0 days since site tricked me into making a passkey
@xssfox Ugh, I hate that that concept caught on; one of those things that I *want* to like from a security perspective, but I have zero faith in the platforms doing it. Especially since the whole idea is built on some *extremely* US-centric assumptions about mobile device ownership and usage that do not hold true universally (and they don't even hold true universally *in the US*)
@lupinia @xssfox I have only a vague understanding of the details of passkeys. Would you like to elaborate on the assumptions? I am still not sure if I should use them.

@neuron @xssfox So, the basic idea is that your phone (or other mobile device) is your authentication method: Unlocking your phone during the login process logs you into whatever you're trying to use. But there's no direct interaction between devices, so it's more like simultaneously logging in from two separate devices in parallel, which means it requires the infrastructure and data access of a monopolistic megaplatform to work as securely as advertised in the first place. And when it works as advertised, it's really easy! But, just a sampler of the ways this can go wrong in practice, for normal people who aren't wealthy tech bros living specifically in major West Coast cities:
- You lost/broke your phone or someone stole it and you don't have a second phone sitting around but you need to be able to log in to stuff to replace it.
- You lost/broke your phone or someone stole it and you can't afford to replace it immediately.
- You lost/broke your phone or someone stole it and you can't turn on cloud backups because the platform says it's not available in your country.
- Someone stole your phone and you *do* replace it, but your old phone is still out there and the thief did a sloppy job wiping it for resale, and the buyer uses it to set up their own passkey somewhere, and the platform flags this as suspicious and locks out *both of you*.
- The above scenario, but also the platform doesn't officially offer customer support in your country or language.
- You can't afford to buy a new phone every year or two and the platform arbitrarily decides your phone is too old to log you into stuff anymore.
- You *can* afford to buy a new phone every year or two, but only because the phones available to you are either used models, or the unsold leftovers from wealthier countries, so by the time you buy a new phone, it's considered "obsolete" by people on another continent who make a quarter million dollars a year.
- You're trying to log in to something from a computer but your phone doesn't have internet access.
- You're trying to log in to your computer but it doesn't have internet access so unlocking your phone is useless (seen this happen with MacBooks).
- The platform's geolocation data is inaccurate in your country and they think your phone and computer are arbitrarily too far apart even though you're literally holding them both.
- The platform decides they don't allow passkeys from your country but they forgot to tell you this until after you already set it up.

These are just the ones I *remember*. And this doesn't even factor in the basic concept of human mortality - I've been dealing with the mess passkeys cause in *that* scenario for *months*.

In short, my criteria for recommending passkeys are as follows:
- Do you live within 50 miles of San Francisco, CA or Seattle, WA and plan to stay there forever?
- Do you comfortably own at least two personal mobile devices and plan to continue to do so indefinitely?
- Does your annual salary have at least six digits?
- Do you trust at least one monopolistic megaplatform (Apple, Google, or Microsoft) to be a permanent, inescapable middleman in every attempt to log in to things forever, and to indefinitely support the brand-new standard they championed?
- Do you plan to die alone and unloved with no surviving friends, family, or creative/business partners who might need access to something you locked behind a passkey?

If the answer to all of the above is "yes", then passkeys are for you!

@lupinia @xssfox Just wanted to give you a quick thank you! ❤️ I still have to digest that and want to follow up. It seems a few things you mentioned are of the category "they could be done better, but we know the incentive structure of companies and should have specced around them". I always thought of passkeys as a second factor for convenience (TOFU like) and not as a replacement.
@neuron @xssfox yw! And yeah, if passkeys were another type of MFA, this would be a VERY different conversation, but nope, they are a full-on replacement for conventional authentication. Theoretically, the conventional username/password/MFA is still there as a fallback, but in practice, it's entirely at the whims of the platform to algorithmically decide whether to allow you to use them, and I've personally never seen a situation that *didn't* lead to "lolnope, use your passkey or GTFO".
@neuron @xssfox Also, like I said at the top, this largely comes down to the problems being with the platform-owning companies implementing the technology, combined with the fact that passkeys are uniquely dependent on monopolistic infrastructure in ways that make them prohibitively impractical to implement without the direct involvement and control of Google, Apple, and/or Microsoft, OR making so many trade-offs that it'd be easier and more secure to just not bother, and implement something else that accomplishes a similar security role *without* being dependent on platform-monopoly surveillance to function (like FIDO or mTLS/smart cards).