***** Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it! *****

https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now

#Google continues to push ahead with its ill-advised scheme to force passkeys on users who do not understand their risks, and will try to push all users into this flawed system starting imminently.

In my discussions with Google on this matter (I have chatted multiple times with the Googler in charge of this), they have admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.

And as for ordinary people who already are left behind by Google when something goes wrong? They'll get the shaft again. Google has ALWAYS operated on this basis -- if you don't fit into their majority silos, they just don't care. Another way for Google users to get locked out of their accounts and lose all their data, with no useful help from Google.

With Google's deficient passkey system implementation -- they refuse to consider an additional authentication layer for protection -- anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis. And when you're locked out, don't complain to Google, because they'll just say that you're not the user that they're interested in -- if they respond to you at all, that is.

"Thank you for choosing Google."

--Lauren--

@lauren What a poor argument. If someone watched you enter a passcode into your phone before they stole it, they’ll have access to your Gmail and Google account anyway, because your phone saved that information.

There may be valid arguments against using passkeys instead of passwords, but this blog isn’t it.

@mighty_orbot Many people have very weak (simple to see, simple to guess) PINs on their phones. Every day, many phones are stolen and cracked, leaving their owners locked out with no assistance from Google (whose usual response is -- "Just create a new account.")

And contrary to your assumption, many people do not leave credentials on their phones and choose to directly login to accounts as needed -- much more common than we techies might otherwise assume. Passkeys give away the whole store, based only on a weak phone PIN, with no option for stronger authentication over those enormously important tokens.

@lauren @mighty_orbot So maybe the message should be 'Don't use Google's passkey system unless you have a good secure PIN on your phone'? Rather than 'Google's system is irrevocably flawed'.

@ChrisNoble As I understand it, passkeys aren't a solution to the "your phone and PIN get stolen" problem; they're for the "hacker uses your recycled password without your knowledge" problem. Passkeys make it easier to use really secure and unique passwords for the sites that support them.

@lauren do you really think that a person using a weak PIN for a phone password is also going to be responsible about not letting that phone remember their passwords? The email program remembers automatically, as does the browser via cookies. That user is equally screwed either way.