A lot of services support passkeys. Microsoft even has an option to make my account “passwordless”. Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone’s thoughts on passkeys. 🔑

  • Darkassassin07@lemmy.ca · 25 upvotes · 3 months ago

    They are more secure than password authentication, though how much more secure depends on how the user manages their passwords.

    If a user never reuses passwords across different services and maintains long complex passwords, preferably randomized strings, the security upgrade of Passkeys is quite marginal. Arguably marginal enough to not even bother. The farther a user gets from ‘ideal’ password security practices though, the more of a security upgrade Passkeys would be for them; though convincing them of that is another story…

    Switching to Passkeys does take a lot of responsibility off of both the user and service provider. The user no longer needs to ensure passwords aren’t reused, insufficiently complex, or already compromised; and the service provider doesn’t need to worry about leaking your passkey, as they only have the public key portion, which can’t be used to log in as you.

    In some ways they can be more inconvenient though. With a password, even a long unique complex password stored in my password manager, I can open the password manager on my phone, read the password I want, and manually enter it into an unfamiliar or shared device without having to load my entire password/key vault onto that device. Passkeys make that impossible, essentially forcing you to provide the whole vault to the device or give up. It is also a big step for people that aren’t familiar with password managers and are used to just remembering their passwords, to then switch to a passkey manager where they can’t use their memory to log in anymore.

    There’s good sides and bad sides to everything really. Some people will prefer one way, some will want the other way. Ultimately I think we’ll get pushed into using Passkeys by most companies, just so they can shed some of the responsibility of keeping your credentials secure. A stolen passkey database, unlike a password database, would not allow you to pose as users, which leads to fewer claims of fraudulent activity.

    • 777@lemmy.ml · 2 upvotes · 3 months ago

      Passkeys (depending on implementation) are more resistant to info stealer viruses.

      The private key portion can be in your OS’s credential store and can be used to sign the challenge without being revealed to the calling application.

      Of course this doesn’t work if you got rooted, but a lot of viruses of this kind try to steal what they can get as a regular user, and you can get a lot, i.e. AWS credentials, saved browser passwords etc.

      In my view it’s cheap defense in depth.
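The two properties the thread leans on, that the service only ever holds a public key (Darkassassin07) and that the private key signs a challenge without being handed to the calling application (777), are easy to see in a reduced model of the passkey challenge-response flow. The Go below is an added illustration written for this thread, not code from Lemmy, any passkey vendor, or the WebAuthn specification; the `Authenticator`, `RelyingParty` and the `rpID|challenge` message layout are simplifications chosen here (real WebAuthn signs over authenticator data plus a hash of client data, and the key lives in a platform credential store or hardware rather than in a process variable).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the credential store side. The private key is kept
// unexported; the only operation a caller gets is Sign, which is the point
// 777 makes: an info stealer running as the user sees signatures, not keys.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key pair, one per account/site.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only part of the credential that is sent to the service
// at registration time.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge for one relying party ID. Binding the site ID into
// the signed message is what makes a signature for a look-alike site useless
// at the real one (hypothetical layout: sha256(rpID || "|" || challenge)).
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the service. Its "credential database" holds public
// keys only, so a dump of it cannot be replayed as a login.
type RelyingParty struct {
	ID         string
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		ID:         id,
		users:      map[string]*ecdsa.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Register stores the user's public key.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = pub
}

// BeginLogin issues a fresh random challenge; freshness is what defeats replay.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// FinishLogin verifies the signature against the stored public key and the
// outstanding challenge, then discards the challenge so it is single-use.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) error {
	pub, ok := rp.users[user]
	c, pending := rp.challenges[user]
	if !ok || !pending {
		return errors.New("no login in progress for user")
	}
	delete(rp.challenges, user)
	digest := sha256.Sum256(append([]byte(rp.ID+"|"), c...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("example.com") // constructed sample relying party
	rp.Register("alice", auth.PublicKey())
	c, _ := rp.BeginLogin("alice")
	sig, _ := auth.Sign(rp.ID, c)
	fmt.Println("login:", rp.FinishLogin("alice", sig))
	rp.BeginLogin("alice")
	fmt.Println("replayed signature:", rp.FinishLogin("alice", sig))
}
```

Running `main` prints a nil error for the genuine login and a verification error for the replay. The same functions also show the other two defender-side properties from the thread: a second authenticator (standing in for whoever obtained a copy of the service's public-key table) cannot produce a valid signature for alice, and a signature made for a different `rpID` fails at `example.com`.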