Technology

I disagree with most of those arguments in the article… Additionally, there is nearly no passkey using service that does require you to still have PW and 2FA login active even if you use passkeys

We are right now in the learning/testing phase. It is not a flip and suddenly only passkey work. Transition to passkey only will be a very long time, like it was for 2FA, like, my girlfriend has it on, only at about 2 services, lol.

The main problem I have is, that people without knowledge get grabbed into walled gardens using passkeys. People with knowledge know that you can use alternative apps for passkeys, like proton or strongbox (keepass).

I wish FIDO had paid more attention to SQRL. It's long in the tooth now, but with some attention it could have been a better solution than passkeys, IMO.

I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I'd love to use passkeys + biometrics otherwise, since I've often felt that the auth problem would be best solved with asymmetric cryptography.

EDIT: I meant to say "would still allow passkeys+MFA." hooray for sleep deprivation lol.

There was a related news recently, that bitwarden and other pw managers will be able to sync passkeys between devices. Won't that solve these issues?

I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.

Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn't want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).

I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It's so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.

It's even sinpler than email 2fa or sms 2fa or vendor app 2fa.

For authenticator app you also can't easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.

DHH with a pants-on-head stupid argument just because he hates the big players in tech? Must be a day ending in Y again.

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

1. Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it's even there at all.

2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There's a lot about that process that just seems like it's up to the implementer. But I don't think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.

Incidentally I have no idea who this is or whether his opinion should be lent more weight.

If you're using a hardware token to replace passwords, you're doing 2FA wrong

Dunno, we rolled it out without issue. But of course they also had keepass. You want password AND (TOTP token or hardware token)

I thought passkeys were supposed to be a hardware device?

This is typical embrace/extend/extinguish behavior from the large platforms that don't want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.