I don't like #Passkeys over #Passphrase and #MFA (edit: specifically, rotating PIN codes via a password manager or dedicated auth app)

Am I wrong? Or is it the children who are wrong? #Security #Privacy

@miclgael passkeys are MFA, your personal preferences aside
@relishthecracker ah so it's "more MFA", where more types of auth = more better - rather than a replacement?

@miclgael

> ah so it's "more MFA", where more types of auth = more better - rather than a replacement?

Both yes, and no. It’s complicated. 🤣

Passkeys are meant to be a full replacement. Eventually.

And one day it will become that.

But right now, for the few corps that use it, they are probably using Passkeys and authentication wrong.

In an ideal world the user experience for authentication should be as follows:

1. Enter username
2. Insert passkey & touch the button (or hold key to NFC reader)
3. Supply 6-8 digit PIN
4. Obtain access

That’s it. Touch the key, supply PIN, obtain access. That’s all it should be.

This would also be acceptable:

1. Enter username / password
2. Insert passkey & touch button (or hold key to NFC reader)
3. Obtain access (no PIN necessary)

If you’re not experiencing something like this for your logins, it means the application owner hasn’t properly thought through the authentication.

@relishthecracker

That's really interesting, thanks.

@miclgael My problem with passkeys is that it is websites asking end users, not browsers. Browsers pioneered saving passwords and could present a consistent UI (and clearly explain the benefits). Websites give all different UIs and are terrible at explaining the benefits.

@miclgael
I haven't accepted a passkey yet! And I don't plan to.

If I don't understand it, I won't use it.

@Quasit maybe that's what it is. The tech dropped just as I happened to be entering my "cannot learn a new thing or I'm going to lose it" phase of my life.
@miclgael we have not yet succeeded in telling the right story to average users. Consistent UX and automating the approach so text or email validation automatically sets up a passkey instead of giving people the constant cred verification flow.

@trode who is the "we" in this story? Just curious.

My understanding of passkey is "a device is now your auth instead of an app"

and since apps are (usually) multi-platform and devices (typically) die every other year, it just seems inferior in every way, from a practical perspective.

@miclgael @trode The big problem right now is that every #passkey implementation is different.

A thing that sidetracks people is worrying about ‘moving a passkey from one system to another’; instead, set up a passkey in each trusted system.

Unless of course the server didn’t implement passkeys right and it doesn’t support multiple passkeys; if that happens I won’t use them.

It’s actually great, it’s just too much damn research. (On the server side too.)

I’m hopeful it’ll get there eventually.

@chazh @trode I get what you're saying but my first thought reading the last line was

ah like VR, NFTs and Betamax 😅

@miclgael @trode Ah, but in those cases there were workable alternatives and passwords still suck quite a lot.
@miclgael @trode But really you’re not wrong they’re not a great experience.

@miclgael
If you already have a password vault that you like and you already use strong passwords and MFA, you may not be the target audience. You are probably doing fine.

You may want to TRY them, if only so that you can tell your less-technical family members who are using simple passwords, no MFA or only SMS MFA, if they are objectively better than what they are doing now. They might be more likely phishing targets than you are.

Personally I love them but I will only use Bitwarden or YubiKey passkeys, not Apple or Google, as those are too limiting. I definitely like not having to type OTP codes.

Good luck

@nekodojo @miclgael I don't know how I even lived before I started using password managers.