Passkeys replacing passwords

Chuckanut

We are on the verge of starting to use Passkeys to replace Passwords.

From an article in ArsTechnica:

https://arstechnica.com/gadgets/2022/12/rip-passwords-passkey-support-rolls-out-to-chrome-stable/#p3
Passkeys are here to (try to) kill the password. Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors—Google, Apple, Microsoft—along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey.
Passkeys are not phishable, and because they require your phone to be physically present (!!) some random hacker from halfway around the world can't log in to your account anyway.
I said passkeys "require a phone" but actually it's any portable device. It will most likely be a phone, but technically you can do the whole Bluetooth/QR Code connectivity dance with an iPad or Macbook, too. If you're all-in on Apple, you'll have a lot of this pain alleviated by cloud syncing, but Google doesn't have a way to seamlessly sync passkeys to every instance of Chrome, the way it does with passwords.
 
My fear is we convert to one, and somehow, I am locked out. I just do not understand how these work.
 
So somebody steals my phone, or clones my phone and downloads the backup from the cloud, and they have access to ALL my accounts...

I used to use a device for work; it generated a new number every minute. A few years later the company was hacked and all those devices were no longer secure, as they could be duplicated.
 
Google seems to be the last company I would want to entrust with access to all of my accounts. OK. 2nd to last ahead of Facebook.
 
Good questions above. I don't know the answer. I assume (<----- dangerous!) that the various experts in IT security will chime in on this over time. I'm not rushing into it myself.

The real issue for me is similar to that of fully self-driving cars: Nothing is perfectly safe. So...Am I safer doing it myself or letting the automation do it? Time will tell.
 
I'm waiting for more sites to support it.

There will be passkey sync providers other than Google and Microsoft. LastPass, for example, would be my choice.
 
I'm waiting for more sites to support it.

There will be passkey sync providers other than google and microsoft. Lastpass, for example, would be my choice.

Yes, they have only been hacked twice in the last six months. :facepalm:

1Password, which is my choice, will also support passkeys.

Apple, Google, and Microsoft are the big 3 implementing passkeys so far, but there are many more working on it.
 
Yes, they have only been hacked twice in the last six months. :facepalm:
True, but they don't know my passwords. They are encrypted/decrypted on my device before being stored. They have been very timely & open about the intrusions and what they're doing about it.
 
I'll stick to my userids, passwords and security question answers. They are long and complex for the first two and stupidly ridiculous for the security question answers; no one will crack them.
 
It's about damn time they figure this out already. When I left the Air Force in 2014, we had been using CACs (Common Access Cards) for several years. It was your military ID and had a chip in it: you plugged it into a reader, entered a 7 to 10 digit PIN, and you were free to "roam" the internet. No passwords to remember...you just had to have your card. I have no idea why this hasn't been adopted in some form or fashion.
 
I'm not so sure I like the direction of the phone being required for any and all on-line access. I have an annoying habit of dropping phones overboard or otherwise losing/breaking them.

Without my phone to receive the verification texts, I can't access most of my bank accounts already. I'm not sure I want to add to the number of sites I'd be locked out of next time that happens.
 
I'm not so sure I like the direction of the phone being required for any and all on-line access. I have an annoying habit of dropping phones overboard or otherwise losing/breaking them.

Without my phone to receive the verification texts, I can't access most of my bank accounts already. I'm not sure I want to add to the number of sites I'd be locked out of next time that happens.

I’m the same way with sites that only send verification by text. I prefer email as an alternative.
 
I’m the same way with sites that only send verification by text. I prefer email as an alternative.

Totally agree. IT security "experts" are idiots on reality. Many areas do not have reliable phone service but Wi-Fi is fine. I regularly work in an area where phones are not allowed. I am regularly locked out of my Google accounts for no reason other than Google engineers make invalid assumptions about the world outside of the Bay Area. In the last few days I have been locked out of my Google accounts because of an accident that took out a cell tower near me. So Google got suspicious when I did not respond to its security crap, texts and contact on my phone. My phone was fine and I could even make calls on my home Wi-Fi, which worked fine. But some idiot at Google decided a cell tower going down in a rural area is suspicious? Give me a break!
 
I went through this yesterday on a new site. I’m getting ready to create “Strong password” when it throws a bunch of gobbledygook at me about how passkeys are better and, by the way, do you want facial or other biometric recognition?

The digital world is way too confusing, yet we are completely dependent on it.
 
I’m happy with FaceID and TouchID with 2FA for now. If something goes wrong, I still have secure passwords. When Apple does Passkeys I’ll consider it; no way I’ll use Google's version. YMMV
 
I was a committer on an open source app that was similar to what Google is doing. The scheme I worked on was actually better; there were protections built in, but if you blew it, there was nobody to call, and your stuff was gone-gone.

This stuff isn't just userid password in the cloud with a little encryption sprinkled on it. I think, without learning about it, that's the impression people get.

I'll describe, briefly, the scheme I worked on, which is called SQRL. To start, you make an identity, which is saved on paper and on your phone. The identity is locked on the phone with a password, and that's the only password in the scheme. With the paper, your password, and another device, you can add your identity to the new device.

The gist of the scheme is that the domain of the site you are accessing is mixed with your identity and that's what proves it's really you. Obviously all this has a lot of cryptographic magic to prevent eavesdropper replays and the obvious stuff. What you see is, when you go to a web site, you activate the app (or the app activates) and you're in. No password.

The reason this didn't take off is a long discussion, but IMO, it's because the scheme didn't require the web site owner to know anything about you. They know with certainty it's the same password-knowing person. They can have a user record with all kinds of snoopy stuff, but that's not required by the scheme. All the web site owners could get together and compare your SQRL record from each, and there would be no correlation. And, the web site owner could even make their SQRL records public without compromising security.

Google's scheme probably has the ability to track you across multiple sites, since that's what they're all about, but I say that because of their reputation, not because I've understood the protocol.

One thing about this thing that might make using it worthwhile is that the second factor stuff they have now is so bad, like calling my house when I'm traveling. They'd have to really trust the new scheme and not keep today's crappy second factor stuff for me to give in to the new stuff.
 
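The post above describes a per-site identity derived by mixing the site's domain into one master secret, which is also the mechanism behind the "not phishable" claim in the Ars excerpt quoted at the top of the thread: the key a client uses is bound to the domain it is actually talking to. The following is an added, simplified sketch of that idea, not the SQRL reference code or Google's passkey implementation. It assumes a 32-byte master secret (constructed here), HMAC-SHA256 for the per-site derivation, Ed25519 for the signatures, and invented domain names; it also adds a per-login nonce so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is the user's single master secret. In the scheme described above
// that secret is the one thing backed up (paper) and locked with the one
// password (phone); every per-site key is re-derived from it on demand.
type Identity struct{ master []byte }

// IdentityFromMaster wraps an existing 32-byte master secret (the demo and the
// test use a constructed value; a real client draws it from crypto/rand).
func IdentityFromMaster(master []byte) *Identity { return &Identity{master: master} }

// NewIdentity draws a fresh random master secret.
func NewIdentity() (*Identity, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return IdentityFromMaster(m), nil
}

// siteKey mixes the site's domain into the master secret with HMAC-SHA256 and
// uses the result as an Ed25519 seed. Different domains give unrelated keys,
// so two sites cannot correlate one user, and a look-alike phishing domain
// produces a key the real site has never seen.
func (id *Identity) siteKey(domain string) ed25519.PrivateKey {
	mac := hmac.New(sha256.New, id.master)
	mac.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(mac.Sum(nil)) // Sum is 32 bytes, the seed size
}

// SitePublicKey is the only identifier a site ever learns about the user.
func (id *Identity) SitePublicKey(domain string) []byte {
	return []byte(id.siteKey(domain).Public().(ed25519.PublicKey))
}

// Authenticate answers a login challenge by signing nonce||domain with the key
// for the domain the client actually sees; the client never trusts a server's
// claim about which domain it is.
func (id *Identity) Authenticate(domain string, nonce []byte) []byte {
	return ed25519.Sign(id.siteKey(domain), challengeMessage(domain, nonce))
}

func challengeMessage(domain string, nonce []byte) []byte {
	msg := append([]byte{}, nonce...)
	return append(msg, []byte(domain)...)
}

// Site is a relying party that stores only public keys. As the post notes,
// leaking this table gives an attacker nothing to log in with.
type Site struct {
	Domain string
	users  map[string]bool
}

func NewSite(domain string) *Site { return &Site{Domain: domain, users: map[string]bool{}} }

func (s *Site) Register(pub []byte) { s.users[hex.EncodeToString(pub)] = true }

// NewNonce issues a fresh challenge per login attempt so a captured response
// cannot be replayed later.
func (s *Site) NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify accepts a login only if the presented key is registered and the
// signature covers this site's own nonce and this site's own domain.
func (s *Site) Verify(pub, nonce, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || !s.users[hex.EncodeToString(pub)] {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), challengeMessage(s.Domain, nonce), sig)
}

func main() {
	id, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	bank, shop := NewSite("bank.example"), NewSite("shop.example")
	bank.Register(id.SitePublicKey(bank.Domain))

	nonce, _ := bank.NewNonce()
	fmt.Println("genuine login ok:", bank.Verify(id.SitePublicKey(bank.Domain), nonce, id.Authenticate(bank.Domain, nonce)))

	// Phishing: the user is lured to a look-alike domain that relays the bank's nonce.
	phish := "bank-example.evil"
	fmt.Println("phished login ok:", bank.Verify(id.SitePublicKey(phish), nonce, id.Authenticate(phish, nonce)))

	// Two sites comparing their user tables see unrelated identifiers.
	fmt.Println("bank id:", hex.EncodeToString(id.SitePublicKey(bank.Domain))[:16])
	fmt.Println("shop id:", hex.EncodeToString(id.SitePublicKey(shop.Domain))[:16])
}
```

The relay attack fails for two independent reasons: the key derived for the phishing domain is not one the bank registered, and even if the attacker substitutes the user's real public key, the signature covers the wrong domain string. Cross-site correlation fails because the bank's and the shop's identifiers are outputs of an HMAC under different inputs and share nothing an observer can link.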
...IT security "experts" are idiots on reality...

I was an IT security expert and I agree with this assessment. I was on the committee which wrote the requirements for one information security certification program, and I never even bothered to get certified.

I am regularly locked out of my Google accounts for no reason other than Google engineers make invalid assumptions about the world outside of the Bay Area.

Also agree here. Every time I log onto a GMail account on my laptop, I get locked out until I log on (from the same laptop, on the same network) via the GMail web site instead of my e-mail client.

How does that improve security? And, don't they understand we have mobile devices nowadays which don't always log on via the same network? Of course this only happens if you use some other e-mail app than their own, so it's clearly not done just for security.
 
Gmail can become a dead-end trap for authentication. This summer I went to a foreign country and downloaded their local ride-hailing app. It insisted on using a Facebook login to register instead of an email. As part of their login process it sent a "security code" which caused Messenger to load in a web browser. I am a light Facebook user, not sure I had the full Messenger app installed, which might have been a contributing factor in all this.

Long story short, since this was the first time I had used messenger in this web browser, I could not successfully complete its login process without facebook asking for a "security code" that it had sent to my recovery email address. So I attempted to login into that gmail account which failed because it was the first time I had used this gmail address on this device. Google insisted that I first login from the device that it knew about, which was a computer back home.

I ended up creating a new gmail account to create a new facebook account to signup for a ride hailing app. More "secure", but a waste of time.
 
Resurrecting this old thread because the day is getting closer when passkeys will be the norm.

From a piece today:
Google has announced that passkeys, touted by the tech giant as the “beginning of the end” for passwords, are becoming the default sign-in method for all users.
...
On Tuesday, the company took a step closer towards killing off the password with the announcement that it’s making passkeys the default authentication method for all Google Account holders.
“This means, next time you sign in to your Google Account, you’ll start seeing prompts to create and use passkeys, simplifying your future sign-ins,” said Google product managers

Google makes passkeys the default sign-in method for all users
 
good thing I never sign in to my google account. . . and don't use gmail. . . but I am sure they will get me eventually . . . when I w*rked we went thru a lot of different auth methods . . . most required more support because they were constantly screwed up . . . not sure I understand how this will work in practice though
 
So how does a passkey work? Don't you need a key fob? Or is your device itself the key fob (i.e. you have a key on your computer and another key on your phone)?
 