- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?
Passkeys work like a public/private key pair you’d use to secure SSH access to a server. You give the website a public key that corresponds to a private key generated on your local device. Unlike a password it’s not feasible to brute force and there’s nothing you have to remember which makes it more convenient for you to use. If a site is hacked and they gain access to the public passkey you use to authenticate, it can’t be used to authenticate anywhere.
It’s not really an alternative to a password manager, because you can use a password manager to generate and sync a single passkey between all your devices. In fact 1Password is a big proponent of passkeys and even maintain a big directory of sites that use passkeys.
Unlike my devices, I always have my brain on me. Devices are much more easily lost or stolen than memories. I often might want to access sites using my account from third party devices which I don’t want to be able to use my accounts when I’m not using them.
I just can’t understand how using passkeys (or password managers, for that matter, massive single points of failure that they are) is supposed to be in any way shape or form more convenient than simply remembering a passphrase (which can easily be customisable for each site using some simple formula so that no two sites will share the same but it’ll still be trivial to remember).
Both password managers and passkeys seem like colossal inconveniences and security risks to me when compared to passphrases, frankly. And if you want extra security there’s always two factor authentication (with multiple alternatives in case you don’t have access to one of them, of course; otherwise you might as well delete your account).
Both my mom and my grandma who are extremely far from tech literate absolutely love that I forced them into using a password manager because it is so much more convenient.
My mom wouldn’t even do the special algorithm for each site, she just had like 2 or 3 passwords that she would use depending on site requirements, and even that simple setup was far less convenient for her than a password manager. She was the one who initially had the idea to make my grandma use one because she became evangelized about how much better a password manager is than having to remember passwords.
Your point about inconvenience is just straight up wrong.
I would also vehemently disagree with your claim that they are a security risk unless you just straight up use them wrong / use hunter2 as your master password. But this comment is already super long so I will just stop there.
Coming up with a simple formula is a big security risk. It makes your passwords easier to brute force, and with enough entropy, probably easy to guess as well.
And what happens if the password is breached? Do you change the formula? What happens if a site requires a password change? Even if the formula accounts for versioning/iterating, how do you remember which iteration you’re on?
Extra security with 2FA I agree with, but that’s not mutually exclusive to using a password manager.
And are password managers really single points of failure? These password managers can sync to multiple devices, so your data is generally safe. If someone gets your password manager password, that’s a problem, yes, but they’d need access to your device to view anything, as installing on another device requires a separate master key to set it all up (which should not be stored digitally anywhere).
Passphrases are by definition hard to brute force.
The formula should not be obvious. Don’t just put the site’s name in the passphrase, put a similar sounding but easy to remember word, something that rhymes, the first and last letters of the site’s name plus the number of letters in the domain name, whatever.
An attacker would need to specifically target you and have more than one of your passphrases using the same formula in order to try to figure it out. Too much work. If they’re that interested in your password it’s easier to beat you up until you tell them.
You can have a couple different formulas or variations.
Same way you’d remember the password you used for a site if you reused two or three different passwords.
And if you use the wrong one just try again; sure, passphrases can be a bit long, but having to type them multiple times is a good way to make sure you remember which one you used, lest you have to type it again.
The benefit of passkeys over passwords is that they’re phishing resistant and use strong encryption. They’re effectively an iteration on yubikeys meaning you can have as many (or as few) passkeys associated with a given login as you’d like. So, you can easily prevent there being a single point of failure in the system.
Passkeys are tied to accounts and devices and those devices are the only devices used for authentication. This means you can access your account form a public device without that device ever knowing your credentials provided you and your secure device are physically present so it avoids the whole keylogger issue.
My secure device is in my other pants, though. I misplace my brain much less often.