Passkeys replacing passwords

And when you lose your passkey (physical device or your cellphone is SIM-swapped) what then?

What happens when you lose a password?

To use passkeys you'll want to either use the system-provided infrastructure (Apple, Google, Windows, etc.) or a password manager supporting passkeys like Dashlane, NordPass, 1Password, etc. These systems provide various types of backup.

Not sure what SIM swapping has to do with it.
 
Not sure what SIM swapping has to do with it.

I agree. SIM swapping is what happens when a thief manages to obtain your phone number on your phone, then attempts a login to one of your accounts and uses that phone number to gain access by clicking "lost password" and using that phone number to get in, so having a passkey or an authentication app on an actual device defeats that method.

It became so common a method of hacking into accounts a few years ago that the EU legislated that all EU regulated banks had to use a different method of 2FA than an SMS code sent to the registered phone number.
 
Don’t you backup your phone?

Sure. But that doesn't help me get into my account when my phone is sitting on the bottom of the ocean until I can get to a phone store to buy and set up a new phone.

...So we would only be hosed if both iPhones were unusable...

This works for us because we are oldies that have shared everything for many years. I actually trust her. ;)

This is the approach I'm moving toward. Two phones, either of which can do the important stuff. For when we're not together, I also have my old phone with a data-only SIM card. That doesn't have my "regular" phone number but I can keep an alternative VoIP number in it.
 
I agree. SIM swapping is what happens when a thief manages to obtain your phone number on your phone, then attempts a login to one of your accounts and uses that phone number to gain access by clicking "lost password" and using that phone number to get in, so having a passkey or an authentication app on an actual device defeats that method.

It became so common a method of hacking into accounts a few years ago that the EU legislated that all EU regulated banks had to use a different method of 2FA than an SMS code sent to the registered phone number.

From what I understand the SIM swapping occurs because someone posing as the customer gets access to the telecom account. A good telecom company does not allow employees to talk with customer support without use of a password. For instance, at T-Mobile our account is protected by a more than 10 digit account password which is saved in our LastPass account.

So do not use a short password and keep it secure.
 
After having read up on this, I have developed the following understanding (possibly incomplete):

1. If I lose *all* my devices, I will then need to rely on some service that syncs the passkeys, whether that is a password manager or Apple iCloud keychain or whatever the equivalent is over on Google's side. This probably involves a PIN number of some sort. Alternate contacts can also be used. Possibly a set of backup codes that one can save or print off.
2. If someone steals a device from me, they will not be able to instantly gain access to all my stuff unless they know my device password or have cut off my fingers. Or maybe knock me out and use my fingers or face to open the device. In this case, there are probably worse things to worry about than having my accounts breached. Like not dying.
3. In Scenario 2 a physical passkey (like YubiKey) would be theoretically *less* secure, since stealing it gives full access without needing fingers or faces or physically assaulting the owner.
4. Some of the procedures to reset things if you lose access to a device are similar to the current procedures for using MFA or 2FA. This, in effect, makes passkeys a smoother, easier, faster way to unlock apps and websites while still maintaining a 2FA structure underneath, one that you will rarely need.

Feel free to correct any of my misperceptions here, but my current thinking is - bring on the passkeys!
 
...
This is the approach I'm moving toward. Two phones, either of which can do the important stuff. For when we're not together, I also have my old phone with a data-only SIM card. That doesn't have my "regular" phone number but I can keep an alternative VoIP number in it.

It's also a good idea with iPhones to set up the Find My app. That way you can locate the phone and even wipe it clear if necessary.

I lost my iPad on a United plane flight and found this out the hard way. I called them as soon as we got home from the airport and even gave them the seat location, left in the seat pocket. United recovery of stuff left on planes is a joke. It is given to a third party and the stuff is flown in boxes to Texas. It may take some weeks before the box is opened if they have a backlog. That is, the stuff that isn't stolen.
 
The whole thing stinks. Looks like a way to force you into a physical device or device brand or OS in order get access to your accounts. Hard pass.
 
The whole thing stinks. Looks like a way to force you into a physical device or device brand or OS in order get access to your accounts. Hard pass.

Passkeys are a demonstrably more secure account login mechanism than passwords.

They're new. So support is being added to new software as it comes out. That's generally how things work.

If you have older phones or computers and for some reason don't want to upgrade your OS, then look to the existing password managers for passkey support. They will probably provide passkey support in their offerings that run on (somewhat) older hardware or OSes.

And finally, it's going to be a looong time before sites drop support for password based logins and force you to use passkeys INSTEAD.
 
The reason it is being pushed is to force people into walled gardens, not because it is more secure. I have to go adjust my tinfoil hat now.
 
There is no forcing involved.
You can buy a brand new device that uses passkeys, and when you get to a website that uses passkeys, you can choose not to use it.

Eventually that may not be the case.
But for now, if you don’t want to use an Apple, Google/Android or Microsoft device you don’t have to. And by the time passkeys are required, if ever, all devices will be capable of using them.
 
There is no forcing involved.
You can buy a brand new device that uses passkeys, and when you get to a website that uses passkeys, you can choose not to use it.
For now. But just a matter of time and, sorry we don't like your device, or we don't like your OS, go away.

Added more tinfoil. A password is subpoena resistant and can be forgotten. A device can be legally demanded by subpoena.
 
From what I understand the SIM swapping occurs because someone posing as the customer gets access to the telecom account. A good telecom company does not allow employees to talk with customer support without use of a password. For instance, at T-Mobile our account is protected by a more than 10 digit account password which is saved in our LastPass account.

So do not use a short password and keep it secure.

Exactly, but you are relying on the good training of telecom support staff. One of the big mobile phone companies, in conjunction with a customer, allowed BBC Money Box to play an interaction between a scammer and one of their customer service reps on their weekly podcast. The scammer played the part of a single, very harassed mother at a busy airport who had just bought a new SIM card and needed her number assigned to it. She was extremely convincing and the customer service rep fell for it hook, line and sinker, not following the company's security procedures, letting the scammer ham her way through the security questions without knowing the exact answers. The target fortunately noticed that he suddenly lost signal and also had notifications set on his bank account for withdrawals. The scammer did steal money out of his account before being blocked and the bank refunded everything since he had done nothing wrong at all.

I’m sure the rep was either fired or re-educated and the phone company issued a statement that this should not have happened and would be re-training all its staff etc, etc.
 
Another common effort at scamming was tried on me just last week by someone attempting to get access to my mobile phone account. I got a call purporting to be from my mobile phone company saying that I was eligible for a 30% reduction in my monthly bill and she was going to text me a verification code that I should read out to her. I heard the text come through and it certainly seemed to come from my phone company but I refused to proceed, partly because the person could not tell me what my current monthly charges are and what they are moving to, telling her that I would look at it later.

I called the phone company to report fraud which it absolutely was and the company rep was relieved that I hadn’t given the code to the caller. Of course what had happened is that the scammer had attempted to log in to my account and clicked wrong password so the system had sent a reset code to my number which, if I had given the number to the scammer would have given her access to my phone account.
 
Of course what had happened is that the scammer had attempted to log in to my account and clicked wrong password so the system had sent a reset code to my number which, if I had given the number to the scammer would have given her access to my phone account.

That seems to be a very popular technique, and I would guess that it succeeds relatively often. The key, which you obviously know, is that it was initiated by a call to you, not from you. The old "don't click a link in an email and don't respond to a phone call out of the blue".
 
From the above link it explains how Bluetooth is used, so you must be within a short distance of your desktop computer. If you have chosen to use a passkey and linked your phone to that account, then on logging in you will have an option to select a login using your passkey; then as long as your phone is with you and you have unlocked it, the account will open.
......

Then perhaps I need to learn about Bluetooth. I have never used it. How do I know if it works on my desktop?
 
Then perhaps I need to learn about Bluetooth. I have never used it. How do I know if it works on my desktop?

Go into settings to turn it on, all devices support it I think, it has been around for a great many years. Named after Harald Bluetooth a Nordic king over a thousand years ago who became famous for his diplomatic skills in uniting the tribes of Denmark into a single kingdom.

https://en.wikipedia.org/wiki/Harald_Bluetooth



If you have ever used wireless earbuds for phone, playing music etc then you have been using Bluetooth.
 
Go into settings to turn it on, all devices support it I think, it has been around for a great many years. Named after Harald Bluetooth a Nordic king over a thousand years ago who became famous for his diplomatic skills in uniting the tribes of Denmark into a single kingdom.

https://en.wikipedia.org/wiki/Harald_Bluetooth

If you have ever used wireless earbuds for phone, playing music etc then you have been using Bluetooth.

The obvious question ... did that king really have a blue tooth?

And also, what motivated the choice of that rather cool nickname?
 
..... If you have ever used wireless earbuds for phone, playing music etc then you have been using Bluetooth.
Never have done that. I do know about Harald Bluetooth, though.

Edit to add - I just checked. Apparently, I do have Bluetooth on my desktop, and it is connected to my phone. I have no idea why or how.
 
The obvious question ... did that king really have a blue tooth?

And also, what motivated the choice of that rather cool nickname?

He actually did have a blue tooth :)

The byname is given as Blachtent and explicitly glossed as "bluish or black tooth"

Never have done that. I do know about Harald Bluetooth, though.

It’s only been around 29 years, maybe you’ll come across it at some point.

https://theauris.com/blogs/blog/the-history-of-bluetooth

Harald was famous for uniting Denmark and Norway, and Kardach thought that this was similar to what they were trying to accomplish by uniting PC and cellular industries with short-range wireless links. He suggested the name Bluetooth as a placeholder.
However, when it came time to come up with a serious name, patents and licensing issues made it impossible to come up with something else. Because of that, Bluetooth became the only option, and it has stuck ever since.
The iconic Bluetooth logo is a combination of the nordic characters for “H” and “B,” the initials of Harald Bluetooth.
 
For now. But just a matter of time and, sorry we don't like your device, or we don't like your OS, go away.

Added more tinfoil. A password is subpoena resistant and can be forgotten. A device can be legally demanded by subpoena.

Passwords are less subpoena resistant than devices. And passwords are far more public than you might think.

Best Buy gets hacked, there goes your Best Buy password.
Your bank gets hacked, there goes your bank password.
Credit Rating agency gets hacked, there goes your password & SSN.

Replace "hacked" with "subpoena" as that works as well.

With passkeys none of the above will put your information at risk.

Are passkeys perfect? Certainly not.
Are passkeys leaps and bounds better than passwords, absolutely.
 
I agree that passkeys are theoretically better than passwords. But that does not mean they are actually better if people don't understand them and how to protect them.

I was a moderator on another forum about 10 years ago. One of my co-moderators was the head of IT for a commercial website. He made some claims about password security, specifically that rules made everything more secure that were mathematically dead wrong. He and I talked about it privately and his ignorance was scary given that he was actually in charge of IT security for a site with millions of users. It was like he had never taken a discrete math course.
 
This is one of the great things about passkeys.
The user doesn’t create their own passkey. Weak passwords are a thing of the past.
Every passkey is encrypted. If I use my iPhone to access a fake version of my bank, it doesn’t matter, as every passkey ‘handshake’ is a 1 use passkey.

I have often heard it said that the weakest part of passwords is the human that creates the password. Now, not so much.
 
Just got the offer to go with a passkey. Started down the path and found that it only applies to my phone and tablet, not my laptop. Fingerprint, face recog etc.

Well, I've been using fingerprint ID to unlock my phone (and all the Google apps behind it) already for a few years, so I'm not sure what they're talking about.
 
Just got the offer to go with a passkey. Started down the path and found that it only applies to my phone and tablet, not my laptop. ...

So what's the point? I still use a laptop/desktop, so I still need a password.

This is one of the great things about passkeys.
The user doesn’t create their own passkey. Weak passwords are a thing of the past. ....

I have often heard it said that the weakest part of passwords is the human that creates the password. Now, not so much.

But if I'm understanding this right, it is automatic once you have your phone/tablet unlocked? So it's less secure than a locked phone plus a password. And strong passwords aren't hard, I have a system that makes it easy to remember, I can even write them down, and store them on my computer, as the long portion is something I have memorized (an easy but meaningless mnemonic), and I only add a short unique phrase, and that's all I need to write down/remember (like Hymatyri187_myb$_opfgutY where I memorize "Hymatyri187_" and "_opfgutY" and "myb$" stands for "my bank").

If someone grabs my phone off the table at a restaurant/bar or out of my hands while I'm using it out on the street, it's unlocked and they get into my accounts w/o a password? I don't like that.

... If I use my iPhone to access a fake version of my bank, it doesn’t matter, as every passkey ‘handshake’ ...

That part sounds good.

Amazon today announced that it has added passkey support to its desktop sites and mobile apps, allowing customers to sign in to their accounts without the need for a password.

https://www.aboutamazon.com/news/retail/amazon-passwordless-sign-in-passkey

And how do I get into an account on a public, or friend's computer/phone if I need to? The passkey is on my device. A friend of ours recently dropped her phone, and it slid off the bridge into the Chicago river. She had a heck of a time, since some of the stuff she needed to access to get home used 2-factor authentication, texting a code to that underwater phone.

I haven't found fingerprint or face recognition to be very reliable on my Samsung phone, and my PIN isn't too tough to break, but I don't worry too much, since the apps would all require passwords anyhow.

Maybe this is all addressed and I'm just not getting it. But I was skeptical of 2 factor for the very reason our friend experienced. Am I wrong this time?

-ERD50
 