• Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
  • @[email protected]
    link
    fedilink
    English
    175
    edit-2
    7 months ago

    Not commenting on the merits of the blogpost’s arguments, but Proton is selling their own product here too

    • @[email protected]
      link
      fedilink
      English
      547 months ago

      And if you believe in our mission and want to help us build a better internet where privacy is the default, you can sign up for a paid plan to get access to even more premium features.

      Translation: don’t give those other guys money, give us your money!

      • Encrypt-Keeper
        link
        fedilink
        English
        237 months ago

        Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.

    • @[email protected]
      link
      fedilink
      English
      307 months ago

      As a fan of Proton services I don’t like “blog posts” from companies where the solution to a problem is just their product, regardless of who the company is

    • Encrypt-Keeper
      link
      fedilink
      English
      227 months ago

      Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.

      But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.

      • Josie
        link
        fedilink
        English
        1
        edit-2
        7 months ago

        We’ve tried to stay true to the intention behind passkeys. With Proton Pass, passkeys:

        • Are easy to use, no matter your device or platform
        • Can be quickly shared or exported
        • Use an open-source implementation
        • Are available to everyone with our Free plan
    • @[email protected]
      link
      fedilink
      English
      67 months ago

      As someone who is not familiar with photon, I love to see a vendor presenting a feature with a technical discussion, even if they’re also selling it. As far as I can tell, no one was hiding intent, no one was directly selling, so “well done”. Or maybe I just agree with the premise, I dunno

  • capital
    link
    fedilink
    English
    747 months ago

    If I can’t add your passkey to my Bitwarden vault, I’m not using your passkey.

    • @[email protected]
      link
      fedilink
      English
      457 months ago

      If I can’t add your passkey to my local KeepassXC database, I am not using your passkey.

          • capital
            link
            fedilink
            English
            57 months ago

            I don’t mean to be pedantic but self hosted isn’t cloud.

            • Kairos
              link
              fedilink
              English
              17 months ago

              Doesn’t it require cloud activation?

            • @[email protected]
              link
              fedilink
              English
              17 months ago

              Yea, I understand, and it’s a perfectly valid choice. But does that disregard people’s preference to not bother with this at all?

              • capital
                link
                fedilink
                English
                17 months ago

                I don’t think I understand the question.

                To be clear, the alternatives are valid choices.

                • @[email protected]
                  link
                  fedilink
                  English
                  17 months ago

                  That was a rhetorical question. What I wanted to say was basically “if it is only supported by Big Tech walled gardens and some open, selfhostable cloud password managers, I am not using such passkeys, because for me it is far more comfortable to have my password manager fully offline”.

          • @[email protected]
            link
            fedilink
            English
            97 months ago

            I mean, they were responding to someone who sounded like they were acting superior for self-hosting their password manager. This person chimed in with “well you can self-host Bitwarden too”. And now you’re upset because they offered a direct counterpoint, and furthered a conversation?

            • Skeezix
              link
              fedilink
              English
              27 months ago

              This is a guy who planted some Cheerios because he thought they were donut seeds.

    • @[email protected]
      link
      fedilink
      English
      157 months ago

      Yeah or if they only offer 2FA via SMS. Like 1) it’s not even that much more secure and 2) it’s just more awkward.

      But I also hate how Steam and Blizzard only allow you to verify logins in their mobile app. Fucking ridiculous.

      • @[email protected]
        link
        fedilink
        English
        47 months ago

        It is stupid that they not only require the app to be present, but to verify each and every trade. Even those for items that drop to everyone for free. Good thing it does work in an Android VM but still - very annoying.

        • @[email protected]
          link
          fedilink
          English
          17 months ago

          That’s with hosting your own server. Unfortunately I only discovered this paywall after sending them $10 out of good will.

          Of course it’s open source, so it’s certainly possible to break their DRM, and if it were something less sensitive I would.

          I still might, but VaultWarden looks like a better alternative.

      • @[email protected]
        link
        fedilink
        English
        97 months ago

        I pay $10/year for my wife and I, total. The $40 is if you want 3-6 people. AFAIK, you still need to pay if you self-host and use the premium features, but you can self host on the free plan as well.

        $10/year for my wife and I is completely reasonable, and I’d pay the $40/year if my kids needed their own accounts. It’s a fantastic service.

        • @[email protected]
          link
          fedilink
          English
          37 months ago

          If you self host you need the $40 plan for two people. Seems kinda backwards, doesn’t it?

          Yeah, they absolutely don’t make that clear or I wouldn’t have gone with Bitwarden.

  • @[email protected]
    link
    fedilink
    English
    657 months ago

    Not surprised,

    Google too nowadays.

    There’s a reason why they removed their company motto “Don’t be Evil”

    • @[email protected]
      link
      fedilink
      English
      197 months ago

      Google has obviously been crap for a long time, but that was just a dumb motto to begin with. It’s not aspirational, it’s not useful for anything and it barely requires anything of anyone.

      They changed it to: Do the right thing.

      It’s not much better, they’re still an awful company, as most companies are, but this is just the worst reason to rag on them.

  • @[email protected]
    link
    fedilink
    English
    617 months ago

    It seems no matter what new advancements we make in technology the big tech companies seek nothing more to implement it in a way that benefits themselves. Regardless if it means fucking over the consumer.

    I really hate what the internet has become over the last couple of years.

    • @[email protected]
      link
      fedilink
      English
      197 months ago

      That’s capitalism for you. They’re not interested in making things better, they’re interested in making more profit.

  • @[email protected]
    link
    fedilink
    English
    587 months ago

    Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

    I wonder if there could be any bias in Proton claiming their product is the best

    • @[email protected]
      link
      fedilink
      English
      207 months ago

      I’d trust them miles before Google or Apple. Hell, they dropped the prices on some of their products when they found ways to provide them cheaper. Proton is a good company.

      • @[email protected]
        link
        fedilink
        English
        87 months ago

        That doesn’t mean they will be around forever. Economic realities care little about whether a company is good or not.

        • @[email protected]
          link
          fedilink
          English
          77 months ago

          In fact history has shown the good die out or become corrupt. Still using them for now though.

        • @[email protected]
          link
          fedilink
          English
          67 months ago

          Iirc you can export everything. Most allow export of passwords of course but i think proton allows export of passkeys too.

          So there’s portability if they ever do disintegrate.

        • gian
          link
          fedilink
          English
          17 months ago

          True, but this is valid for every company.
          Let’s say that since the company is Swiss based and, AFAIK, not quoted maybe they are not driven by the “the next quarter is all that matters” mentality of many quoted (US) companies.
          There is a smaller chance that they will do something stupid to monetize more just to be ok next quarter (while risking to lose everything the next one) and will be there as long as they provide a value to the customer for the paid price.

    • @[email protected]
      link
      fedilink
      English
      17 months ago

      Do you typically just take people’s word for their claims or do you do cursory research?

  • @[email protected]
    link
    fedilink
    English
    577 months ago

    I am not using passkeys until it’s possible to easily migrate them between providers (not just devices / browsers). If I used Proton Pass, and then later decided to use another password manager, could I export my passkey data?

        • @[email protected]
          link
          fedilink
          English
          127 months ago

          The next question is does anyone actually let you import passkeys? I don’t think there is ☹️

          I have a few keys in Bitwarden but before I go adding more I am going to play with Proton Pass. A lot of users were understandably annoyed when Bitwarden released passkey support but in such a limited manner.

    • gian
      link
      fedilink
      English
      87 months ago

      Proton Pass allow you to export your passwords in various formats (both plain and encrypted). That you are able to import somewhere else is not something Proton Pass can guarantee but you have your data.

  • Irdial
    link
    fedilink
    English
    56
    edit-2
    7 months ago

    Better yet: use a hardware 2FA token that supports passkeys

      • @[email protected]
        link
        fedilink
        English
        227 months ago

        How is 25 bad? Do you need a passkey for each service /app/website? Can’t you use the same key for many services? (trying to understand how they work)

        • BlackEco
          link
          fedilink
          English
          367 months ago

          Yes, you need a passkey per service, so you would quickly end up with your 25 slots full.

        • lemmyvore
          link
          fedilink
          English
          197 months ago

          Ideally yes, they’re supposed to eventually replace all passwords. Of which I have hundreds. And yes not 100% of them will do that on the near future but a lot more than 25 will.

          • capital
            link
            fedilink
            English
            47 months ago

            Being down-voted for asking questions is bullshit. Your questions are valid and those people suck.

        • @[email protected]
          link
          fedilink
          English
          97 months ago

          I have 150 passwords in my password manager. I’m not buying 7 YubiKeys (and to be fair that’s not what they’re designated for)

        • @[email protected]
          link
          fedilink
          English
          67 months ago

          No, sharing passkeys across services is way too risky. One service gets compromised, someone gets your passkey, and then they have access to all of your services. It’s the same principle with regular passwords.

          • @[email protected]
            link
            fedilink
            English
            87 months ago

            Uh, each service only has access to your public key, not the private one that stays with you. It’s less risky than a regular password.

            Even with U2F hardware keys where the server-side stores the encrypted key (to allow for infinite sites to be used with a single hardware key), it’s only decryptable on your key and thus isn’t that useful for someone who has compromised a service.

            • @[email protected]
              link
              fedilink
              English
              4
              edit-2
              7 months ago

              Thanks. I’m still learning about this “new” technology (which already is, what, eight years?)

        • paraphrand
          link
          fedilink
          English
          37 months ago

          Having a key shared across sites wouldn’t be great. If it was great it would be an article talking about “passkey” not “passkeys” because you would just have one. Like some sort of Skeleton Passkey that unlocks all your shit when compromised.

          • lemmyvore
            link
            fedilink
            English
            27 months ago

            That’s impossible. Passkeys were designed specifically to be impossible to share across different websites.

            • paraphrand
              link
              fedilink
              English
              7
              edit-2
              7 months ago

              Well, that’s basically my point. It’s not a good idea.

        • Natanael
          link
          fedilink
          English
          37 months ago

          You only need one per website if you want it to autofill the username, because resident keys held on the security token can be recognized and suggested automatically but otherwise you must first enter your username on the website and let the website send its challenge value for the corresponding domain and account pair so that your security token can respond correctly.

      • m-p{3}
        link
        fedilink
        English
        57 months ago

        It depends on the passkey type (resident vs non-resident keys)

        • BlackEco
          link
          fedilink
          English
          47 months ago

          Right, now I remember reading about that, I forgot.

        • @[email protected]
          link
          fedilink
          English
          3
          edit-2
          7 months ago

          Passkey = Resident Key

          Nonresident keys are not passkeys, they are solely a second form of authentication meaning the service you are logging into still requires a password.

          • @[email protected]
            link
            fedilink
            English
            17 months ago

            Couldn’t a site theoretically use a nonresident key with just a username, in place of a password?

            This seems to imply it might be possible:

            https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Resident_Keys.html

            Discoverable Credential means that the private key and associated metadata is stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server. If the credentials were stored on the server, then the server would need to return that to the authenticator before the authenticator could decrypt and use it. This would mean that the user would need to provide a username to identify which credential to provide, and usually also a password to verify their identity.

            • @[email protected]
              link
              fedilink
              English
              1
              edit-2
              7 months ago

              For sure, but that still isn’t a passkey. The method you are talking about is the equivalent of non-passphrase protected SSH protocol, which is a single form of authentication (i.e. if someone has your security key they have your account).

              The term passkey implies MFA: having a physical key and a password, a physical key and a fingerprint scan, or equivalent.

              Sure the username could be considered the password, but usernames are not designed to be protected the same way. For example, they typically are stored in clear text in a services database, so one databreach and it’s over.

    • Dark Arc
      link
      fedilink
      English
      27 months ago

      Eh… That’s not exactly a silver bullet or necessarily “way better”; it’s got a lot of usability issues.

      You really only want to do that for your most important sites and then you want to use multiple passkeys to make sure you retain access.

  • @[email protected]
    link
    fedilink
    English
    507 months ago

    When vaultwarden supports this I’ll play ball. If I don’t have control over my authentication methods, then they aren’t my authentication methods.

    • @[email protected]
      link
      fedilink
      English
      15
      edit-2
      7 months ago

      Do you really think it’s a good idea to store your password, TOTP and pass key in one place?

      • @[email protected]
        link
        fedilink
        English
        157 months ago

        Yes, as long as that place is only accessible by a physical passkey (such as a Yubikey). The risk is miniscule and the convenience is 100% worth it.

        • @[email protected]
          link
          fedilink
          English
          37 months ago

          I’m actually not sold that I should be putting all my keys in a single password manager like Bitwarden.

        • @[email protected]
          link
          fedilink
          English
          57 months ago

          Treating social media accounts as irrelevant is fine as long as none of your real life friends associate with you on the same platform. Once that’s the case, scammers can take over your platform and send messages to your friends telling them you’re stuck and need money or other sorts of things that sound ridiculous but work all the time.

          • @[email protected]
            link
            fedilink
            English
            27 months ago

            I am not treating them as irrelevant, hence a password manager. But I am not treating it as fort knox. Most of my real-life friends probably don’t even go that far.

      • @[email protected]
        link
        fedilink
        English
        17 months ago

        I personally settled on having TOTP in the same application but in a different database.

      • dantheclamman
        link
        fedilink
        English
        27 months ago

        Still waiting for the mobile app. Maybe the firefox addon would work, but would prefer the app

  • dinckel
    link
    fedilink
    English
    427 months ago

    The way Apple or companies like Paypal implement two-factor authentication, let alone passkeys, drive me up the wall. This all could have been so much better.

    I’m not even going to mention all the platforms that rolled out passkey creation support, but not passkey login support, for whichever damn reason

    • plz1
      link
      fedilink
      English
      397 months ago

      Yeah, Apple 2FA is infuriating, especially since you can do all factors from the same device. Kind of defeats the purpose of traditional 2FA/MFA. Also, companies that decide you 2FA experience has to use their app, instead of a standards-compliant TOTP app of your choosing…ugh.

      • @[email protected]
        link
        fedilink
        English
        327 months ago

        Traditional 2FA (assuming you mean apps with codes) can be done from the same device (if you have the app with the codes installed on that device).

        It doesn’t defeat the purpose of 2FA. The 2 factors are 1. The password and 2. You are in possession of a device with the 2FA codes. The website doesn’t know about the device until you enter the code.

        • plz1
          link
          fedilink
          English
          37 months ago

          Yeah my point is it does not protect the local device well. It does protect well from remote compromise though.

      • paraphrand
        link
        fedilink
        English
        18
        edit-2
        7 months ago

        If you think forcing everyone to carry an object other than their phone around so they can use 2factor on their phone is a good idea… Or if you said I need to go to my laptop when I’m logging in on my phone and vise versa… that’s nonsense too. Sure maybe some companies require this. But that’s different.

        Authy on my phone is just as “dumb” as Keychain on my phone.

        How else are you imagining this should work? Keep in mind normal people need to do it too.

        • @[email protected]
          link
          fedilink
          English
          47 months ago

          I bring my yubikey with me, it’s in my keychain. This is not only more secure against phone theft/access, which probably is not very relevant for most people, but it spreads the risk of locking yourself out.

          For example, I was in Iceland with my girlfriend and she “lost” her phone. We wanted to locate it, so I logged to Google for her, which asked 2FA. If she used her phone, she would have been toast. Instead I made her use yubikeys too, and she just logged in and found her phone.

          Obviously you can lose your hardware tokens too, but it’s generally less likely (you take out your home keys way less than your phone, for example). You can also backup your TOTP on multiple devices etc., of course.

        • plz1
          link
          fedilink
          English
          37 months ago

          If I’m on my laptop, and the 2fa code shows on that same laptop, it defeats the purpose of it. The point is sortation of security privileges, ask this just adds more work while providing no less security to the device. It does protect you from remote compromise, though.

          • @[email protected]
            link
            fedilink
            English
            37 months ago

            It doesn’t defeat the purpose of it, as you indicate, it can protect from remote attacks.

            • @[email protected]
              link
              fedilink
              English
              27 months ago

              Also most or all of these should require some for of local authentication.

              For example I have 2fa apps on my phone, where I need to use them, so yes, that’s less than ideal. However

              • it protects against remote attacks
              • it protects against SIM attacks
              • and even if someone stole my phone and unlocked it, they’d still need my face id for every use
        • @[email protected]
          link
          fedilink
          English
          17 months ago

          For Apple, it’s your iCloud account that everything depends on, and it’s the weakest point. Not by itself maybe, but in practice there needs to be a way to reset your iCloud password, even without your phone. Currently I believe that’s just an Apple representative asking life questions, but that information is mostly publicly available. There needs to be a better way.

          A physical 2fa device may be just what we need to securely rest our iCloud passwords, keeping everything else more secure

          • paraphrand
            link
            fedilink
            English
            17 months ago

            That’s a fair point. iCloud Keychain is a single point of failure.

      • @[email protected]
        link
        fedilink
        English
        5
        edit-2
        7 months ago

        The factors are:

        • Something you have
        • Something you are
        • Something you know

        Here the password is something you know and the device is something you have (typically also protected by something you are, like your fingerprint or face)

        Someone with your phone but no password or fingerprint is SOL. Someone with your password but not your phone also SOL

    • @[email protected]
      link
      fedilink
      English
      1
      edit-2
      7 months ago

      PayPal for sure, because at one point they actually removed the ability to use a hardware mfa token.

      A little known fact about iCloud is that you can use hardware MFA tokens. I think this feature was just recently released though. They force you to enroll at least two tokens too, which is a nice safety. I set this up about a month ago and it’s been great.

  • SkaveRat
    link
    fedilink
    English
    35
    edit-2
    7 months ago

    I’m well versed in IT security, and even with (or because of) my knowledge, I still haven’t looked deep into setting up passkeys on my services. Just because it’s such a clusterfuck of weird implementations.

    I can’t imagine being a normal consumer and wanting to set them up. The poor support teams having to support this…

    And I’m managing at least one service at work that could totally benefit from passkey integration. The headache of looking into how to properly implement them is just way too much

    • @[email protected]
      link
      fedilink
      English
      107 months ago

      I can’t imagine being a normal consumer and wanting to set them up.

      It’s quite simple on iOS. IIRC, when logging into the paypal website you get a prompt asking if you’d like to use passkeys. Accept that, then you get a keychain prompt asking if you’d like to make/use a passkey. Click continue and pass FaceID authentication, then you’re in with a passkey. For future logins you click the login with passkey and it faceIDs you in. It’s easy.

      • @[email protected]
        link
        fedilink
        English
        367 months ago

        Then you are totally locked in with Apple devices and cannot switch to Android and take your passkeys with you

        • @[email protected]
          link
          fedilink
          English
          7
          edit-2
          7 months ago

          I’m not saying it’s good, I’m saying it’s easy. It is not hard for normal consumers to setup.

  • @[email protected]
    link
    fedilink
    English
    317 months ago

    Yeah I’ve avoided passkeys. Anything that Google is pushing to me is always in their interests.

    • Dark Arc
      link
      fedilink
      English
      347 months ago

      That is not the takeaway here.

      The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

      • @[email protected]
        link
        fedilink
        English
        37 months ago

        Are we talking in circles here? “I avoid passkeys because of Google” “Passkeys implemented by Google have problems”

        • Encrypt-Keeper
          link
          fedilink
          English
          87 months ago

          The way out of the circle that you’ve put yourself in is realizing Google isn’t the only company implementing passkeys.

          • @[email protected]
            link
            fedilink
            English
            3
            edit-2
            7 months ago

            And that most people are in multiple ecosystems…e.g. Android/iOS + Windows. So they can’t use a solution that’s not interoperable.

            • Encrypt-Keeper
              link
              fedilink
              English
              37 months ago

              Fortunately there are several interoperable solutions now. There weren’t as recently as last year though.

        • @[email protected]
          link
          fedilink
          English
          77 months ago

          Are we talking in circles here?

          No. “I avoid passkeys because of Google” is avoiding an entire technology because of a bad implementation. “Passkeys implemented by Google have problems” is only avoiding passkeys implemented by Google, leaving using passkeys still on the table.

    • @[email protected]
      link
      fedilink
      English
      97 months ago

      People not getting phished is in their interests. That doesn’t mean it’s not in yours.

      • @[email protected]
        link
        fedilink
        English
        27 months ago

        People getting their accounts compromised leads to spam email, spam comments, fake crypto livestreams, etc that impact others. Google definitely has an interest in preventing people from getting their accounts compromised and not just for the benefit of the individuals with the accounts but their platforms as a whole.

    • Encrypt-Keeper
      link
      fedilink
      English
      67 months ago

      Google pushed email accounts to you, do you not have an email address either?

      • ditty
        link
        fedilink
        English
        97 months ago

        Email was already ubiquitous and generally standardized by the time Gmail released in 2004.

        • Encrypt-Keeper
          link
          fedilink
          English
          2
          edit-2
          7 months ago

          Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

          Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

      • @[email protected]
        link
        fedilink
        English
        3
        edit-2
        7 months ago

        I’m not locked into Gmail: I know it implements standards and I choose it as long as it is most convenient.

        A lot of what comes into my gmail account is actually addressed to various aliases from various providers, and I can point those aliases anywhere

        In particular, all my recent online accounts use unique generated email addresses that I can disable at will, and that forward to my actual email

        • Encrypt-Keeper
          link
          fedilink
          English
          27 months ago

          Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

    • @[email protected]
      link
      fedilink
      English
      47 months ago

      A lot of my hesitation is that not only are passkeys being pushed by the big vendors AND they seem to have a less than portable implementation BUT ALSO they don’t seem to give enough details. Everything is dumbed down for the less technical until it means nothing

      I like that this thread already has more actual information than all the outreach of the big vendors over months

      • Natanael
        link
        fedilink
        English
        27 months ago

        The spec behind it is solid, it creates per-domain cryptographic keyspairs which allows your device to prove you’re you in a standardized and secure way while avoiding adding a new way to track you across sites, and by using the device’s TPM chip to hold the key it’s also resistant to most types of manipulation.

  • @[email protected]
    link
    fedilink
    English
    317 months ago

    Lock downs are pretty much a hard pass for me. Anything I buy, I research, and if there’s even the slightest hint of BS incompatibility, it’s simply a no go.

  • My Password Is 1234
    link
    fedilink
    English
    25
    edit-2
    7 months ago

    I noticed that recently every post on Proton’s blog has been an advertisement of their services.

    They are hypocrites.

    A few days ago they posted that corporations are bad because they collect fingerprints, profile users, etc., yet they are no better, as their mobile apps rely on Firebase Cloud Messaging (FCM) owned by Google to deliver notifications to their users.

    In 2020 they wrote that they “may offer alternative push notification system”, but apparently shitting on corporations is easier than making actual changes. Four years ago.

    • Kairos
      link
      fedilink
      English
      17 months ago

      That’s a google services issue. That’s Google’s fault.

      • @[email protected]
        link
        fedilink
        English
        27 months ago

        It was their choice to not exclude this knowingly-evil service from their applications though.

        • Kairos
          link
          fedilink
          English
          17 months ago

          Yes. It’s still the fact that Google monopolizes shit. Same thing with Apple by the way.

          • @[email protected]
            link
            fedilink
            English
            37 months ago

            But there are apps that have been built with Google-independent notifications. Proton could have supported UnifiedPush, for example, yet they decided not to.

  • @[email protected]
    link
    fedilink
    English
    22
    edit-2
    7 months ago

    told ya so, i got downvoted for being skeptical of this shit.

    if google or similar is pushing it, is should NOT be trusted! lets NOT, please!

    • Encrypt-Keeper
      link
      fedilink
      English
      127 months ago

      You still deserve those downvotes. There’s nothing to not trust about passkeys.

      • @[email protected]
        link
        fedilink
        English
        7
        edit-2
        7 months ago

        theres google, give me an alternative not exclusively controlled by oligarchs and i will consider it.

        • Encrypt-Keeper
          link
          fedilink
          English
          6
          edit-2
          7 months ago

          Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?

          Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.

            • Encrypt-Keeper
              link
              fedilink
              English
              57 months ago

              Well you’re in luck, they’re currently established and working in practice.

        • Aniki 🌱🌿
          link
          fedilink
          English
          27 months ago

          Youre get downvoted by the same MS defender chuds.

          Fuck the billionaires.

        • Encrypt-Keeper
          link
          fedilink
          English
          27 months ago

          No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.

    • Dark Arc
      link
      fedilink
      English
      10
      edit-2
      7 months ago

      That is not the takeaway here.

      The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

      This isn’t some “owned by the billionaire class”. It’s an open standard that’s why Bitwarden and Proton both have implementations. Big tech of course provided implementations that are not as portable as possible, that’s all that’s going on here.

      There’s really not some big conspiracy to kill kittens or whatever. Passkeys are far more secure (and for most people far more usable) than passwords.

      • @[email protected]
        link
        fedilink
        English
        2
        edit-2
        7 months ago

        The takeaway is Passkeys are great technology but as implemented by Google, Microsoft, and Apple fall short of what they could be.

        then get them implemented by someone else useably. that open authentication login garbage they pushed years ago was also supposed to be an open standard, but you can only use it if you lock yourself in to facebook/google to this day. i still have to use a different password for each damn website still.

        id like to see its opennes at work in the real world, in practice, first.