this post was submitted on 16 Oct 2024
228 points (86.3% liked)

Technology

58706 readers
4034 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
228
Passwords have problems, but passkeys have more (world.hey.com)
submitted 1 day ago by exu@feditown.com to c/technology@lemmy.world
166 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] azalty@jlai.lu 17 points 11 hours ago (5 children)

I have never understood the goal of passkeys. Skipping 2FA seems like a security issue and storing passkeys in my password manager is like storing 2FA keys on it: the whole point is that I should check on 2 devices, and my phone is probably the most secure of them all.

[–] ByteOnBikes@slrpnk.net 1 points 35 minutes ago

That was my take too.

Security training was something you know, and something you have.

You know your password, and you have a device that can receive another way to authorize. So you can lose one and not be compromised.

Passkeys just skip that "something you have". So you lose your password manager, and they have both?

[–] drphungky@lemmy.world 2 points 3 hours ago

It feels like the goal is to get you married to one platform, and the big players are happy for that to be them. As someone who's used Keepass for over a decade, the whole thing seems less flexible than my janky open source setup, and certainly worse than a paid/for profit solution like bitwarden.

[–] ICastFist@programming.dev 2 points 3 hours ago

I find phones the least secure devices simply because of how likely they are to be damaged or stolen

[–] sem@lemmy.blahaj.zone 1 points 3 hours ago (1 children)

I love storing 2FA in the password manager, and I use a separate 2FA to unlock the password manager

[–] azalty@jlai.lu 2 points 1 hour ago* (last edited 1 hour ago) (1 children)

I imagine you keep your password manager unlocked, or as not requiring 2FA on trusted devices then? Re entering 2FA each session is annoying

You still have the treat of viruses or similar. If someone gets access on your device while the password manager is unlocked (ex: some trojan on your computer), you’re completely cooked. If anything it makes it worse than not having 2FA at all.

If you can access your password manager without using 2FA on your phone and have the built in phone biometrics to open it like phone pin, finger or face, someone stealing your phone can do some damage. (Well, the same stands for a regular 2FA app, but meh, I just don’t see an improvement)

[–] ByteOnBikes@slrpnk.net 1 points 33 minutes ago

I went to see HR a month ago and they had a post-it of their password for their password manager. We use passkeys too.

And this was after security training.

[–] interdimensionalmeme@lemmy.ml 1 points 8 hours ago

OTP in the password manager Private key pkcs#12 in a contactless smart card plus maybe a pin if I'm feeling fancy