
To summarize this comment chain, the initial argument is 'passkeys are not impervious to all attacks therefore they are security theater' vs 'passkeys help significantly in the most common attacks, therefore they are worthwhile.'

Statistics are hard. People have a bad habit of seeing 'not 100% foolproof' and thinking that said something is therefore worthless. Same senseless argument people made in the 80s against wearing seatbelts, and 4 years ago thinking it was a legitimate argument against wearing masks in the middle of a pandemic.




I believe that the crux of it is that password managers with autocomplete already have about the same level of protection and are both more flexible and have less lock-in.

passkeys imho are being pushed because:

1) a lot of people will not use a (good) password manager

2) it allows more lock-in for the providers (ios/android/1password/etc.)


To a first approximation no normal person uses a password manager (people find them extraordinarily hard to use; source: did trainings with a bunch of different cohorts), and the two solutions do not have "about the same level of protection". I watched a fintech company try to get people to stop relaying credentials through SMS with scammers, and that problem was practically insurmountable. I do not believe "autofill" is the fool-proof defense you think it is.


> have about the same level of protection

They don't

> have less lock-in

I have physical security tokens from multiple vendors which support passkeys. I have Windows machines with passkeys. I have Android devices with passkeys. Tell me again how it is a vendor lock-in? I'm not seeing it.


All the big implementations are locked into some big player. Like MS, Apple, Google.

And the real independent implementations like Bitwarden are often blocked by sites, as PayPal does.


> All the big implementations are locked into some big player

Often repeated. Doesn't make it true. As mentioned, I've got passkeys for services registered on multiple brands of physical authenticators and several platforms.


Which ones then? Using YubiKey means enrolling multiple of them as backup, which a lot of sites don't allow.

Other implementations are often blocked, e.g. on PayPal I've never been able to do it and they also only allow one.

The big tech ones don't have these issues but I won't use them because I want to keep control.


> a lot of sites don't allow.

About the only site I've come across that still only allows a single authenticator is the one you've already mentioned. If I pointed out a site that only allowed five-character upper-case passwords with no lockout policy and really fast responses, is that also proof passwords are completely untenable? Or just one actor with poor policy decisions? And in the end one can just choose to not use passkeys with sites like PayPal. But the extreme majority I've used allowed multiple, as that's what the specifications recommended.

In the end you can use passkeys without involving Google or Microsoft or Apple at all. Any argument that passkeys lock you into their platforms isn't based in reality and is repeating untruths. You don't need to use them to use passkeys.


Just gonna point out that AWS IAM only started allowing multiple 2FA devices 2 years ago.

https://aws.amazon.com/blogs/security/you-can-now-assign-mul...

It's entirely possible that many sites shared this flaw.


Correct, AWS was one of a small handful of services I was thinking about which did have this restriction but now hasn't had that restriction for multiple years.


Well for me it's 50% as the only two sites that I use and do passkeys are Microsoft and PayPal.

Adoption is really slow. But yeah ok, if multiple are allowed then yes it's no longer a problem. I'm sure I read of more sites that had this problem but it is indeed possible they're fixed now.


Generally people who assert that Passkeys are "lockin" also object to the notion of using a Google account as your primary online identity. Of course, you don't have to, but that's the concern: a world where they will have to.

(You should use a Google account as your primary online identity, unless you have religious reasons not to. Back up your authenticators, set up backup accounts, all that stuff; Google doesn't want you locked out any more than you do, because that requires them to attempt customer service, so they have a bunch of tools here.)


It's not an assertion. It's a fact. You need to be in control of the auth method or you can be controlled through it, plain and simple.

People that buy into systems they don't control are shooting themselves in the foot because, when push comes to shove, a for-profit company will always choose profit over individual choice. It's short-sighted to think otherwise.


Yeah that's great, I don't subscribe to that particular religion but respect your beliefs. I think most people are best served having their primary online identity be a Google account, for multiple reasons. I'm aware that a vocal contingent of technologists on HN find that take appalling, but I assure you, my take is a normie take, and also the modal take among security people.

Either way: Passkeys themselves don't require you to use Google, or any particular big tech firm. It's an open protocol.


"A dad took photos of his toddler for a doctor – Google flagged him as a criminal"

https://news.ycombinator.com/item?id=32538805

This was more than two years ago. Despite the title, many parents are victims of this. To this very day, Google continues to defame them and deny access to their accounts. Long after the police cleared these victims' names. Long after the NYT confronted Google about this.

So is this what "normies" should be subject to? A digital totalitarian hellscape in which a trillion dollar advertising giant rummages through people's digital lives, randomly takes away their entire digital identity every time their flawed cyber-oracle tells them to, and uses their vast corporate resources to harass and defame?

That's not a world I want to live in. I don't want anyone to be subject to that kind of tyranny. It's not about any "religious belief," but rather basic human decency.


You don't need to involve Google or Microsoft or Apple to use passkeys.

Your whole argument is a misunderstanding of how they work.


Are you responding to the right comment? My argument has nothing to do with how passkeys work. I was responding to this:

> Yeah that's great, I don't subscribe to that particular religion but respect your beliefs. I think most people are best served having their primary online identity be a Google account, for multiple reasons. I'm aware that a vocal contingent of technologists on HN find that take appalling, but I assure you, my take is a normie take, and also the modal take among security people.


Do you have an argument that would be persuasive for someone who does not find Richard Stallman rhetoric compelling? It's OK if you don't, but then there isn't much for us to talk about.


It's compelling to everyone who doesn't randomly want to lose access to all of their online accounts. Everyone who doesn't want the police turned on them when they haven't done anything wrong. Everyone who doesn't want to be wrongly labeled a criminal for the whole world to see. That's basically everyone. If you want these things to happen to you, just like they did to the parents in the NYT article, I guess you'll be the sole exception. But why?

Also, Richard Stallman? Where did that come from? This has nothing to do with free software at all. I'm also capable of drawing my own conclusions without someone else whispering in my ear, if that's what you're suggesting.


He's attempting to discredit you because your belief is strongly held. His comments about 'religious' beliefs are similar... trying to suggest you shouldn't be listened to because you're driven by irrationality.

It's not honest discussion.


> People that buy into systems they don't control are shooting themselves in the foot

I don't have any control how any site I didn't build actually handles my password.


Yeah I agree. I'm not interested in being locked into an ecosystem I don't control. I want my authentications to be reliably tied to my choices and actions. Not some system that has a for-profit motive to tie me into a system that does not work to my benefit.



