I don't like #Passkeys over #Passphrase and #MFA (edit: specifically, rotating pin codes via a password manager or dedicated auth app)

Am I wrong? Or is it the children who are wrong? #Security #Privacy

@miclgael passkeys are MFA, your personal preferences aside
@relishthecracker Ah, so it's "more MFA", where more types of auth = more better - rather than a replacement?

@miclgael

> Ah, so it's "more MFA", where more types of auth = more better - rather than a replacement?

Both yes, and no. It’s complicated. 🤣

Passkeys are meant to be a full replacement. Eventually.

And one day it will become that.

But right now, for the few corps that use it, they are probably using passkeys and authentication wrong.

In an ideal world the user experience for authentication should be as follows:

1. Enter username
2. Insert passkey & touch the button (or hold key to NFC reader)
3. Supply 6-8 digit PIN
4. Obtain access

That’s it. Touch the key, supply PIN, obtain access. That’s all it should be.

This would also be acceptable:

1. Enter username / password
2. Insert passkey & touch button (or hold key to NFC reader)
3. Obtain access (no PIN necessary)

If you’re not experiencing something like this for your logins, it means the application owner hasn’t properly thought through the authentication.

@relishthecracker

That's really interesting, thanks.