Passkeys are one exception to the familiar pattern of "we give you more SeCuRiTY so we can spy on you more and control your behaviour better".
They actually are more secure. Problem is, there are still a lot of technical issues with it, and a ton of stuff isn't working correctly yet.
Sure, you can use a passkey as a primary authentication, but only "a device" or "system" (KeePass/1Pass etc.) knows the passkey detail.
With only a passkey, if my passkey provider/device is compromised then everything is lost. Having single-factor auth seems like a bad idea.
A password is something that I can know, so it is still useful as a protection mechanism.
Having two-factor auth should include a password and a passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.
Unless I've missed something big, passkeys are pretty easy for me if the website supports them imo.
Using KeePassXC, I click register on the website, register the passkey with KeePass, then it just works when I need to authenticate or login. My database is then synced across all my devices.
Passkey support is yet to come to KeePassDX on Android though, so I'll be awaiting that feature.
Passkeys are a great idea, but everyone involved seems like they want the process to be as much of a pain in the dick as possible. So until the industry pulls its collective head out of its collective ass (not going to hold my breath on that one), it'll be passwords+2FA for me.
There's been a lot of pain in the attempt to portray it as "Just click the passkey button, and that's it! Your login is secured for life!"
No, buddy. It is secured for this one specific device that I have biometric authentication for. What about my computer? What about my other computer that isn't on the same operating system? I have a password manager that stores these things, why didn't you save to that when I registered? Why is it trying to take this shit from my Apple Keychain when it's in Bitwarden?
And, the next ultra-big step: How would a non-techie figure this shit out?
I use passkeys through 1Password and it’s vastly less irritating to me than anything involving passwords, especially 2fa. I really don’t like having to wait for email to arrive or copying down digits from a text message, which seems to be how 2fa typically works 90% of the time.
Passkeys are light years ahead of 2FA in user experience. Why do you dislike them?
Security based on devices is one of the positive innovations of smartphones and perhaps the only area where they've improved over the desktop experience.
Passkeys are phishing resistant, or so they say... but the web app still needs to let you in with password + 2FA... So I'm not sure how much that's really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
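The "phishing resistant, or so they say" point above comes down to checks the relying party performs on a WebAuthn assertion: the browser, not the page, writes the origin into clientDataJSON, and the authenticator binds the credential to the site's RP ID. The following is an added illustration (not code from any poster or from any passkey product) of those checks with constructed sample data; it deliberately omits the signature verification a real server also does, and `RP_ID`, `EXPECTED_ORIGIN` and the challenge bytes are assumed values.

```python
import base64
import hashlib
import json

# Assumed relying-party (RP) identity; constructed for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser builds clientDataJSON; the authenticator signs its hash
    # together with authenticatorData, so a page cannot forge the origin.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

def verify_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> tuple[bool, str]:
    """RP-side checks from the assertion ceremony that give passkeys their
    phishing resistance. Signature verification over
    authData || SHA-256(clientDataJSON) is intentionally left out here."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch (replay or cross-session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def demo() -> dict:
    challenge = b"0123456789abcdef"  # constructed; real RPs use fresh random bytes per login
    auth = make_auth_data(RP_ID)
    return {
        "genuine": verify_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth, challenge),
        # A lookalike site gets its own origin (and in practice its own rpIdHash), so it fails.
        "lookalike": verify_assertion(make_client_data("https://examp1e.com", challenge), auth, challenge),
        "stale": verify_assertion(make_client_data(EXPECTED_ORIGIN, b"x" * 16), auth, challenge),
    }
```

None of these origin or RP ID checks exist on a password+2FA fallback path, which is why leaving that path enabled weakens the guarantee the thread is discussing.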