But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp
I guess I mean if people are too used to critical services opening up without any friction, a pause to complete some sign in step, they’ll stop taking a moment to look for any warning signs, so they might miss the fact that they’re at a spoofed url, for example. Yes you’re right that the passkey wouldn’t be working at this fake site, but it could still take them out and harvest some data, interactions or credentials.
But I also worry about new areas of weakness with passkeys - anyone accessing the device with the passkey on it, or hacked that device, gets access automatically to the accounts. Also if logins are too fluid I worry that anything out of the ordinary during sign ins won’t be noticed.
yeah that’s totally true, but usually modern devices ensure that the passkeys are protected with a PIN or some biometric security, so I think it’s at least as strong as having a password manager on your device that can be unlocked with a PIN.
not really sure what you mean about “out of the ordinary” logins - it sounds like you’re thinking about phishing risks? but remember - passkeys cannot be phished. they verify the identity of both sides of the authentication token exchange - the server verifies you, and you verify the server. If you only use passkey authentication, you are safe from being phished. the most secure system would be one entirely without passwords/oath totp
I guess I mean if people are too used to critical services opening up without any friction, a pause to complete some sign in step, they’ll stop taking a moment to look for any warning signs, so they might miss the fact that they’re at a spoofed url, for example. Yes you’re right that the passkey wouldn’t be working at this fake site, but it could still take them out and harvest some data, interactions or credentials.