Passkeys: how do they work? No, like, seriously. It’s clear that the industry is increasingly betting on passkeys as a replacement for passwords, a way to use the internet that is both more secure and more user-friendly. But for all that upside, it’s not always clear how we, the normal human users, are supposed to use passkeys. You’re telling me it’s just a thing… that lives on my phone? What if I lose my phone? What if you steal my phone?

  • @[email protected]
    link
    fedilink
    English
    2310 months ago

    It’s probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just ‘password and something else’. Something like A,B,C are on the account and you can use A+B or B+C to login. It’d be great for those who don’t necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.

    That said, the way passkeys are typically used satisfy multiple factors at once:

    Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database

    Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone

    • @[email protected]
      link
      fedilink
      English
      1510 months ago

      Forget about biometrics, they are way too insecure.

      Our cameras have reached a stage where we can replicate fingerprints from photos. ‘What you are’ is useless when we leave part of us everywhere. And furthermore, in parts of the world, authorities can force you to unlock your device with biometrics but not with passwords.

        • @[email protected]
          link
          fedilink
          English
          510 months ago

          Exactly. See my reply in another thread where I describe a “person trap” that I used to go through to get into a secure facility. Its biometric check analyzed the geometry of your entire hand. It wasn’t just a fingerprint scanner.

        • @[email protected]
          link
          fedilink
          English
          210 months ago

          I strongly disagree. That’s like using MD5 and saying ‘It’s OK, we use SHA256 down the line’. Information encrypted with it might as well be in plain text.

          • @[email protected]
            link
            fedilink
            English
            610 months ago

            That’s not how that works. If you were using MD5 and then immediately SHA256 the output and not using it for anything else, that would be fine. You’re not accomplishing much in this specific case, but it’d be fine.

            When you layer security, the attacker has to pull back each layer. You don’t rely on any singular layer. If the attacker needs biometrics AND a code AND a physical key, that’s very good security.

      • @[email protected]
        link
        fedilink
        English
        310 months ago

        For many people it works well as a trade-off between security and convenience. It may not be for everyone though and that’s okay. Nothing stops you from using a password/passcode to secure your passkey instead.

    • @[email protected]
      link
      fedilink
      English
      1410 months ago

      SMS second factor is so bad! The really dumb thing in my opinion is the place that uses SMS to factor the most is banks. Now how dumb is that?

      • Something Burger 🍔
        link
        fedilink
        English
        910 months ago

        In the EU they have to use something stronger if available. SMS is only used if requested by the user.

      • @[email protected]
        link
        fedilink
        English
        510 months ago

        Banks are certainly behind the times and ‘bank-grade security’ is a joke in terms of what authentication methods they offer. I understand that they are slow to change anything though.

        • @[email protected]
          link
          fedilink
          English
          310 months ago

          My crypto wallet is more secure than my bank because I hold the keys myself and I am not nearly as large a target as a bank. Is it better to go after one person’s money or one million people’s money?