- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing attacks and make your online experience smoother and safer.
Unfortunately, Big Tech’s rollout of this technology prioritized using passkeys to lock people into their walled gardens over providing universal security for everyone (you have to use their platform, which often does not work across all platforms). And many password managers only support passkeys on specific platforms or provide them with paid plans, meaning you only get to reap passkeys’ security benefits if you can afford them.
They’ve reimagined passkeys, helping them reach their full potential as free, universal, and open-source tech. They have made online privacy and security accessible to everyone, regardless of what device you use or your ability to pay.
I’m still a paying customer of Bitwarden as Proton Pass was up to now still not doing everything, but this may make me re-evaluate using Proton Pass as I’m also a paying customer of Proton Pass. It certainly looks like Proton Pass is advancing at quite a pace, and Proton has already built up a good reputation for private e-mail and an excellent VPN client.
Proton is also the ONLY passkey provider that I’ve seen allowing you to store, share, and export passkeys just like you can with passwords!
See https://proton.me/blog/proton-pass-passkeys
#technology #passkeys #security #ProtonPass #opensource
Passkeys can’t be lost or stolen in the same way passwords can. They aren’t something you need to learn and are at risk of forgetting, and unlike passwords they never leave your device so they can’t be intercepted, or stolen in a server side data breach. In order for a passkey to be stolen, somebody would need to both steal your phone, and force you at gunpoint to unlock access to the passkey using biometrics.
So they’re much, much harder to lose or “steal”, and the only way they can be stolen, could similarly be used against you to steal your password.
Yes, I think this person is precisely and exactly asking, what if someone steals your phone?
Not so much that they will get access to your data. Even though on secops it’s a given that access to the device is game over. Even if the device is fully encrypted, it’s just a matter of time (even if that time is infinite) to get access.
But, now the user is locked out of their digital life. How do you get back in? There’s nothing you can use to authenticate yourself in with the server if all you had was a passkey. Your data is now inaccessible, great, but utterly lost, not so great. One workaround is to have more than one device with access to all your accounts and never have them in the same physical space or travel with them at the same time. So you don’t lose them both. Or, how most implementers are doing, using all security systems simultaneously. Passkey, passwords, TOTP, 2FA, all at the same time. Such that you can go back into your account if all your devices are compromised.
I’m still not sure what the question is. The same way you would with a password. Using an authenticator app also ties authentication to a single device and yet you don’t seem worried about that. Using “all security systems simultaneously” is not a solution to this problem you’ve suggested which I don’t think really exists. By using all security systems you’re just making your service less secure, not more.
I didn’t mention it because the comment is not about that (?). But it does worry me. This is why I have 2FA with my authentication/password manager, and do make sure to remember my password to that, because it is the one service remembering all my passwords, TOPTs and passkeys.
I agree that it is less secure, but it’s a necessary evil. Furthermore, it’s mandatory. Security and convenience are always at odds. Passkeys theoretically hit a sweet spot of both qualities. But they come with a higher potential for a possible theoretical lockout.
Let’s assume you have an email, you access this via a passkey authenticator that remembers all your passkeys. To access the authenticator you have to provide either a fingerprint on your phone or a password + OTP to your email. This is a system on potential lockout.
If your phone is stolen or destroyed, now you can’t use the phone to access your email, nor login into your email to verify your access to the passkey authenticator. Now you are locked out of your entire digital life. This is not a rare occurrence, it happens everyday. The only reason it’s not catastrophic is because some part of the chain is password only, and the person remembers the password. Or the second factor is on a trusted third party (like cellular carriers reinstating phone numbers via ID check).
Just like welding all doors and windows shut, yes it is more secure, but you also locked yourself out of the house. You want to still be able to enter the house.
But they don’t. I think this is where your confusion is. I think you’re worrying over a problem that doesn’t exist.
It does not.
If you’re scared of losing both your device and your recovery codes for TOTP, to the point that you store those in your password manager, and you’re happy with that solution, then just store your passkeys in your password manager. Thats literally what this post is about.
And even if you store your passkeys on device for an iPhone for example, they’re stored in your iCloud Keychain which can be recovered if you lose your device. Theres also just nothing about Passkeys that prevent a service from offering an account recovery service.
If you’re already using 2FA, then Passkeys do not pose any additional risk to being “locked out” of your accounts. They actually have less risk usually.