NEW: Google today rolled out passkeys—the industry-wide tech that will replace passwords—to all accounts. It’s a big step toward replacing passwords, which are often insecure, altogether, @lhn reports (tip @Techmeme and @TechDesk) https://www.wired.com/story/google-passkey-password-replacement/
Google Is Rolling Out Passkeys, the Password-Killing Tech, to All Accounts

The tech industry’s transition to passkeys gets its first massive boost with the launch of the alternative login scheme for Google’s billions of users.

WIRED
@couts @lhn @Techmeme @TechDesk While optimal in concept, the full reliance on biometrics worries me. It has been reported that in many countries adversaries just took the phone and turned it towards the victim to unlock it with face biometrics. Of course, these are extreme cases and concern only people with a specific threat model, but it would still be good to mention it somewhere.
@gillo @couts @lhn @Techmeme @TechDesk also concerning: at least in the US, biometrics are not considered private information, and law enforcement can theoretically compel someone to give up that “data” unlike a password.
@aiannazzone @couts @lhn @Techmeme @TechDesk Precisely. And a good reason to always switch the phone off before border controls. (Biometrics are disabled after a restart.)
@aiannazzone @couts @lhn @Techmeme @TechDesk Luckily it seems it also works with a PIN. Hopefully a long one too.

@gillo @aiannazzone @couts @lhn @Techmeme @TechDesk

How is that better than password manager + 2FA?
I probably cannot see it, but if someone takes your phone it's easier to guess a PIN or crack biometrics than to guess a password manager password.

My guess is that they are trying to improve the situation for those who are using weak passwords without a PM. Though I'm a bit scared about this "share access with QR code": how many people who won't send you a password will send you a screenshot of a QR code?

@fvg @aiannazzone @couts @lhn @Techmeme @TechDesk Agree completely. It’s mostly for those who can’t do proper password management (and there are unfortunately a lot). I don’t see this getting a lot of traction among infosec practitioners.

@gillo @aiannazzone @couts @lhn @Techmeme @TechDesk

Thanks, good to know that. I'll take a look at how that'll work for those who are already using a PM :)

@gillo @lhn @Techmeme @TechDesk You don't have to use biometrics with passkeys. You CAN, but you don't have to.

@couts I’ve used a password manager for many years, so I presume I’m not the prime target for this. But I struggle to wrap my head around passkeys conceptually.

Are they tied to a single account/ecosystem? Do they require biometric verification? How is this maintained across diverse platforms?

For me to begin embracing this I would need a well-backed and open sourced system to interface with passkeys. I will not use Apple, Google, Facebook, etc. implementations.

@fiveEyedBeast They're definitely a bit tricky to explain, but they're tied to both device and account, so you'll have different passkeys for the same account depending on what device you're using. It's a protocol, so it's not tied to any one company. Also, password managers are going to support passkeys soon, once there's wider rollout. (You'll prob see that feature arrive soon with Google's announcement today.)
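A constructed model of what "tied to both device and account" means in practice (added here as an illustration, not code from the thread or from Google): each device mints its own key pair, the server stores only public keys per account and device, and a login is a signed random challenge. Device and account names are placeholders; the local PIN or biometric unlock is represented only by a comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device holds one passkey's private key; it never leaves the device, and the local PIN or biometric only unlocks it for signing (constructed model).
type Device struct {
	Name string
	priv *ecdsa.PrivateKey
}

// Server keeps only public keys: account -> device name -> public key.
type Server map[string]map[string]*ecdsa.PublicKey

// NewDevice mints a fresh P-256 key pair, i.e. a new passkey for this device.
func NewDevice(name string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv}, nil
}

// Register files the device's public key under the account.
func (s Server) Register(account string, d *Device) {
	if s[account] == nil {
		s[account] = map[string]*ecdsa.PublicKey{}
	}
	s[account][d.Name] = &d.priv.PublicKey
}

// Sign answers a server challenge with this device's private key.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify accepts the login only if the signature matches the key registered for exactly that account and device; any other device's key fails.
func (s Server) Verify(account, device string, challenge, sig []byte) bool {
	pub := s[account][device]
	if pub == nil {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because the server holds nothing secret, a breach of its credential table yields no reusable login material, which is the property a password database cannot offer.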
@couts That’s good! I’m gonna keep an eye out for Bitwarden’s support, but as long as they function on Linux, Apple, and other niche environments (like streaming apps on TV) then I would happily embrace it!
@couts @lhn @Techmeme @TechDesk and the email I received from Google contained a link that sent me to a 404. Not exactly a great first impression for already hesitant users.