***** Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it! *****

https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now

#Google continues to push ahead with its ill-advised scheme to force passkeys on users who do not understand their risks, and will try to push all users into this flawed system starting imminently.

In my discussions with Google on this matter (I have chatted multiple times with the Googler in charge of this), they have admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.

And as for ordinary people who already are left behind by Google when something goes wrong? They'll get the shaft again. Google has ALWAYS operated on this basis -- if you don't fit into their majority silos, they just don't care. Another way for Google users to get locked out of their accounts and lose all their data, with no useful help from Google.

With Google's deficient passkey system implementation -- they refuse to consider an additional authentication layer for protection -- anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis. And when you're locked out, don't complain to Google, because they'll just say that you're not the user that they're interested in -- if they respond to you at all, that is.

"Thank you for choosing Google."

--Lauren--

@lauren interesting. The whole push for passkeys has seemed a little over the top.

You give an excellent description of it!

Are other providers' implementations better? For a single device passkeys seem ok, but multiple devices or shared accounts seem problematic to me.

@lauren Google should know better than to trust client devices.

But the least vulnerable devices are probably in the hands of people with money, who are more likely to buy stuff from ads fueling their actual business of ad delivery. Making things a hair more convenient for them, the numbers might add up in terms of increased revenue if advertisers see more effective ads.

@lauren It's worth emphasizing that Google provides zero user support (based on my own experience) and for many people, losing access to accounts can be a lot more than just "oh no, my email".

Google Wallet, Gmail, Fi, Docs, everything is tied together, and can literally put a person in a precarious financial and payments position, and lose access to other non-google accounts.

Google user support is literally non-existent. It's why I've worked so hard to drop Google entirely.

@lauren I'm going to try to not use it. I hope they don't make it mandatory.
@Ertain I assume they ultimately will.
@lauren @Ertain Trust me, they WILL make this mandatory at some point hence my statement about it: https://mastodon.sdf.org/@joeo10/111212182340850692

@lauren What a poor argument. If someone watched you enter a passcode into your phone before they stole it, they’ll have access to your Gmail and Google account anyway, because your phone saved that information.

There may be valid arguments against using passkeys instead of passwords, but this blog isn’t it.

@mighty_orbot Many people have very weak (simple to see, simple to guess) PINs on their phones. Every day, many phones are stolen and cracked, leaving their owners locked out with no assistance from Google (whose usual response is -- "Just create a new account.")

And contrary to your assumption, many people do not leave credentials on their phones and choose to directly login to accounts as needed -- much more common than we techies might otherwise assume. Passkeys give away the whole store, based only on a weak phone PIN, with no option for stronger authentication over those enormously important tokens.

@lauren @mighty_orbot So maybe the message should be 'Don't use Google's passkey system unless you have a good secure PIN on your phone'? Rather than 'Google's system is irrevocably flawed'
@ChrisNoble As I understand it, passkeys aren’t a solution to the “your phone and PIN get stolen” problem; they’re for the “hacker uses your recycled password without your knowledge” problem. Passkeys make it easier to use really secure and unique passwords for the sites that support them.
@lauren do you really think that a person using a weak PIN for a phone password is also going to be responsible about not letting that phone remember their passwords? The email program remembers automatically, as does the browser via cookies. That user is equally screwed either way.
@lauren @timbray Is it just Google's implementation of passkeys you’re objecting to or is it passkeys in general?
@jacobat @timbray My area of interest is Google's implementation specifically. It IS possible to build passkey implementations without these flaws, and in those situations passkeys can indeed be very useful.

@lauren @jacobat @timbray

What's your opinion on Apple's implementation of passkeys? I spend most of my day in MacOS & iOS, so was thinking of trying it.

@notableshadow @jacobat @timbray I have not examined the Apple system. In general, any passkey system that depends on device authentication alone for access to the passkeys, without offering an additional separate authentication layer, should be considered to be highly problematic.
@lauren @notableshadow @timbray why so? I get that it’s not perfect but why is it not an improvement over passwords? From my understanding the benefits sound pretty good: Phishing proof, can’t be leaked by the service the key is providing access to, not reusable across services.
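To make the three properties listed in that reply concrete (phishing resistance, nothing secret stored by the service, no reuse across services), here is a small self-contained model of a WebAuthn-style passkey registration and login. It is an added illustration, not code from Google, the WebAuthn specification or anyone in this thread. The relying-party names, the `Authenticator`/`RelyingParty` classes and the toy textbook-RSA signature (chosen only so the script runs with the standard library; it is not a production signature scheme) are all constructed for this example. Note that the device side here does no user verification at all, which is exactly the gap the rest of the thread is arguing about: whatever unlocks the authenticator unlocks every credential in it.

```python
"""Toy model of passkey properties: one key pair per service, server keeps only
the public key, and each signed login response is bound to a challenge and origin.
Added example; NOT a real WebAuthn implementation and NOT Google's code."""
import hashlib
import json
import random
import secrets


# ---- toy signature scheme (textbook RSA over SHA-256; demonstration only) ----
def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for a demo key, not for real key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big")


def rsa_sign(priv, message):
    n, d = priv
    return pow(_digest_int(message), d, n)


def rsa_verify(pub, message, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(message) % n


# ---- passkey model ----
def origin_to_rp_id(origin):
    """In a browser this derivation is done by the user agent, not the web page."""
    scheme, _, host = origin.partition("://")
    return host.split(":")[0] if scheme == "https" else None


class Authenticator:
    """Device-side credential store: one key pair per (service, credential)."""
    def __init__(self):
        self._creds = {}  # credential id -> (rp_id, private key)

    def register(self, rp_id):
        cred_id = secrets.token_hex(8)
        pub, priv = generate_keypair()
        self._creds[cred_id] = (rp_id, priv)
        return cred_id, pub  # only the public key ever leaves the device

    def sign(self, cred_id, origin, challenge):
        rp_id, priv = self._creds[cred_id]
        if origin_to_rp_id(origin) != rp_id:
            return None  # credential is scoped to its service; a lookalike origin gets nothing
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        return client_data, rsa_sign(priv, client_data)


class RelyingParty:
    """Server side: stores public keys only, so a database leak yields no reusable secret."""
    def __init__(self, rp_id):
        self.rp_id, self.users, self.pending = rp_id, {}, {}

    def register(self, user, cred_id, pub):
        self.users[user] = (cred_id, pub)

    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)  # fresh, single-use challenge
        return self.users[user][0], self.pending[user]

    def finish_login(self, user, client_data, sig):
        cred_id, pub = self.users[user]
        data = json.loads(client_data)
        if data["challenge"] != self.pending.pop(user, None):
            return False  # stale or replayed response
        if origin_to_rp_id(data["origin"]) != self.rp_id:
            return False  # signed for some other origin
        return rsa_verify(pub, client_data, sig)


def demo():
    """Walk through registration, a real login, a replay and a lookalike-origin attempt."""
    device, bank, shop = Authenticator(), RelyingParty("bank.example"), RelyingParty("shop.example")
    cid_bank, pub_bank = device.register("bank.example")
    bank.register("alice", cid_bank, pub_bank)
    cid_shop, pub_shop = device.register("shop.example")
    shop.register("alice", cid_shop, pub_shop)
    results = {"distinct_keys": pub_bank != pub_shop}
    cred_id, challenge = bank.begin_login("alice")
    client_data, sig = device.sign(cred_id, "https://bank.example", challenge)
    results["legit"] = bank.finish_login("alice", client_data, sig)
    results["replay"] = bank.finish_login("alice", client_data, sig)
    cred_id, challenge = bank.begin_login("alice")  # a relayed real challenge...
    results["phish"] = device.sign(cred_id, "https://bank-example.com", challenge)  # ...signed from the wrong origin
    return results


if __name__ == "__main__":
    print(demo())
```

Running it shows `legit` true, `replay` false, `phish` `None` and `distinct_keys` true. What the model deliberately does not contain is any check on the person holding the device before `Authenticator.sign` is called; that is the "additional authentication layer" the thread keeps returning to.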
@jacobat @notableshadow @timbray Because it's a single point of failure. Rather than (for example) having a weak phone PIN providing access to the phone but not to unlogged-in accounts that may still need passwords and 2SV, this implementation provides access to ALL accounts based ONLY on that weak PIN. Nor is Google willing to even offer an optional additional authentication layer for the passkeys.
@lauren @notableshadow @timbray Okay, that’s surprising. I thought you would have to authorize biometrically. At least that’s the case for Apple. Just getting raw access to passkeys with just device access sounds crazy.
@jacobat @notableshadow @timbray Yes, Google's implementation allows the use of device PINs. And of course many people use PINs, because they either don't trust fingerprint auth or they can't get it to work reliably.
@lauren So if my phone ever gets lost or stolen, I'm also permanently locked out of all my Google accounts? That's a horrible idea!
@daylightatheism There are still other account recovery mechanisms -- IF a culprit hasn't moved quickly to lock you out of them (and often, they move VERY quickly). And of course, Google's account recovery systems are often dismal at best, locking out vast numbers of users permanently for no good reasons. Just because, basically, Google can't be bothered with them.

@daylightatheism

Passkeys can be multi-device, so if you lose your phone but have a laptop as another trusted device you can access them that way. Then add a replacement phone asap.

@lauren

@mackaj @daylightatheism A big risk is an easily compromised (weak authentication) phone stolen, and owner locked out of their accounts before they have access to another device. Happens every day. Also, many people have only ONE device.
@lauren @mackaj This doesn't sound like an improvement on passwords at all. It just replaces one set of risks with a different set of risks.
@daylightatheism @mackaj It could be an improvement with proper implementation, and for devices with strong authentication it can be useful. Google unfortunately has cut corners in a very unfortunate manner that puts devices with weak authentication at added risk, in my opinion.

@daylightatheism

I intend to use passkeys eventually, but it won't be Google's implementation. I'll go with a 3rd party. I already use Bitwarden for password management so I'm holding out to see what they come up with.

@lauren

@daylightatheism @lauren @mackaj A new product, you say? Imposed on all users?

Look, there’s a lot of uncertainty and controversy here, but we can count on one thing for certain: Google will cancel this in a couple years.

@daylightatheism @lauren @mackaj

Sometimes I wonder what things would be like if password managers had been invented ten years earlier.

@lauren Reminds me of a conversation I had with a Googler that I know: they were bragging about not caring when a change they made resulted in three million users not using their product anymore.
@zack @lauren That's such a weird flex. If I bragged about shedding a third of our product user base, I'd be politely asked to look for a new job.
@klausfiend @zack At Google, it's pretty much all about billions, not millions.

@klausfiend @zack @lauren indeed, but it's Google. (a) Google has something like 4.3 billion DAU; 3 million is .06%, (b) at the scale they operate, losing 3 million users due to an improvement in the experience of a billion users is a massive net positive.

... obviously, this means Google can't be in charge of the entire world of computing. Not when they pursue that calculus.

@mark @klausfiend @zack And this is key (no pun intended). At G scale, letting millions or tens of millions of users who depend on it swing in the breeze locked out of accounts inappropriately is NOTHING. In the "real world" that's one hell of a lot of real people, and often the already most vulnerable people. And G management just DOESN'T CARE. I know. I've banged my head into the wall trying to get them to treat these people better. And even after all these years I've gotten nowhere at this.
@lauren @mark @klausfiend and, honestly, if companies like this actually had to compete for users instead of simply being able to acquire all their competitors, this wouldn't be nearly as much of a problem
@lauren I thought passkeys were only supposed to be implemented on devices with strong biometric authentication built-in. Google's not doing that?
@karabaic Of course many people don't use biometric auth because they either don't trust it or can't get it to work reliably.
@lauren I see the point that biometrics might not be an option in some situations, but is a fingerprint scan stronger than a pin?

@dima @lauren In terms of security, yeah a print is less likely to get hacked, but there's also the legality issue with prints.

Biometrics are seen in the same light as locks and keys according to most jurisdictions, making them vulnerable to search warrants and other legal operations.

Of course, we can say that if you have nothing to hide, you're fine, but it still sets an ugly precedent.

@DreamingDarkly so one needs to think of different use cases, such as: a device is stolen in a coffee shop, authorities demand access, etc.

@dima Exactly.

The only devices I use bios for are devices that aren't linked to anything that could be used against me. It's not even a matter of whether I'm doing something I shouldn't, but the fact that we live in a society where you can't trust anyone.

Anything that is connected to banks or anything that ties to info that can be used to track/target/harm me gets an ultra long and secure password/key.

Bios are convenient, but also convenient for anyone who may want to use them against you.

@DreamingDarkly @dima This is part of why many people don't want to use biometrics. Also, they can be very unreliable, and lock you out at the worst possible time.
@dima That is not a trivial question to answer, because so much depends on implementation details and other issues. Many people don't want to use fingerprints because many laws give authorities much stronger invasive powers for fingerprint authentication than if passwords or PINs are used. E.g., often they can force you to unlock with a fingerprint, but not with a PIN or password without additional authority (e.g., search warrant). Also, some implementations are just flaky as hell, and lock you out at the worst possible time. I have a fairly high-end smartphone, but all of the sudden it will stop accepting my fingerprint, causing all sorts of hassles.

@lauren Fingerprints (assuming they work) might save me from a thief in a coffee shop who is able to observe me interacting with my device.

PINs or Passwords might save me from authorities who can legally force me to provide my bio-metric data.

In the case of Google, whose customer support is non-existent, ideally we want to satisfy at least the two use cases above without putting ourselves at risk of being locked out.

@lauren You’re using Google and are afraid that somebody would read your mail? 🤣

But that beside… I think passkeys are worse than a proper 2FA solution. Simpler to use but… a phone PIN or bad face recognition isn’t secure at all.

@Krit Actually, user data at Google is very secure. I've worked inside Google and have always been impressed with the privacy protocols in place in this respect.
@lauren Can you suggest any articles that would explain these vulnerabilities? I signed up for the passkey system because I assumed all passkeys are safer than passwords and two-factor.
@GreatApez There's been very little discussion of passkeys outside the realm of their proponents. My discussions are in various venues including here on Mastodon and in my long-standing mailing lists, you should be able to search for them fairly easily. I hope.

@lauren

There is a reason I do not check my gmail.

@lauren Google is pushing threats to a new location, not eliminating threats. People are more likely to be placed at physically proximate risk. I get asked to verify my logins 3 different ways, but 2 of them are useless because anyone who has my phone has access to everything. I prefer that my phone be easy to access and not be much of a security risk if it is stolen. I'm out of luck.
@lauren
Am I correct in thinking that I'll have to have my phone on hand to access passkeyed accounts?
@Nazani Depends on implementations and configurations. But perhaps a more interesting question is what happens to people who don't use smartphones at all? Then you have to depend on other devices' authentication. But many people don't use ANY authentication on their home systems. There are far more of these cases than Google would care to admit. And putting aside thefts, what happens when the phone just breaks down? Doesn't boot one day. Gets dropped and dies. Then you have to depend on Google's oh so much fun account recovery systems, that lock out vast numbers of users permanently for no valid reason.
@lauren Right, and nobody cares about people who can't afford multiple devices or those who prefer basic phones.

@lauren @Nazani

It's also more than just Google regarding not using #smartphones.

I run into a disturbing, and ever-growing, number of web-based #services that simply cannot be accessed without a #smartphone - they want a phone number rather than an #email address to register, they want to #SMS you a PIN (ugh, SS7) to create an account or log in or pretty much anything else.

I choose not to have a #mobile phone - but I'm starting to see even #government/#public services that require one.

@lauren yeah I fucking hate this. My experience of it was having to immediately try to disable it because it was trying to insert an invalid password. Nearly locking me out of my account.

Useless, unwanted, insecure rubbish.

@lauren @timbray I disagree with this take. The question we should be asking is not "is this perfect?" - because of course it is not. But the question should be "is this better than passwords?" and it most certainly is. We should try not to let 'perfect' be the enemy of 'good’. If I'm mistaken on the 'better than passwords' part - I'm happy to be corrected, of course.

@uberbrady @timbray If someone doesn't store their passwords on their phone (and many people don't, because they don't trust password managers, often with good reasons), and the phone with typically weak authentication is compromised, all of their accounts under this scenario are compromised as well. By the time they can get to another device (assuming they even have another device) the perpetrators will likely have locked them out -- and Google is typically of no help whatsoever in these situations, telling users just to "create a new account." Bye bye data. That's the passkeys scenario. Everything depends on device authentication, and Google refuses to consider even the option of an additional authentication layer for passkeys. In the absence of passkeys, given no passwords stored on the phone, the crook has the phone, and not much more.

I guarantee you that most people accepting passkeys do NOT understand them and do NOT understand the new vulnerabilities their typically weak device authentication brings with it.

I'm so damned tired of techies simply refusing to acknowledge that most people are not technical, and really don't understand most of this stuff at all. That of course is where the term "lusers" originated. Sickening.