Passkeys replacing passwords

Probably a software tag on your device or in something else they force you to use if I had to guess. I know I say this a lot but it seems a bad idea to have your phone be a key to anything as it could be lost or stolen or damaged.
 
Probably a software tag on your device or in something else they force you to use if I had to guess.

So how would that work with multiple devices (iPhone, iPad, computer)? And what about a different computer like one at my daughter's house if I want to log in while visiting?
 
So how would that work with multiple devices (iPhone, iPad, computer)? And what about a different computer like one at my daughter's house if I want to log in while visiting?

The key may be on your phone, such as the Google Authenticator app. Whenever you access Google from a new computer you open the authenticator app and enter the code to gain access.
 
The key may be on your phone, such as the Google Authenticator app. Whenever you access Google from a new computer you open the authenticator app and enter the code to gain access.

Thanks.

Ugh. I hate the thought of that. I’ve heard stories about people not able to do business because their phone was lost/broken . . . and the only way in is to enter the code they text to your phone.
 
The key may be on your phone, such as the Google Authenticator app. Whenever you access Google from a new computer you open the authenticator app and enter the code to gain access.

That just sounds like the 2-step authentication they've had for a while. When I log into any Google account on any device, a pop-up appears on my phone asking if it's me trying to log in.
 
https://support.google.com/accounts...f-signing-with-passkeys,lost-or-stolen-device

I'm not really inclined to think hard enough to read that link properly today but it bypasses the 2nd step of 2 step auth.

"If your account has 2-Step Verification or is enrolled in the Advanced Protection Program, you will bypass your second authentication step by signing in with a passkey, since this verifies that you have possession of your device."
 
With Apple you don't need to use an authenticator app.

Once you set it up (which was simple the times I've used it), the passkey for a site is stored in your iCloud Keychain.

So, for example, Home Depot supports this.

1. I go to home depot.com
2. Click Sign In
3. Enter in my account (e.g. myaccount@myemail.com)
4. It asks "Use Face ID to sign in"
5. Tap "Continue" (there is an alternative "Other sign in options")
6. It verifies who you are using Face ID and you are in.

Note: On my Mac it uses Touch ID instead of Face ID (likewise on older iPhones that use Touch ID).

If I select "Other sign in options" I get three options:

- use the passkey for the current account entered (basically, the default)
- "iPhone, iPad, or Android" "Use passkey from a device with a camera"
- "Security Key" "Use an external security key"

These options allow the more complicated case where the passkey isn't in the Keychain. This allows using an Android phone or YubiKey or other security manager.


Frankly, it's not really any simpler for Apple users - your password is also stored in the Keychain and if you use a generated long, random password you are in good shape. But the passkey is actually more secure since the key is cryptographic.

More info: https://support.apple.com/guide/iphone/use-passkeys-to-sign-in-to-apps-and-websites-iphf538ea8d0/ios
 
Thanks.

Ugh. I hate the thought of that. I’ve heard stories about people not able to do business because their phone was lost/broken . . . and the only way in is to enter the code they text to your phone.

Unfortunately that is often the case with holding any sort of passkey, whether it is a phone with a code unlocked by a fingerprint or Face ID or a physical device that generates a code. If you lose the physical passkey then access becomes really difficult. Before my UK bank started using a Face ID on their banking app to authenticate a computer login I had to carry around a credit card sized device that I had to enter a PIN to unlock and generate an authentication number to login.
 
I really worry about losing my phone and being unable to access any of my on-line accounts. It happened to me once, while I was away on the boat in a relatively remote location. Back then there weren't as many sites which required 2FA so I got by.

Today they almost all do. I'd be screwed without my phone. I'm trying to set up backup options, like a 2nd phone number or an e-mail address for the 2FA verification wherever it's supported. I've also gotten a Google Voice number (and have been looking at other VoIP phone providers) which I can use on a backup phone and/or my tablet which each have a Google Fi data-only SIM card.

We take a huge risk when we depend on our phones for everything.
 
.....

We take a huge risk when we depend on our phones for everything.

Yes, we do. I try to rely on my phone for as little as possible.
 
Am I the only one who doesn't understand what a passkey is exactly? The explanations seem vague. I will not be using one if I can help it.
 
Am I the only one who doesn't understand what a passkey is exactly? The explanations seem vague. I will not be using one if I can help it.

It is something you physically possess to prove it is you accessing the account. It might be something you plug into the USB port on the computer you are using, it might be a key fob or credit-card-size device that is synced with your account and generates a code, or it could be an app on your phone that generates a code.
 
I was just starting to enjoy the use and convenience of a password manager when I heard about passkeys. Passkeys seem like a good idea, but I think websites should give users a choice between password managers and passkeys.
 
It's a concept as old as computer security itself. There are three ways to authenticate a user: something they know, something they are or something they have.

Any one of those can be compromised. Requiring two makes it (in theory) more secure. Hence the term two-factor authentication. That being harder to say, the marketing folks appear to have settled on the term "passkey" this week.

Of course, not everything carries the same risk. The only totally secure system is one that no-one at all can access, not even legitimate users. But that's pointless. The trick is to strike a balance between convenience and an appropriate level of security. FWIW, they don't usually get it right.
 
Am I the only one who doesn't understand what a passkey is exactly? The explanations seem vague. I will not be using one if I can help it.

No, most of the people here don’t. Heck, I don’t understand it beyond being able to use it.
Here is a primer on it: https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference

One thing I see over and over again in this thread I would like to address…
No one is required to use it even if they use an iPhone, Google device, or Microsoft device. It is available as an option on those devices, not a requirement.
 
No, most of the people here don’t. Heck, I don’t understand it beyond being able to use it.
Here is a primer on it: https://www.techtarget.com/whatis/feature/Passkey-vs-password-What-is-the-difference

One thing I see over and over again in this thread I would like to address…
No one is required to use it even if they use an iPhone, Google device, or Microsoft device. It is available as an option on those devices, not a requirement.

I read that and I must say that I still do not understand how I would log on to my accounts from my desktop computer with a passkey. I think I might be able to do it from my phone, since it has a fingerprint reader, but I wouldn't want to. I never access my financial accounts with my phone.
 
I read that and I must say that I still do not understand how I would log on to my accounts from my desktop computer with a passkey. I think I might be able to do it from my phone, since it has a fingerprint reader, but I wouldn't want to. I never access my financial accounts with my phone.

From the above link it explains how Bluetooth is used so you must be within a short distance of your desktop computer. If you have chosen to use a passkey and linked your phone to that account then on logging in you will have an option to select a login using your passkey, then as long as your phone is with you and you have unlocked it then the account will open.

It is similar to how I have used my MacBook these past few years. I have linked my Apple Watch to the MacBook so that I don't have to enter a password every time I wake it up. (It sleeps when I close the lid or I haven't used it for a certain period.) When I click the mouse or open the lid and I am wearing my Apple Watch then it unlocks my account without me needing to enter my password.

This is all optional, no one needs to use a passkey, you can stick with a password unless your bank or financial institution insists on it.
 
Here's a try at explaining the details... ;-)

There are really two parts to all this passkey stuff: 1. using the passkey to log in to a site and 2. managing your passkeys.

1. Logging into a site.

With a password, you send the actual password to the remote site along with your account identifier. The remote site has a master list of the account IDs and their associated passwords and it checks this to see if they match.

Because the remote site has to store passwords and account IDs somehow, this data is what is stolen during a data breach and allows hackers to potentially access your account.

With passkeys the remote site doesn't store your secret (password). Breaking into, say, Fidelity and stealing their data won't get the hackers anything useful since there is no password stored at Fidelity to steal.

Rather, passkeys use public-key cryptography when you set up the account to allow authentication without exchanging a password. This is why it's better than passwords.

At account setup time, your local system generates a public and private key pair. It keeps the private key and gives the public key to the remote site. Stealing the public key from the remote site is not enough information for the hackers to log into your account.

To actually login with passkeys, the remote site uses the public key you gave it to encrypt a single use secret (basically a random number) and sends this to you. You then decrypt this secret with your private key and send it back. If it matches, you are authenticated.

Because of how this works, as long as you keep your private key a secret, there is no way for a hacker to break this system - the public key is public so having it isn't valuable (unlike a password). Also, intercepting the data exchanged between the remote site and you isn't useful since it's only used once.


2. Managing your private key.

This varies a lot depending on what is managing your private key.

You could just print out the passkey on paper and type it each time you log in. But then you'd have to secure that and type in a very long number each time.

Notice that there isn't any requirement for biometrics or key fobs or whatever.

BUT the various implementations from system vendors and password management companies that support passkeys DO provide secure management of your passkeys - often using biometrics or other secure schemes.

For example, Apple's implementation stores your passkeys in iCloud Keychain and protects that via either Face ID or Touch ID biometrics as well as sharing the passkeys across all your Apple devices.

There are lots of schemes for providing good protection.

NOTE: passkeys are NOT two factor authentication. Passkeys are a more secure direct replacement for the passwords we all have used before.
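As an added illustration of the login step described in the post above (this is example code written for this thread, not Apple's, Google's or any vendor's implementation), here is a small Go program using only the standard library. The device keeps an ECDSA private key, the site stores only the public key, and every login starts with a fresh random challenge. Real passkeys (FIDO2/WebAuthn) have the device sign the challenge rather than decrypt it, which is what this code does; the properties the post lists still hold: a breach of the site yields only public keys, a device without the private key cannot answer, and a captured response is single-use. The site name `example.test`, the account names and the `|` separator used to bind the challenge to the site are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty models the website (the "remote site" in the post). It stores only
// each account's public key, which is all a breach of its database could expose,
// plus the one-time challenges currently outstanding.
type RelyingParty struct {
	name       string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{
		name:       name,
		pubKeys:    map[string]*ecdsa.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Authenticator models the user's device (phone keychain, laptop, security key).
// Private keys are created here and never leave.
type Authenticator struct {
	privKeys map[string]*ecdsa.PrivateKey // keyed by relying-party name (assumed layout)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{privKeys: map[string]*ecdsa.PrivateKey{}}
}

// Register is account setup: generate a key pair on the device and hand the
// site only the public half.
func (a *Authenticator) Register(rp *RelyingParty, account string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.privKeys[rp.name] = priv
	rp.pubKeys[account] = &priv.PublicKey
	return nil
}

// Challenge starts a login: a fresh 32-byte random nonce, valid for one attempt.
func (rp *RelyingParty) Challenge(account string) ([]byte, error) {
	if _, ok := rp.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[account] = c
	return c, nil
}

// signedMessage binds the challenge to the site name (the "|" separator is an
// assumption for this example), so a response made for one site is useless at another.
func signedMessage(rpName string, challenge []byte) []byte {
	digest := sha256.Sum256(append([]byte(rpName+"|"), challenge...))
	return digest[:]
}

// Sign is the device's side of the login: prove possession of the private key
// by signing the challenge. It fails if no passkey exists for that site.
func (a *Authenticator) Sign(rpName string, challenge []byte) ([]byte, error) {
	priv, ok := a.privKeys[rpName]
	if !ok {
		return nil, errors.New("no passkey stored for " + rpName)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpName, challenge))
}

// Verify checks the signature with the stored public key and consumes the
// challenge, so an intercepted response is worthless afterwards.
func (rp *RelyingParty) Verify(account string, sig []byte) bool {
	pub, known := rp.pubKeys[account]
	challenge, pending := rp.challenges[account]
	if !known || !pending {
		return false
	}
	delete(rp.challenges, account) // single use, whether or not verification succeeds
	return ecdsa.VerifyASN1(pub, signedMessage(rp.name, challenge), sig)
}

func main() {
	site := NewRelyingParty("example.test")
	phone := NewAuthenticator()
	if err := phone.Register(site, "user@example.test"); err != nil {
		panic(err)
	}
	c, _ := site.Challenge("user@example.test")
	sig, _ := phone.Sign(site.name, c)
	fmt.Println("first login:", site.Verify("user@example.test", sig))
	fmt.Println("replayed response:", site.Verify("user@example.test", sig))
}
```

Running it prints `true` for the first login and `false` for the replay. Note that nothing here stops someone who has unlocked the device itself, which is exactly why the vendors wrap the private key in Face ID, Touch ID or a device PIN, and why losing the device (the concern raised several times in this thread) is a recovery problem rather than a cryptographic one.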
 
And when you lose your passkey (physical device or your cellphone is SIM-swapped) what then?
 
My main concern with passkeys is how good the people who run the passkey system are.


My former password manager was pretty good, but apparently at least one employee loaded the customers' encrypted database on a computer that was not safe from attack. Bad guys cracked the computer and got all that encrypted data. And some of the encryption options used were based on obsolete tech and thinking, thus making some of the encrypted data easy to crack. Not so good.
 
For those worried about losing their phone or being locked out:

DW and I share a Lastpass account (cheaper to do too). We also share a passcode into our iPhones. So we would only be hosed if both iPhones were unusable. Both phones have individual FaceID for normally getting into them and the same shared passcode.

This works for us because we are oldies that have shared everything for many years. I actually trust her. ;)
 
W*rk was using physical keys when I left and they were a pain in the butt. . . not reliable, glitchy. And I am not giving a face print . . . hard to get a new face after all. . . but I had the impression this thread was resurrected because we might be FORCED to use this stuff. IDK. I don't want to think about it.
 