***** Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it! *****

https://lauren.vortex.com/2023/10/10/dont-use-google-passkeys-now

#Google continues to push ahead with its ill-advised scheme to force passkeys on users who do not understand their risks, and will try to push all users into this flawed system starting imminently.

In my discussions with Google on this matter (I have chatted multiple times with the Googler in charge of this), they have admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.

And as for ordinary people who already are left behind by Google when something goes wrong? They'll get the shaft again. Google has ALWAYS operated on this basis -- if you don't fit into their majority silos, they just don't care. Another way for Google users to get locked out of their accounts and lose all their data, with no useful help from Google.

With Google's deficient passkey system implementation -- they refuse to consider an additional authentication layer for protection -- anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis. And when you're locked out, don't complain to Google, because they'll just say that you're not the user that they're interested in -- if they respond to you at all, that is.

"Thank you for choosing Google."

--Lauren--

@lauren I thought passkeys were only supposed to be implemented on devices with strong biometric authentication built-in. Google's not doing that?

@karabaic Of course many people don't use biometric auth because they either don't trust it or can't get it to work reliably.

@lauren I see the point that biometrics might not be an option in some situations, but is a fingerprint scan stronger than a pin?

@dima @lauren In terms of security, yeah a print is less likely to get hacked, but there's also the legality issue with prints.

Biometrics are seen in the same light as locks and keys according to most jurisdictions, making them vulnerable to search warrants and other legal operations.

Of course, we can say that if you have nothing to hide, you're fine, but it still sets an ugly precedent.

@DreamingDarkly so one needs to think of different use cases, such as: a device is stolen in a coffee shop, authorities demand access, etc.

@dima Exactly.

The only devices I use bios for are devices that aren't linked to anything that could be used against me. It's not even a matter of am I doing something I shouldn't but the fact that we live in a society where you can't trust anyone.

Anything that is connected to banks or anything that ties to info that can be used to track/target/harm me gets an ultra long and secure password/key.

Bios are convenient, but also convenient for anyone who may want to use them against you.

@DreamingDarkly @dima This is part of why many people don't want to use biometrics. Also, they can be very unreliable, and lock you out at the worst possible time.

@dima That is not a trivial question to answer, because so much depends on implementation details and other issues. Many people don't want to use fingerprints because many laws give authorities much stronger invasive powers for fingerprint authentication than if passwords or PINs are used. E.g., often they can force you to unlock with a fingerprint, but not with a PIN or password without additional authority (e.g., a search warrant). Also, some implementations are just flaky as hell, and lock you out at the worst possible time. I have a fairly high-end smartphone, but all of a sudden it will stop accepting my fingerprint, causing all sorts of hassles.

@lauren Fingerprints (assuming they work) might save me from a thief in a coffee shop who is able to observe me interacting with my device.

PINs or passwords might save me from authorities who can legally force me to provide my biometric data.

In the case of Google, whose customer support is nonexistent, ideally we want to satisfy at least the two use cases above without putting ourselves at risk of being locked out.