> In the world that passkey advocates want this is impossible via the passkey flow.
That's incorrect. I use passkeys to login automagically with many services, but nothing precludes me from logging in with my (20 character) passwords.
> If you can't authenticate via a primary device that contains your private key, you're f-ed.
That's also incorrect, for multiple reasons — accounts support multiple passkeys, those passkeys are securely sync'd across multiple devices, recovery and backup mechanisms exist, etc.
> That's incorrect. I use passkeys to login automagically with many services, but nothing precludes me from logging in with my (20 character) passwords.
That is not the world which passkey advocates envision. In the case of those services you mention, passkeys are nothing but convenience; they provide no extra security. In the world passkey advocates envision, passkeys improve security, meaning the removal of password authentication options.
I've already been temporarily locked out by one such service, because a Firefox update made the passkeys I store in Bitwarden inaccessible (Firefox would pop up a macOS Touch ID modal rather than the Bitwarden passkey). That is the world which passkey advocates want, because it "improves security".
The phishing site will just ask you for a password, maaaaybe with some text explaining some BS reason why you can't use your passkeys but if it's a website which the user knows they have a password to, the kind of person who's prone to non-targeted phishing attacks likely won't even think to question why the passkey thing didn't trigger.
Honestly don’t care to spend time on looking up the various states of 2fa proxies. But I’ve learnt so far that attackers don’t build/use the most advanced tooling you can think of at all times. They often use the simplest thing that gets the job done. If it’s not targeted, it’s fine to not get the credentials of people with a passkey. Up until a significant portion of targets use passkeys, which I highly doubt to be the case as of now.
Additionally, “the kind of person who's prone to non-targeted phishing attacks” is actually everyone — including infosec professionals spending lots of time on phishing campaigns for red team engagements. You just need to be lucky enough to reach them at the right (emotional, stressful, …) moment. Getting grammar and spelling correct and even potentially slightly customising each email is made much easier by AI. Knowledgeable users might, however, stop once their passkey doesn’t work and try to understand why.
Okay? What relevance is this, if the phishing site just asks for a password then some users will enter their passwords even if they also have a passkey for that service. They aren't "not getting the credentials of people with a passkey", they are "not getting the credentials of some of the people who remember that they have a passkey and get extra suspicious because the passkey thing doesn't pop up".
I’m saying most people who do phishing likely don’t care to implement passkey detection to display a relevant error message to the user, as it’s not worth the effort, as of now.
I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account. I'm saying that to contrast with my parent comment, which claims that the world passkey advocates want is one in which passkeys offer some slight convenience advantages but no security advantages because they'll be an alternative to passwords. Obviously they don't want the software bugs, but we know bugs happen.
> I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account.
And a world where people only use passwords has the same problem if you can't log in with your password.
Moving from one single point of failure to another isn't great, but it's not a downgrade.
(And just like it's possible to back up a password, it's possible to back up a passkey. And I know passwords can be memorized, but in practice it's bad passwords that get memorized.)
I use Bitwarden for critical passkeys. Most people do not. Passkeys, as currently implemented, for the vast majority of people, do not allow for effective back-ups in ways the user controls. You can't back up the keys from your iCloud and then use them on your friend's Windows PC to access something when you lost your iPhone. You can do that with passwords.
> You can't back up the keys from your iCloud and then use them on your friend's Windows PC to access something when you lost your iPhone.
Just enroll a second device like a hardware token. Then plug your hardware token into your friend's computer and you can log in to sites on your friend's PC without having to copy over and unlock your entire password safe.
I am. I'm not convinced that this will allow me to back up passkeys in any way. I wouldn't be surprised if Apple were to allow you to transfer passkeys out in such a way that they don't work on the original device anymore, which would make this standard irrelevant for what we're talking about.
No group is unanimous and completely homogeneous. But judging by how often the security benefits get brought up by those in favor of passkeys in these kinds of discussions (including this thread), my impression is that most of its advocates view it as a security benefit. Which means they need to replace passwords, not be an optional extra.
For important sites like your email you'll add multiple passkeys. On less important ones you can just reset which passkey you use to login, using your email, if you lose one of your passkeys.
> I'm saying that the world which passkey advocates want is a world where if, for any reason, you can't log in with your passkey (due to a lost/broken device, a software bug, whatever), you'll be locked out of your account.
Can you point me to a citation or two where passkeys advocates claim that passwords must go away and/or account recovery mechanisms must be abolished?
Elsewhere in this thread [0], passkey advocates go on for quite a bit about how vulnerable passwords are to phishing. Really, any account recovery mechanism not linked to hardware would seem to be vulnerable to phishing in the way they don't want it to be.
Passkeys provide better security regardless of whether passwords continue to be supported. Two reasons off the top of my head:
• Passkeys stop phishing. Using your passkey instead of a password (when both are available) ensures you're actually signing in to the site/service you expect.
• Passkeys have zero value when leaked. Users' private keys remain secret and safe even when public keys are stolen and distributed.
That said, passwords aren't going extinct anytime soon. It will likely become more popular to require 2FA for password users in the meantime, as it should.
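The "passkeys stop phishing" point above rests on the relying party checking the origin and RP ID that the browser bakes into every WebAuthn assertion. The following added example (not code from any commenter or from a real WebAuthn library) shows those checks on constructed assertions for an assumed RP `example.com`: the genuine one passes, while one collected on a lookalike origin is rejected before any signature is even examined. The signature check over `authenticatorData || SHA-256(clientDataJSON)` is omitted here.

```python
import base64
import hashlib
import json
import os

RP_ID = "example.com"                     # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"   # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str) -> bytes:
    """First 37 bytes of authenticatorData: SHA-256(rpId) || flags || signCount.
    The authenticator hashes the RP ID the browser hands it, not a page-chosen value."""
    flags = 0x01                          # UP bit: user present
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it; the origin is the page's real origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party side checks. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Here a real RP verifies the signature with the stored public key (omitted).
    return True, "ok"


if __name__ == "__main__":
    challenge = os.urandom(32)            # constructed per-login challenge
    # Genuine login on example.com versus a constructed lookalike origin.
    for origin, rp in [("https://example.com", "example.com"),
                       ("https://example-login.com", "example-login.com")]:
        result = verify_assertion(make_client_data(challenge, origin),
                                  make_authenticator_data(rp), challenge)
        print(origin, "->", result)
```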
Passkeys don't stop phishing. If the user has both a password and a passkey to a service, a phishing site needs to just ask for a password and not mention passkeys and people will just enter their password.
>It will likely become more popular to require 2FA for password users in the meantime, as it should.
A lot of folks/services/engineers mistakenly think that layering 2FA on top of passwords will help defend against phishing attacks.
But attackers have been phishing 2FA codes since at least 2012 and it's gone from an advanced attack to bog-standard. The only way to defend against phishing attacks in 2024 is to use phishing-resistant credentials like passkeys.