Google and Apple use passkeys to capture users by locking credentials into their platforms and have made the UX of passkeys worse than that of password managers (William Brown/Firstyear's blog-a-log)

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/
http://www.techmeme.com/240427/p5#a240427p5

Passkeys: A Shattered Dream

Firstyear's blog

@Techmeme This is exactly why passwords are good actually, and all this webauthn bullshit is just unnecessary complexity.

@SiteRelEnby @Techmeme Sorry, have to strongly disagree here. Passwords are terrible even when good passwords are used, because of the ease in phishing them with lookalike web sites. And in practice they’re even worse than that, because lots of users reuse passwords and are then vulnerable to credential stuffing attacks when one of the sites is inevitably breached. Passkeys are the best solution, but it’s fairly early and they definitely have usability and portability challenges right now.

@crdotson @Techmeme I'll take password + TOTP over some brittle protocol with a dubious future of support that's tied to web browsers, while my KeePass DB is portable.

If people want a better system than passwords, why not just use SSH keys? Avoids all this browser bullshit and is well implemented and understood everywhere.

@SiteRelEnby @Techmeme Well, at the heart of it, passkeys are really just public/private key pairs with a web protocol (webauthn) wrapped around it. If you used ssh keys on the web, you’d have a public/private key pair with … a web protocol wrapped around it. You can argue that webauthn is implemented poorly, and I’d agree to some extent, but in my opinion it or something very much like it is desperately needed.

@crdotson @Techmeme Yeah, it is implemented poorly. Zero reason for it to be tied to a browser other than Google's usual E/E/E play. Could have just used something like ssh-agent instead.