On this episode of The Vergecast, we figure out passkeys once and for all.
Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing... that lives on my phone? What if I lose my phone? What if you steal my phone?
Until someone can explain to me how I can transfer, manage and control my passkeys without syncing them to some hostile corporation's cloud infrastructure, passkeys will remain a super hard sell for me.
I didn't like that they interviewed a corporate PR person instead of a real security expert. Sorry but that lady is just deflecting and spinning and missing so many important details to promote 1password.
Generally like the verge but this one was a bit lazy ngl - was there really no neutral or open source expert available?
If only companies wouldn't be patronizing ass hats about it. A few sites deny storing passkeys in software wallets because of "security". So what, keep using my password is safer now? Fucktards.
Can somebody help me understand the advantages of passkeys over a password manager? Googling just brings up tons of advertising and obvious self promotion, or ELI5s that totally ignore best password practices using managers.
We shouldn't be getting rid of passwords, or one time passwords, or two factor authentication, or single use codes. The point of security is that overlapping features are what bring convenience and deterrence.
What if I lose my phone? What if you steal my phone?
Bitwarden supports passkeys, which are stored in your bitwarden vault. If you lost your device, as long as you can still access your bitwarden account, your passkey should still be usable.
I can login with the same passkey on Firefox and Chrome using bitwarden. Too bad it doesn't work on mobile yet.
Ok so 2fa is based on things you know (passwords), things you have (devices), and things you are (biometrics).
I could see passkeys replacing the phone portion of a 2fa, but replacing a password? That can both invalidate the point of 2fa (verifies you have a device twice) and kill the benefits of having a password (if I lose my device I can still login, if it's stolen the attacker can't access all of my accounts).
Glad this is being discussed. Having worked adjacent to the authentication market, I have mixed feelings about it, though.
There are a few problems with passkeys, but the biggest one is that no matter what, you will always need a fallback. Yes, Apple promises a cloud redundancy so you can still log in even if you lose every device.
But that's just Apple's ecosystem. Which, for what it's worth, is still evolving. So the passkey itself is phishing-resistant, but humans still aren't. Fallbacks are always the weakest link, and the first target for bad actors. Email, or sometimes phone and SMS, are especially vulnerable.
Passkeys in their current iteration are "better" than passwords only in that they offload the fallback security to your email provider. Meanwhile, SIM swapping is relatively easy for a determined social engineer, and mobile carriers have minimal safeguards against it.
Usability? Great, better than knowledge-only authentication. Security? Not actually that much better as long as a parallel password, email, or SMS can be used as a recovery or fallback mechanism.
I'm not saying passkeys are bad, but I'm tired of the marketing overstating the security of the thing. Yes, it's much more user-friendly. No one can remember reasonably complex passwords for all 100 of their online accounts. But selling this to the average consumer as a dramatic security upgrade, especially when so many still run passwords in parallel or fall back to exploitable channels, is deceptive at best.
I highly recommend using something like Bitwarden or 1password (which can manage both passwords and passkeys), and then generating a passphrase using a method like Diceware. If you're paranoid you might prefer rolling your own with Keepass but for most people that's going to be a lot of work. I think 1password's model is about as secure as you could hope for while still trusting a 3rd party. Definitely avoid Lastpass. In addition to widely reported breaches, they don't even fully encrypt your data; only the password portion is encrypted while usernames and site data are plaintext.
For some reason I thought The Verge was better about having transcripts for their podcasts. I was kinda interested but not around 28 minutes of audio interested. 😞
The way I intend to handle this is with my KeePass password manager since the file database has to be synced manually. The way I handle this is one copy of the database lives on my phone, which is my primary device. Then I copy this database to a flash drive, and then copy it to my laptop. The update process goes something like update the credential on my phone and then a few months later, during my scheduled backup routine, copy the database to the flash drive and then copy the database over to the laptop. So the most I could lose is a few months worth of data instead of all of it. If my phone is ever stolen, I still have a copy of the database on both the flash drive and the laptop, which at most might be a few months out of date, but nothing severe.
On this episode of The Vergecast, we bring in an expert: Anna Pobletts, the head of passwordless (best title ever?)
She’s convinced that passkeys are the future but also has some ideas on the right (and not-so-right) way to get started.
Vee weighs in on Fossil’s exit from the market, the rise of the smart ring, and much more.
If you want to read more on everything we discuss in this episode, here are some links to start with, beginning with passkeys: