top | item 43305481


grammarxcore | 11 months ago

The big thing missing from the article is how a device that contains many passkeys is any different from a password manager that enforces security settings. I don’t worry about passwords my password manager generates getting compromised because I use at least 24 random characters (assuming my password manager is using a cryptographically secure PRNG that guarantees some level of randomness, giving us more than 128 bits). Assuming I use that to manage the password to my email, I really only have to worry about my password manager key being compromised. I only use my password manager on trusted devices, so I really only have to worry about my trusted devices being compromised.

If I use passkeys, I have to worry about my trusted devices being compromised. According to the article, “as long as you can remember your phone password, you can log in to your accounts.” That sounds like my password manager. The other benefits also sound like a combination of my password manager and privacy focus. I’m not saying this is bad; I just don’t see how it’s different from a security-conscious status quo.


freeone3000 | 11 months ago

Passwords are still leakable, guessable, and can be phished. Passkeys are “second-factor-only”: your device responds to a challenge and acts in a similar capacity to a yubikey. The private keys contain much more entropy than a password, never leave the device, and the challenges and responses are both signed with site-specific keys so they can’t be phished. So from a security perspective, a lot is gained.

From a user perspective, instead of trying to get the dang webform to autofill, I just smile for a second and become authenticated.

voxl | 11 months ago

Until you lose the device. Or you're given security codes, and those are, again, leakable and guessable. No normal user is going to accept their phone being stolen and losing access to their bank account. It's "bitcoin as unregulated fiat" levels of wishful thinking.

AlotOfReading | 11 months ago

"Leakable" isn't a purely negative property. It's the same thing you can use to provide access to a trusted spouse, and ensures a trivial solution to the "lost device" problem when traveling.

tonyhart7 | 11 months ago

Well, if your hardware is compromised, using a password manager or passkeys is no different at all.

For now, phone hacked = say goodbye to work, banking, etc. is not ideal, yes, but in the future where you can implant chips under the skin??? Now we're talking.