Support was first offered in May, but now Google suggests it as the default choice.

Passkey is some sort of specific unique key to a device allowing to use a pin on a device instead of the password. But which won’t work on another device.

Now I don’t know if that key can be stolen or not, or if it’s really more secure or not, as people have really unsecure pins.

  • kakes@sh.itjust.worksEnglish
    393·
    1 year ago

    While I would agree this sounds more secure, I’m always worried about people getting further locked in to Google’s products.

    Hopefully this system won’t take accounts “hostage” by requiring you use Chrome to log in to them, but it’s Google, so…

  • alvvayson@lemmy.worldEnglish
    21·
    1 year ago

    It’s definitely more secure, since stealing someone’s phone is much more difficult to scale up compared to stealing passwords.

    • Engywuck@lemm.eeEnglish
      22·
      1 year ago

      I don’t think that access to your personal data/email/files being dependent on a battery-powered electronic device is a great idea, to be honest.

      • alvvayson@lemmy.worldEnglish
        32·
        1 year ago

        That’s why they invented chargers, eh.

        But more seriously, there are recovery procedures if you lose a phone with or without a backup and if you are willing to share the keys with a cloud provider, you can also store them there and use them on any of your devices.

        Or you can get something like a yubikey if the battery aspect is really that problematic for you.

        • Engywuck@lemm.eeEnglish
          51·
          1 year ago

          The fact is that I fail to see something obviously wrong with outrageously long/complicated passwords managed by e.g. Bitwarden or the likes.

          • alvvayson@lemmy.worldEnglish
            13·
            1 year ago

            Bitwarden is also supporting passkeys, so it won’t make a difference for their users whether they use passwords or passkeys.

            And the fact that you don’t see anything wrong is more a you problem. Boomer mentality, dude. Don’t became one.

    • Ada@lemmy.blahaj.zoneEnglish
      8·
      1 year ago

      It’s not quite unique to a specific device. You can store your private key in a password manager or something similar, and then access it from other devices

      • alvvayson@lemmy.worldEnglish
        2·
        1 year ago

        Depends on your personal choice. You can definitely limit them to a single, hardeneddevice if you want the highest level of security.

        For most users and most situations, a synced solution will be preferable.

    • V0lD@lemmy.worldEnglish
      5·
      1 year ago

      But it becomes much easier if you want to compromise a specific target individual

      • alvvayson@lemmy.worldEnglish
        12·
        1 year ago

        No, not really.

        Even if you want to target a specific user, it doesn’t become necessarily easier.

        Unless you happen to target an individual that combines good password OpSec with shitty phone OpSec.

        But I would expect those to be a minority.

        • V0lD@lemmy.worldEnglish
          4·
          1 year ago

          Hi, yes, I am that minority

          I have a 37 character password with both cases, numbers and special characters to login to my pw vault using long random strings

          My phone has a swipe pattern lock since that is the safest lock option it allows in the first place. I wish I could lock it better, but the only other options available to me are a 4 character pin, and fingerprints/facial scan. I hope the problems with those are obvious

          Couple that with the fact that I have a daily predictable commute in public transit where I have a habit to put my phone next to me during breakfast and you have a recipe for disaster.

    • Midnight Wolf@lemmy.worldEnglish
      4·
      1 year ago

      Me, at the bank:

      Robbers, as they enter the bank: everybody freeze

      Me: ah shit

      Robbers: everyone give me your phones

      Me: aw hell naw

      mission impossible style shootout

  • TheBananaKing@lemmy.worldEnglish
    152·
    1 year ago

    Nope. Not going to have my entire digital everything depend on me not losing or breaking a single electronic device.

    • Tibert@jlai.luOPEnglish
      12·
      1 year ago

      You won’t need to?

      The key is for a single device. Logging in on another one is going to generate another key.

      They key is secured with the pin of the device, so when you try to log in, you can use the pin to log in, and not the password.

      https://youtu.be/6lBixL_qpro?si=wFFQwrfjQBKDHs5B

      • Kusimulkku@lemm.eeEnglish
        2·
        1 year ago

        Would you have to set up multiple devices when making your account then, if you wanted more than just your phone?

  • devfuuu@lemmy.worldEnglish
    141·
    1 year ago

    Fuck google.

    passkeys sounds good on paper and for most users on day to day stuff should improve their security. But the failure path is horrible and it happens at the worst case most of the time. If I have the keychain on the phone and lose it or is out of battery and usually happens that I need to access some service like email, then if the email provider starts forcing people to use passkeys or you only have that method on, then I’m locked out of the account and can’t use email. This will happen for all other services that one may need to use on an emergency. Personally I don’t like it.

  • a_fancy_kiwi@lemmy.worldEnglish
    12·
    1 year ago

    Someone else correct me if I’m wrong but it works similar to PGP.

    Background info:

    • Your device generates two keys, a private key and a public key
    • The public key can be given to anyone and the private key stays with you
    • The public key is used to encrypt data and the private key is used to decrypt it

    Usage:

    1. You sign up for a service with all the normal info minus a password and click submit
    2. In the background, a private key is generated and stored in iCloud Keychain, Google Passwords, or a 3rd party password manager (so all your devices can access it). A public key is also generated and given to the service
    3. Now you try and login. You enter your username and click login
    4. In the background, the server encrypts a challenge, token, or some piece of data and sends it to your device
    5. Your device decrypts that piece of data with the private key associated with the website
    6. At this point, your device either sends the decrypted data back to the server in exchange for an access token or maybe you decrypted the access token (not sure exactly how that will work. If it’s the former, the data would still be encrypted via ssl so only you and the server would see it)
    7. Now you are logged in

    Closing:

    So, it’s supposed to be more secure because every time you login, you never type in a password that gets transferred to the server for verification. The server is sending your device data to verify so that it can then verify you. This mainly prevents phishing and the reuse of passwords but I suppose if someone hacks into your iCloud account or whatever, they have the keys to the kingdom 🤷‍♂️

    • JasSmith@kbin.social
      7·
      1 year ago

      As you point out, the single point of failure is access to the passkey repository. Of course, this will usually be 2FA, so much more secure than simple passwords which people usually employ.

      One major issue, IMHO, is vendor lock-in. I’ve no doubt Apple is going to make migration away from iCloud a huge pain in the ass. It’s just another way they’re going to make it difficult to leave their ecosystem.

      I’m also worried about backups. People lose access to their Google and Apple accounts routinely for any and no reason at all. Will these keys be stored in the cloud? If so, access to EVERYTHING is just a capricious random algorithm away from being lost.

      I wouldn’t touch any passkey system which doesn’t provide a seamless way to migrate away especially if I’ve lost access to my Apple/Google account.

    • Nolegjoe@lemmy.worldEnglish
      5·
      1 year ago

      How does this work with checking my emails on a public computer in a library, for example? Somehow my private key needs to be shared with the library pc?

      • Kusimulkku@lemm.eeEnglish
        1·
        1 year ago

        Wouldn’t the private key stay in your phone and you’d be exchanging a challenge and a response?

  • NeoNachtwaechter@lemmy.worldEnglish
    8·
    1 year ago

    people have really unsecure pins.

    Ok but what’s unsecure with ‘1111’ as long as I’m not telling the order of the digits to anybody?

  • AutoTL;DR@lemmings.worldBEnglish
    5·
    1 year ago

    This is the best summary I could come up with:

    Google is taking a big step toward making passkeys the default login option for its users.

    Starting today, users logging in to personal Google accounts will be prompted to create and use passkeys instead of passwords when possible.

    They’re both easier to use and more secure than passwords, so users no longer need to rely on the names of pets, birthdays or the infamous “password123.” Instead, passkeys let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face scan or a screen lock PIN.

    And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

    Google has been experimenting with passkeys across numerous products, including Chrome, over the past year.

    Users who want to forgo passkeys can uncheck the “skip password when possible” option in their accounts.

    The original article contains 289 words, the summary contains 146 words. Saved 49%. I’m a bot and I’m open source!

  • Seagull@lemmy.caEnglish
    2·
    1 year ago

    This video about passkeys is fascinating. They are very secure even if your pin is 1234. The only way for someone to hack your account is if they have your device.