This is a most excellent place for technology news and articles.
I'm still annoyed that "OPAQUE" never seemed to catch on. Uses a username/password combo as normal, but never actually sends the password to the server, only a proof of knowledge. Even if the server is hacked and the DB leaked the attackers can't actually recover anything resembling a password from it, since the server simply never possesses it.
Passkeys are superior (No password at all), if only the UX around them was better.
I'm still mad SQRL never got off the ground. It was smartphone based initially, though they quickly made it work in browser. You had a private key that was 'you' and it generated unique user assertion certs per domain, and you completed the login flow by scanning a QR code with the app, which pinged a URL with the user assertion. It was really cool since it had the option of working alongside a password, or you could set it to only work with SQRL logins. No password or anything for the login, just pure math and key material.
But given it put all recovery on the user (if you didn't back up your shit, it's fine if you lose it), I can't say I'm that surprised.
Okay, so long as a passkey is something I can memorise. Otherwise, it's significantly worse than a regular password (assuming you use good passwords and don't reuse passwords etc).
It seems like they want to tie it to a physical computer (like the one in your pocket), which sucks big time. What happens if I don't have access to that computer at all times, or it breaks, or is lost?
I'm planning on getting rid of my smartphone for something that just does calls and texts for example, because I'm sick of how unhealthily reliant I, and everyone, have become on this thing, and I want to be more connected to the real world. What then?
My brain is the best place to store passkeys, it can't be hacked, stolen, lost, etc, unlike every other option. It's easily capable of storing lots of randomised unique passwords for each service (surely I'm not the only one that can do this?). It's the clear winner.
Passkeys are cool but you still need 2fa. Which may as well be a passkey itself.
One factor is not great even if it's a passkey.
- Built-In Two-Factor Security – Passkey logins use your private key stored on your device and your face or your fingerprint or your PIN. Unlike password, these cannot be easily replicated by a scammer.
I like passkeys but ONLY as the second factor. Using them as the primary makes no sense in majority of cases.
I've been mostly too lazy to look into how to use passkeys. If my normal flow is using 1password for 2fa (on mobile and on the computer), is there a way I can still use that with passkeys? It says they're supported but I'm not sure how that'd work, because aren't they device specific?
I just don't want me losing access to my phone for whatever reason mean that I lose access to my accounts.
Hardly anyone supports it: https://www.passkeys.io/who-supports-passkeys
So to use it I will have to log in with my google/microsoft account everywhere? Thanks but no thanks.
I've used it with many sites not on that list. Including this one. It's not comprehensive.
No, you do not need Microsoft/Google account.
My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.
That doesn't sound like a TOTP vs passkey situation though. It sounds like the program just releases the passkey when you give it the fingerprint. There wouldn't be anything stopping the program from generating a OTP and passing that along when you identify with the fingerprint.
I think a big issue is how difficult it can seem to be to get easy access to TOTP codes, like in your example digging up your phone. But that's more of a browser/operating system failure for not implementing a way to generate those codes like they can already store usernames and passwords.
