Technology

58061 readers

3084 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

503

Big Tech passkey implementations are a trap | Proton (proton.me)

submitted 5 months ago by AnActOfCreation@programming.dev to c/technology@lemmy.world

220 comments fedilink hide all child comments

Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.

you are viewing a single comment's thread
view the rest of the comments

[–] SniffDoctor@lemmy.ml 2 points 5 months ago* (last edited 5 months ago) (1 children)

If I use a password manager with long random passwords, and use 2FAS to generate those 6-digit two factor authentication codes whenever possible (as opposed to SMS/email 2FA), is there any advantage?

Is it just that you don't actually have to type anything, just press "I approve" on your phone after entering your username?

Or is it more just designed to improve security for people like my family members who use the same ~10 digit passwords for everything?

[–] Spotlight7573@lemmy.world 1 points 5 months ago

It's definitely trying to be user friendly enough that non-technical users like the family members you mention can use it to replace passwords. For your use case with a strong password and 2FAS to generate a code, it still gets rid of the phishing potential. The main advantage for the other people like your family is that they don't have to type or autofill anything, just select an account to log into or click approve on their phone. A main advantage for the service is that the user's diligence is taken out of the equation for a lot of it and they don't have to worry about a user giving their password and 2FA codes to a phisher. If a user tries to use a passkey at the wrong site (like a phishing site), it won't pop up as an option to select because the domain is wrong.

Passkeys can also help anyone who is using a service in an indirect way. The 23andMe "breach" was due to stolen credentials from other actually breached sites being used to log into accounts that have data shared with them. That 23andMe data was shared to those compromised users by people who may have actually had all their security turned up to the highest settings like 2FA but was nonetheless scraped and obtained by the bad actors anyways. If 23andMe had been using passkeys (or even magic login links in an email), there would have been no credentials from other sources to use against their 23andMe's users. Moving everyone to more secure authentication methods is in the best interest of everyone involved, it's just that typically it was a hassle to have to setup an authenticator app or a password manager for 2FA. Passkeys, when everything is working properly, finally provide both more security and more convenience for the average person than just a password and so people might actually adopt them.