Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won't work on another device.

Now I don't know if that key can be stolen or not, or if it's really more secure or not, as people have really unsecure pins.

  • MeanEYE@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    But that's the whole thing we are trying to solve here. We are trying to eliminate human factor and by extension bad habits people have when it comes to security. So expecting people to use good passwords and pins for keys will be the same as expecting people to have good passwords for accounts. Perhaps even worse because of claims it's better security so people might even relax more.

    Also timeouts with pins and passwords mean very little once someone has your device. This is why I don't consider it good two-factor. PIN might be in your head, but nothing is preventing someone brute forcing it. Once you image the device you can do whatever you want. With credit cards, you'd need ATM to keep doing it and lockout is a serious problem there.

    It's a step in right direction for sure, but I'd prefer if keys didn't depend on PIN or password.

    • confusedbytheBasics@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      But that’s the whole thing we are trying to solve here. We are trying to eliminate human factor and by extension bad habits people have when it comes to security. So expecting people to use good passwords and pins for keys will be the same as expecting people to have good passwords for accounts. Perhaps even worse because of claims it’s better security so people might even relax more.

      I feel like it's 2001 and I'm trying to convince my users to switch from passwords to RSA keys for SSH. Yes there are potential weaknesses. Yes it's still much better.

      Also timeouts with pins and passwords mean very little once someone has your device. This is why I don’t consider it good two-factor. PIN might be in your head, but nothing is preventing someone brute forcing it. Once you image the device you can do whatever you want. With credit cards, you’d need ATM to keep doing it and lockout is a serious problem there.

      Even if all we've done is reduced potential attackers from everyone with an Internet connection to people with physical access to the device we've still massively increased the average user's security. And we've done more than that.

      Also unless you can clone the device somehow hitting max guesses and losing access just like an ATM is part of the design.

      It’s a step in right direction for sure, but I’d prefer if keys didn’t depend on PIN or password.

      I lost track of your suggestion over the weekend but what was your suggestion for second factor other than a pin or password?

      • MeanEYE@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        I didn't have one, I just disliked the idea of having all that's needed for auth in a single device which can be lost.

        • confusedbytheBasics@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Thanks for the civil discussion. While my views haven't changed I have learned a lot about possible objections from informed people.

          Let's hope this new auth standard is implemented responsibly by all the major parties and that weak passwords and phishing become relics of the past.

          • MeanEYE@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Hope is all we can have. Sadly time and time again there were companies who thought the were smarter than others and altered established protocols. Be it Telegram or OAuth with Facebook. But let us hope.