Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls it's collective head out of its collective ass (not going to hold my breath on that one), it'll be passwords+2FA for me.
It feels like everyone is trying to tie people to their platform. Oh, and also use the opportunity to force shit like "no custom ROMs or bootloader unlocking" on Android at the same time.
I hate 2fa so much, I never thought they would come up with anything more irritating. Little did I know.
I really like 2FA as long as it's TOTP and I can use an offline app or program for it. It just works and is very easy and secure.
Jesus Christ, dude, that is exactly it.
We're trying to implement passkeys at work and the testing has been an absolute nightmare. Literally have no control over the onboarding experience because each tech giant is clamoring over each other, interjecting into the process to be the "home" for your passkeys. It's bananas.
When it's all set up, it's kinda great! But getting set up in the first place is an exercise in frustration.
What's wrong with passkeys? I'm in love with passwordless sign-in with yubikey, so much easier and faster than password + totp
It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.
Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?
I don't like how there isn't a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.
Until sites start disallowing youbikeys because it doesn't make it impossible for you to backup your keys...
What is planned to happen.
Shouldn't you still need 2fa, and use the passkey as the second auth?
The passkey is still protected with another factor, such as pin code or biometrics
Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I'll touch the yubikey to confirm I'm in physical access to it, and only then it allows the authentication
In practice this takes about 2 seconds
Passkeys are light years ahead of 2fA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they've improved over the desktop experience.
I very specifically don't want my security tied to my device. Trying to migrate to new phones, and keeping things synced between a phone, desktop, and laptop is why I long ago moved to a password manager. Now, especially in the phone space, getting passkeys to function fully with a password manager ranges from "pain in the ass" to "not actually possible".
Passkeys make plausible deniability more difficult. “This user name isn’t necessarily associated with my real world identity” permits some important good things.
Passkeys use unique keys per site for that reason
The amount of people in this thread that don't understand passkeys surprises me. This is Lemmy. Aren't we the technical Linux nerds of the Internet?
The synchronization part is the annoying part. And when you have multiple accounts on one site you can end up with multiple passkeys for it.
2FA is just dead simple. I contact you, you contact me, handshake achieved. If you call me out of the blue I raise the alarm. If you get a login attempt with a failed handshake you raise the alarm.
Putting it all behind a pop up screen just isn't trustworthy to the human brain.
I briefly looked into passkeys a while ago, but I think I remember really disliking them because they just seemed like another excuse for companies to lock you in.
Has this changed? With Bitwarden + passwords, I can change to any platform, any device, at any time, and instantly get all my creds moved over securely.
I don't want to be in a situation where I'm locked into using Android, Chrome, iOS, or whatever because I can't move my creds.
Bitwarden has passkey support! Syncs too!
Yeah I don’t think it’s the only password manager that allows PassKeys either. Plus, they’re more secure by design; the website never has to store anything that can be reversed to allow access. Bitwarden even lets you store multiple passkeys per site.
I do hate how it’s promoted as “locked to your device” though but i imagine that’s because (unfortunately) password managers aren’t used by a majority of users.
There's been a lot of pain in the attempt to portray it as "Just click the passkey button, and that's it! Your login is secured for life!"
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system? I have a password manager that stores these things, why didn't you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it's in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
No - Buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system?
Then use a Yubikey.
Amazon fucking insisting every damn time I log in.
I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.
It's not for your security, it's for the company's. People suuuuuuuuck when it comes to credentials.
My company insists on expiring passwords every 28 days, and prevents reuse of the last 24 passwords. Passwords must be 14+ characters long, with forced minimum complexity requirements. All systems automatically lock or logout after 10 minutes of inactivity, so users are forced to type in their credentials frequently throughout the day.
Yes people suck with creating decent credentials, but it's the company's security policies breeding that behavior.
Same. They also don't allow password managers and I have multiple systems that don't use my main password, so I have at least 5-6 work passwords for different systems.
Nobody can remember all that.
So everyone makes the simplest password they can (since it has to be regularly typed in) and writes it down somewhere so they don't forget it.
I don't get why people get upset at frequently expiring passwords. It's not hard: just write it on a postit note and stick it on your monitor.
removed don't know that passkeys are awesome. It's like ssh key authentication for web apps. Just save the passkeys to my password manager & presto: use same keys on all my devices.
It replaces opening a TOTP app to copy a token with a click to select the passkey in a prompt from my password manager.
Ancient meme
I thought passkeys were supposed to be more secure?
They're using the same standard as FIDO2 / WebAuthn hardware security keys. The protocol is phishing resistant, unlike TOTP and similar one time code solutions.
I prefer the physical ones, because they're easy to organize. Passkey synchronization can be annoying.
Coincidence or did you get that email from eBay today, too?
They probably got hacked and we'll find out about it next year.
Y’all are my people.
