***** Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it! *****

https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now

#Google continues to push ahead with its ill-advised scheme to force passkeys on users who do not understand their risks, and will try to push all users into this flawed system starting imminently.

In my discussions with Google on this matter (I have chatted multiple times with the Googler in charge of this), they have admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.

And as for ordinary people who already are left behind by Google when something goes wrong? They'll get the shaft again. Google has ALWAYS operated on this basis -- if you don't fit into their majority silos, they just don't care. Another way for Google users to get locked out of their accounts and lose all their data, with no useful help from Google.

With Google's deficient passkey system implementation -- they refuse to consider an additional authentication layer for protection -- anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis. And when you're locked out, don't complain to Google, because they'll just say that you're not the user that they're interested in -- if they respond to you at all, that is.

"Thank you for choosing Google."

--Lauren--

@lauren @timbray Is it just Google's implementation of passkeys you're objecting to, or is it passkeys in general?

@jacobat @timbray My area of interest is Google's implementation specifically. It IS possible to build passkey implementations without these flaws, and in those situations passkeys can indeed be very useful.

@lauren @jacobat @timbray

What's your opinion on Apple's implementation of passkeys? I spend most of my day in MacOS & iOS, so was thinking of trying it.

@notableshadow @jacobat @timbray I have not examined the Apple system. In general, any passkey system that depends on device authentication alone for access to the passkeys, without offering an additional separate authentication layer, should be considered to be highly problematic.

@lauren @notableshadow @timbray Why so? I get that it's not perfect, but why is it not an improvement over passwords? From my understanding the benefits sound pretty good: phishing-proof, can't be leaked by the service the key is providing access to, not reusable across services.

@jacobat @notableshadow @timbray Because it's a single point of failure. Rather than (for example) having a weak phone PIN providing access to the phone but not to unlogged-in accounts that may still need passwords and 2SV, this implementation provides access to ALL accounts based ONLY on that weak PIN. Nor is Google willing to even offer an optional additional authentication layer for the passkeys.

@lauren @notableshadow @timbray Okay, that's surprising. I thought you would have to authorize biometrically. At least that's the case for Apple. Just getting raw access to passkeys with just device access sounds crazy.

@jacobat @notableshadow @timbray Yes, Google's implementation allows the use of device PINs. And of course many people use PINs, because they either don't trust fingerprint auth or they can't get it to work reliably.