a tech might not be the issue, but the lacking option of just removing devices and passkeys freely from your account is just not acceptable. The vendor simply has different ideas about security than I have and it is not just restricted to serving me "safer" ads.

The solution is to set up multiple pieces of secure hardware, not writing down the keys to the castle on a piece of paper.

It is true that you do need to be rich enough to own a phone and ~100 USD of something else (laptop or USB), which does put redundancy out of the reach of a large portion of the world. But then they can just use regular 2fa at the expense of not being phishing-proof.

Things being this complicated makes them a non-starter. A nerd vanity project.

And this isn’t a knock on the “intelligence” of the general population. They quite rightfully won’t want to spend their limited time on God’s earth learning about all this.

But information sovereignty is crucial when it comes to this stuff; losing that is a regression that will cause problems

That doesn't mean giving up on having good security, though. Passkeys don't work like eSims and other users' situations might not be the same. Their failure modes will be different. They might have more than one device (like a phone and a tablet), or they might not use MS Authenticator for their email, or they might have set up different recovery methods?

We need more backups and user education, which ideally would include rehearsing account recovery before it's actually necessary.

I am not being sarcastic - which ever service your authenticating to make sure you have passkeys from at least 2 different devices so you do not lock yourself out.

If you don't fit into this multi device assumption, passkeys are not going to work well for you. There will not be a standard for transfer / recovery.

And the question they will ask is about the need to have two passwords.

It would be awesome to have an "emergency" server where I could type in the URL, decrypt it with my passphrase and OTP, and get access to everything I need temporarily so I can re-bootstrap all my stuff. Of course, this doesn't solve the problem of SMS 2fa being used for everything, but it's a good first step.

I am in favor of crossplatform solutions like YubiKey. Apple and Google passkeys are lame.

  Have 3 passkeys
  2 of them on-person at any time (e.g. one on your phone TPM, one on a Yubikey)
  1 of them off-site (e.g. keep a backup Yubikey at home in a fireproof safe, or use a 1Password passkey, depending on your threat model)

I use four: an Apple Passkey, a YubiKey I keep on me, a YubiKey at home, and a YubiKey in the bank. When I sign up for a service, I need to register all four of them. Not only is this generally a bit of a pain in the ass, but it also means I have to remember to go fetch the one in the bank vault periodically and update the credentials.

If I could save a stub locally that would let me register with a key not in my physical presence, that would go a long way to making this more usable. Even better would be the ability to register a bundle of them all in one go without having to do it four separate times.

As it stands right now, it’s hard to recommend to users who don’t understand or care enough to take all of these steps. Which to be clear is entirely reasonable on their part. It’s an unacceptable amount of work and mental accounting for it to be something the average person can do without high risk of losing their entire digital identity.

I have Yubikeys and find this frustrating.

Is there not a technical solution that should've happened by now, or is it not as simple as I'm imagining: can't hardware passkeys have a way to export whatever it is that's needed for services to register them (public key/s?) such that if you have 4 keys you can export 4 files to your PC and and time you create an online account just provide all four files at the same time to be registered?

I guess maybe it's not as simple as being a public key that can be registered without the key being around, some sort of active challenge/response needed as part of registration? Or is my imagined solution above completely workable and just overlooked so far?

I feel you, but I don't think Average Joe's threat model requires keeping a Yubikey in a safe deposit box (this is besides the issue that safe deposit boxes are less safe than you think: https://www.nytimes.com/2019/07/19/business/safe-deposit-box... ). A cloud-based passkey (like 1Password) is fine as the off-site backup key for most people.

You're probably right, but this is still new enough that I'm nervous to rely on that. If 1Password has a data-corruption incident and you don't have other passkeys, there goes your digital identity. 1Password (or Apple Keychain) plus two YubiKeys is almost certainly fine. But that does still now run into the pain of registering multiple passkeys.

To be completely honest, I sometimes wonder if it's borderline malpractice that sites allow registering only a single Passkey. Registration processes should fundamentally require you to onboard two of them at a minimum, and encourage three. Or maybe I'm just becoming curmudgeonly as I get older. But I do worry that the current state of things—while absolutely on the right track—is going to be an unfolding disaster for non-savvy early adopters.

I thought passkeys were supposed to be convenient to use.

That's exactly the part that makes this solution unworkable.

I just have a hardware key on my key chain and one on a pretty fireproof safe (which I got for other reasons). But I still added a phone recovery just in case.

As I understand it, the recovery process will always wait multiple days while sending many emails to me that it's been initiated.

Some common attack vectors like phishing would be more secure since you more or less automatically generate different credentials for different services, just as you get different access tokens from your oauth service. Token theft is an issue too, but only ever partially compromises you for a limited time.

I moved quite a bit of logins to Passkey and I chose to stay with the Apple ecosystem as my Passkey Lord/God. So far, it has worked and I have moved between devices (desktops, mobile, and the in-betweener).

Assuming I’m going to stay for quite a while with the Apple Ecosystem, am I doing it wrong by making my Passkeys pass through my Apple ID?

For instance, I change my eSim or number or replace phone, won't accept next time I login and then verify from the laptop, desktop, iPad, watch, or, heck, the Apple Polishing Cloth? (Assuming the cloth will become a smart cloth eventually).

They are when using a third party password manager like 1password or dashlane. At least in they are device agnostic. Haven‘t yet tried to export a passkey to another manager.

I predict this will not be true always.

IMO, this also means the problems with Passkeys will get fixed pretty quickly. And given I can already store my Passkey in 1Password and then use it on every device I currently use (including Firefox on mac/windows and iOS Safari), it's honestly not a huge problem.

I think passwords are a much bigger problem for people. Simple/re-used passwords are still incredibly common-place, and too many people don't realize how big of a problem that is. Once you incorporate a password manager so that you don't need to remember passwords... Passkeys via a password manager should be even easier to use, given you don't have to rely on browser extensions auto-detecting input fields.

Or a password? Wait, didn't we want to get rid of passwords? How is that any better?

The kinds of people with reused passwords all over the place won't use 1Password. And if you do use 1password to actually generate strong passwords you don't need passkeys and it works on all kinds of services without those having to support passkeys.

    Cloud-based backup storage – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.

In other words, the thieves went to the bank vault a d stole your safety deposit box but can't access it because they need your key, which only you posses.

If I can store my passkeys in 1password (or lastpass etc) then nobody needs access to my physical phone. They just need access to my password manager's password.

I agree that for many many people password managers are way better than alternatives. But they don't magically make everything safe.

It's like MFA. "it is all safe now because we will send you a code via SMS" and the people fall for social engineering attacks that make them disclose the code the attacker just had the bank send to them.

I doubt such people will be a le to safely use a password manager or passkey for that matter. Passkey are just new enough that we have not had widespread news about how crooks were able to find the weak link(s). Probably on the human side again like in many cases.

So even if there is some sort of hardware tie in that only ever works with real hardware an attacker just needs hardware. Or virtual hardware I guess ;)

Totally out of context parallel: Pokémon Go. A game that gets you out into the world to find and capture Pokémons and talk to other people. Or spoof your GPS coordinates with a simple SDR setup. No anti-cheating software on the phone will ever know.

Apple and Google do not quickly fix things when users have no alternative in my experience.

> And given I can already store my Passkey in 1Password and then use it on every device I currently use (including Firefox on mac/windows and iOS Safari), it's honestly not a huge problem.

For you. You believe the criticisms are dishonest?

Still being the operative word. Consider situation with running banking apps without hardware attestation, etc

The problem here is that you are assuming one passkey. Just like you don't get just one key for your door its risky to get only one passkey, if you are planning to use it exclusively.

Passkeys are like normal keys but for your digital life. They have many benefits over normal keys like being impossible to copy/pick while still being easy to replace (as long as you have one that works) and if used properly (with a short pin-code) someone who finds or steal your key cant log in to your virtual doors anyway. They compare even better to passwords.

Just get one for your keychain and one to put at your stationary computer at home. The only thing to remember is to add both to your account(s), which still is faster than fiddling with your password manager and/or second factors.

Passkeys are really amazing, the only thing(s) remaining is to stop confusing people with terminology, explain that you should have a pair and for services to start properly using the keys as a combined first+second factor with a pin (which you can have safely the same on all your passkeys, in contrast to passwords).

What do you mean not cross-vendor transferable? You can use any brand key that properly implements the protocol (fido2/webaunth), and replace them with any brand key. If you mean copy them, well yea that's kinda the point..

There are plenty of ways for recovery on reasonable services, sometimes they ask to set up way to many (and with multiple passkeys, recovery is only relevant if you loose ALL of your keys).

Just want to point out that if your missus had a pair of passkeys there would not have been any issue!

you can do it on your own with twilio, then create a phone number and have a program forward you stuff to your real phone.

the twilio phone is hard to lose as it has an api and you can toss it when you want to start over.

except now, you need an entire phone virtualized as your proxy instead of just a twilio phone number.

they keep raising the barrier

This might feel true, but it's factually not true.

Both passwords and TOTP can be phished. In addition, passwords can be weak, reused, and password hashes can (and are frequently) stolen and cracked in server breaches.

Passkeys are guaranteed to be strong, unique (can't be reused), strongly phishing-resistant, and there's nothing worth stealing from servers (just public keys).

Passwords and TOTP are not fine, they're both fundamentally broken when you look at them in the context of the modern internet attack landscape.

years ago i was robbed in dc of my phone at night on the way to a concert. i use google voice and was able to login at cvs to contact a friend to meet me there. in 2023 i would have been locked out by not having a 2fa or phone

I don’t think I am alone in thinking I am on borrowed time. Someday, probably due to my own fault I will be locked out of Google and my digital life will be over.

If a private company can offer a similar login method like login.gov and let me talk to a real person when I am locked out like the USPS, I will be screaming shut up and take my money.

[1] https://mastodon.laurenweinstein.org/@lauren/111103819626952... [2] https://mastodon.laurenweinstein.org/@lauren/111211366080459...

The criticism is based on the idea that most non-techie folks are unlikely to use a strong PIN and are unlikely to set up strong biometrics. There’s a related criticism about malware being able to steal passkeys on PC-based systems.

What does this change?

At least in this case the thief has to steal the physical phone instead of guessing "password123" on the google signin prompt from the comfort of their home.

Also- how many non-techy people do you know that avoid using on-device biometrics? On my end, the number is approximately 0.

...very high? I don't understand how this is unlikely, pretty much every phone owner with a google account is signed into that account on their phone.

> The criticism is based on the idea that most non-techie folks are unlikely to use a strong PIN _and are unlikely to set up strong biometrics._

On-device biometrics are typically _also_ used to unlock the device password manager, so my other remarks still apply. I bet a sizeable portion of the HN crowd also uses biometrics to unlock their well-configured password managers on their phone.

At least, that's what I personally do. Entering my very strong vault password every [lock duration] on a touch keyboard is already irritating enough; I'd rather just look at my phone to unlock my passwords when I need to use autofill.

And none of that helps you when someone robs you of your phone and says tell them your unlock code or they’ll stab you. Now they’ve got all your passkeys too.

So yes it is true that your phone and it's pin/biometrics are ultimately the most important thing for security. But passkey on your phone is no worse than the previous state.

1) The House smartphone → it is where you install everything truly vital, like the main bank app (started mainly because of this), 2FA apps like authy google microsoft equivalents, passwords, streaming apps (to do their 2FA), etc. This phone NEVER NEVER leaves the house, except ONCE if the bank app requires on location authentication of the phone for the bank app to function, which is common practice with traditional banks.

2) The Street Smartphone → you essentially create a ''street bank account'', deposit sufficient money for day-to-day transactions for some days or weeks, install the app, and only keep this app installed for any money use (many people also avoid even using the same bank as the main bank app, as the main bank usually is a traditional bank with physical locations to get help - and has tons of personal information stored - and the street bank usually is a fin-tech bank that people do not really trust like old banks, either economically or for security, but it has less personal data anyways). It also has the essencial social media like Whatsapp, instagram, some password manager like bitwarden or the apple-google cloud, and 2FA (the ones who actually use it) is avoided in this device.

3) the thief smartphone → many people like to take some old phone around to give to a thief if the need arises, this way even the street smartphone is saved. Might not work if the thief smartphone is too old or clearly broken though.

4) the work smartphone → the only mostly chill 2nd smartphone on the list, useful to keep private life separate from the professional life, and also is useful to avoid the boss sneaking into the worker's private life and devices. There was a scandal here when a provincial government out of the blue installed a whole app in the smartphones of teachers AND students with no warning or any control whatsoever, and many people got scared that the administrative google service app being used by all (google education or some s*t) pretty much allowed the devices to be remotely controlled and viewed by the employer , be it private or public, so many people assumed any work devices is or can be done the same.

Can you elaborate ?

What does this "on location" process look like ? What do they ask you to do ?

A disaster scenario in practice means you are screwed either way here, tons of physical documents can be lost or destroyed too, but that is a calamity that by definition is exceedingly rare.

Most are worried about common thiefs, a scenario of robbery or assault that can happen anytime anywhere and frequently, repeatedly. The overall threat here is far larger that the rare scenario.

Now, to the complexity. Usually the thief smartphone is some old phone still around, might not even be working, and no one puts anything in there, it is literally a throw-away device. It has no complexity or hassle, and usually is free. The house smartphone, people usually repurpose some old smartphone or buy a cheap android. I still have an iphone 6 for this purpose, and if the app is up to date, it usually is safe enough. People will not be using the phone for anything else, it will not leave the house, so exposition is severely reduced.

It isn't a matter of if, it's just a matter of when. Backups and a thorough disaster recovery plan is absolutely mandatory for anyone who cares about their data. Some company is going to mess something up due to no fault of your own. It is inevitable.

Unfortunately, there aren't good disaster recovery options for some aspects of lost accounts, but having multiple accounts and avoiding single-points of failure help some.

But even this can't protect against getting locked out of your Google account due to some Google policy change, so ideally we'd rehearse how to get by without it.

I thought the Apple Store would check your driver’s license or whatever and reset your password, recovering whatever is protected by the escrow keys.

I know Google loses accounts all the time, mostly thanks to “surprise 2FA” combined with zero tech support. I’d believe Apple screws this up too, but I haven’t heard any anecdotes.

Care to share a link to examples?

Modulo the whole privacy/vendor lockin issue, passkeys are not a terrible alternative to people without 2FA reusing the same basic password on every single website.

However, when you actually rely on it to secure things, it quickly becomes a massive nightmare - made even worse by it being treated as equivalent to password+2FA.

passkeys are significantly more secure than the most widely-used/most popular forms of 2FA, because the most popular forms of 2FA are TOTP and SMS, and both are subject to phishing attacks. A passkey alone is much more secure than the vast majority of password + 2FA combinations.

The only thing stronger than a passkey standing alone is a Security Key, but Security Keys come with a lot of usability downsides that can easily bite the average user, including:

- inconvenience: you have to remember to carry it around with you everywhere (and not lose it!)

- recoverability: you're completely screwed if you lose it and don't have extras that you already previously added to your accounts. (this also means that you need to buy at least two security keys to have a decent recovery story.)

- rotation (have to log in to every single service, one by one, to re-add new key if you change keys)

And if you really want the extra security that a Security Key provides, you can use a Security Key as a passkey.

Blanket statements like this demonstrate a misunderstanding that "security" is just one thing in a single lineal scale.

In reality you have to ask, secure against what? And to answer that meaningfully you need to a thorough threat model for the specific use case of person P and account A.

The same person P will have a different threat model for every account they have.

The D in STRIDE is for denial of service. Passkeys are much worse on this axis than any other solution. You need to evaluate for the specific combination (P,A) how much this matters vs. other criteria.

Here's the full context again:

passkeys are significantly more secure than the most widely-used/most popular forms of 2FA, because the most popular forms of 2FA are TOTP and SMS, and both are subject to phishing attacks.

>The D in STRIDE is for denial of service. Passkeys are much worse on this axis than any other solution. You need to evaluate for the specific combination (P,A) how much this matters vs. other criteria.

How are passkeys (really, WebAuthn credentials in general) any worse in terms of denial-of-service attacks than passwords?

I think you're trying to make a point about specific passkey/password managers, rather than the actual credentials themselves. Is that accurate?

He says it's "easy to find" but apaprently he can't find it. https://mastodon.laurenweinstein.org/@lauren/111211489395997...

Why is "weak device password" a reason to avoid passkeys, when those users presumably have weak service passwords as well?

But that argument doesn't address how passkeys somehow make that worse.

Sure, if you don't want your valuable stuff stolen, don't put it on your phone. But that's a problem whether you use passkeys or passwords or passwordless links sent to your email or SMS.

For Google in particular, password/passkey isn't a binary choice(currently). You can fall back to the password sign-in flow if your device doesn't have a passkey.

To compare the risks and benefits, we need to know how often people actually re-use passwords, use 2FA, rely solely on their phone screen lock for access to all their accounts, use biometrics, need account recovery, and so on. That data is the only way to settle the debate (and would allow each person can settle it for themselves, perhaps differently based on their circumstances).

Google has most of this data. They should publish it to back up their claims.