pull down to refresh

138 sats \ 5 replies \ @kepford 5 Aug \ on: Passkeys are just passwords that require a password manager - Dan Fabulich security
Is the main advantage of a passkey that it won't let you copy and paste it or is it that it's tied to a specific app/url?
Both. Its like using SSH keys if you know what those are except in a much more user friendly way.
If done right you can't get phished(as far as I know). You can't make a weak password. You can't forget your password. You don't have to reset it. In many ways for people that don't do passwords right it is better. Its hard for me to make a valid argument against them. Do I need them? No.
I don't like how it hides this stuff from you. I have trust issues. That said, I am not using it day to day. I need to try it with a few sites and get real world experience.
write
preview
249 sats \ 4 replies \ @ek 5 Aug
Its hard for me to make a valid argument against them
Here's one: Not being able to export your passkeys makes you dependent on the password manager. If you want to switch, you now have to setup new passkeys for every website where you use them.
And if a password manager allows export (or other reasons in the future), it apparently might be possible to mark them as "insecure" and ban their passkeys if attestation will be mandatory, see this Github comment:
[...]
The unfortunate piece is that your product choices can have both positive and negative impacts on the ecosystem as a whole. I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).
[...]
and this one.
Just that this might become possible makes me want to stick to password+TOTPs.
reply
55 sats \ 3 replies \ @kepford 5 Aug
Not being able to export your passkeys makes you dependent on the password manager.
Is it not possible to migrate between tools? I don't mean that companies aren't implementing this. I mean is it not allowed by the spec.
But again. The people that need this are not you and I. Its people that WILL export their keys in plain text on their desktop...
reply
102 sats \ 2 replies \ @ek 5 Aug
There's a spec for import and export and a 1Password blog post about it
If that solves vendor lock-in, then I'm just worried about possible attestation stuff
reply
77 sats \ 1 reply \ @kepford 5 Aug
For the record. I'm not SOLD on passkeys as the solution but there's a lot more right with it than wrong. And passwords are just far too easy for people to screw up. There have been other attempts to replace them in the past and who knows if passkeys will catch on.
reply
100 sats \ 0 replies \ @kepford 5 Aug
One of the attempts was SQRL - Secure Quick Reliable Login
reply