[deps]: Update astro to v5.13.2 [SECURITY] (#118)
https://github.com/bitwarden/passkeys-index/commit/4743729ec26a9e3e8d44aefc2c58c86367949918
Ok mastodon, can this #passkey scenario work? I'm not an expert, tell me what I'm doing wrong.
Log in to {service} on desktop web. Set up a passkey, stored in #ProtonPass. This works on this PC and others where I have ProtonPass extension.
Try login on different PC, select "use my passkey" which shows a QR code. On my phone with ProtonPass app installed and set as preferred passkey service in Android, I scan the QR code and Android says there is no passkey. Help?
These can both be true:
Passkey deployment has been fraught with UX challenges, failures to advise users about threat model trade-offs, and vendor lock-in concerns
The ecosystem couldn't go much longer without the benefits of passkeys (reducing password reuse risk, mitigating infostealer harm, and deploying FIDO2 phishing resistance at scale)
@jik I have accidentally accepted a couple of #passkeys. I get it - it’s just normal PKI - but I need to figure out how to unwind those site logins where suddenly I’m in an unrecoverable zone if I screw up the backups.
Passkeys are shaping up to be a user-side failure akin to PGP. But credit to PGP: people very rarely accidentally PGP their messages.
@jik
I do think #passkeys are a big improvement over plain passwords for most people. But I also think they are not really “ready for prime time” and people really need to keep a real strong password too, for sites they care about. Passkeys are NOT ready to replace regular passwords, especially if you don’t already have multiple synchronized devices for your credentials. For now, your backup method needs to be a password plus MFA or a second passkey on a different key ring.
Exporting passkeys probably won’t be a great solution for people either, since it’s pretty complex and documentation is nonexistent. If I’m helping people I will probably still recommend a real password and MFA or SMS as the backup to passkeys. More important, I always suggest to people to have Keychain/password manager “living” in 2 places that are synced.
@jik
What happens when you lose your password: Get a recovery link using your email or SMS
What happens when you lose your passkey: Get a recovery link using your email or SMS
People are saying this is a problem unique to #passkeys, but the same problem exists with passwords. If you try to educate people that they should keep their credentials backed up safely in a couple of different ways, and they don’t, sorry, but the technology works as expected. Passkeys don’t solve the problem of losing your credentials, but they don’t make it worse either. What were people expecting??