this post was submitted on 29 May 2026
41 points (100.0% liked)


Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I've been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn't think much of it, scans their fingerprint, a passkey gets created automatically.

Well, I fell for their trick. I've been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldn't find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called "Skip password when possible", which is clearly what has been causing the non-stop passkey prompts. It's on by default. It's a shame I'm only aware of it now that it's too late.

Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client's private keys that it can use to authenticate but can't derive the private keys back from because of complicated math I didn't spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can't bring myself to trust Google with E2EE.

What do you people think?

top 34 comments
[–] dropdrip@lemmy.ml 1 points 2 hours ago* (last edited 2 hours ago)

From what you've written you've conflated separate things. Passkeys are not related to biometrics. Google wants your biometrics. Full stop. Google is a surveillance mega-corp. Full stop. Why are you still using Google? Or Microsoft, which you clearly are uncomfortable with? That's rhetorical. Don't answer that. No one's interested in your pissing and moaning for why you can't leave this abusive relationship. Passkeys say nothing about biometrics. They're unrelated.

The surveillance corps' implementation of passkeys will always be in their interest. Hardware passkeys are superior to device-locked passkeys that are stored in a TPM. Such schemes are nothing but vendor lock-ins. Oh, I don't want to buy a new phone; all my logins are stored on this phone. It's too much hassle. I can't leave Google's Android, it contains all my credentials securely. Hardware passkeys have no such friction. I can use them on any hardware.

The surveillance corps' software implementation is dodgy too. They've opted not to use some of the spec, which objectively weakens security. They'll claim it's for user-ease and whatever else they want to spout. The ease of silently using passkeys to access data they shouldn't, or to migrate the user's passkeys to their new Google android phone--only Google android can migrate you to a new Google android device. You need Google android. Hit me harder daddy.

I mean, really, what are you trying to ask? You clearly don't trust these surveillance-companies. Passkeys are a good. Just like cryptography is just maths. There's no issue with the maths or passkeys. The issue lies in these mega-surveillance-corps that parasitically extract value from your computers--whether that's a desktop, laptop, server, smartphone or some other mobile-computer. You pay for the hardware, electricity, data-connection and you labour on them and these corps take everything from you. That's why Alphabet, Facebook and whatever other shit software-company has valuations in the billions or trillions.

Security is something they want. They want to be the sole holder of your information. They want a market monopoly. Strong cryptography helps them do that. Much like how a serial rapist and the police both like steel bars: one to keep their victims locked up in, the other to keep their victims locked up in too... huh... point is everyone likes strong cryptography.

[–] monovergent@lemmy.ml 2 points 7 hours ago* (last edited 7 hours ago)

As much as I trust them with passwords. Which is not too much trust. Implementations of passkeys also tend to be frustratingly bad.

[–] lemming@sh.itjust.works 2 points 9 hours ago (1 children)

I know very little about passkeys and would like to make use of this question to ask my own. How does backing the passkeys up work? Can I just keep a backup somewhere like with a password manager database? Can I use it anywhere, even if I want to use it one time on a friend's device, for example? If it's tied to a device, what if I lose it? What other practical advantages and disadvantages are there?

I know these are probably naive and simple questions and I could find the answers myself, but I remember when I was trying to find similar things out about authenticators. I didn't want to use them until I learned how to make backups, use it on different devices, including those that are not mine etc. It took quite some time (of not that active looking, but still), most easily-found sources tend to not offer alternatives, especially when most people just use Google, Microsoft or Apple. I would very much appreciate some basic guidance from someone who has experience. I could probably ask AI, but honestly, I probably trust a kind internet stranger more.

[–] dessalines@lemmy.ml 1 points 5 hours ago

Yes you can use your own password manager to store the passkeys. Like keepassxc on android. Then all your devices can use it.

[–] utopiah@lemmy.ml 2 points 23 hours ago (1 children)

Yes precisely because I don't rely on Microsoft or Google to handle that.

I have my own physical keys. I started like most with YubiKey, including a YubiKey Bio, then learned about NitroKey https://www.nitrokey.com/ thanks to NLNet https://nlnet.nl/project/Nitrokey-3/ so now I have a passkey that I could verify https://certification.oshwa.org/list.html?q=nitrokey as they are certified and audited https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit

That being said... IMHO your doubt raises an interesting question, why? Why do you NOT trust them? Do you imagine they have your data? Do you think an interactive explanation where one exchanges data would help to understand why no trust is required or maybe better, where it matters?

[–] dropdrip@lemmy.ml 1 points 2 hours ago

I'm also in favor of hardware passkeys & 2FA. They help alleviate vendor lock-in and are more secure.

Usually only YubiKey is mentioned. I do prefer NitroKey's aims of transparency. If other users know of other vendors please list them.

[–] voxel@feddit.uk 39 points 1 day ago (3 children)

Passkeys themselves are a very good security measure, better than Password + 2FA via TOTP apps.

But having your passkey tied to a specific device on a specific OS is not good; you should try to avoid those and instead use a hardware key with passkey support or a password manager.

[–] 73QjabParc34Vebq@piefed.blahaj.zone 9 points 1 day ago (1 children)

Giving websites control over (or even knowledge of) which client the user is using is a very bad part of the spec. There have already been threats to an Open Source password manager to "be blocked by relying parties".

We can all imagine a future where each website pushes you to their individual, proprietary app for verification. We live in a world of enshittification. Passkeys can, and probably will, be used for vendor lock-in.

[–] voxel@feddit.uk -2 points 19 hours ago* (last edited 17 hours ago) (1 children)

It will happen if nobody does something about it. And doomsayers like you only contribute to it; it's a self-fulfilling prophecy.

Edit: Ever heard of spoofing? Brave does it to circumvent blocks.

[–] vapor_body@lemmy.ml 1 points 17 hours ago (1 children)

I don't think lawyers are scouring forum comments to go "see! the doomers have lowered their expectations!" before going ahead with destroying the fabric of reality

[–] voxel@feddit.uk 1 points 17 hours ago* (last edited 17 hours ago) (1 children)

Your perception of reality seems very limited and partially falsified.

It is also unrelated to my statement.

Take a look at, for example, European legislation.

[–] vapor_body@lemmy.ml 1 points 17 hours ago (1 children)

Do you have an example of European legislation citing Reddit comments?

[–] voxel@feddit.uk 0 points 17 hours ago (1 children)

It is also unrelated to my statement.

[–] vapor_body@lemmy.ml 1 points 17 hours ago

You seem obtuse

[–] eldavi@lemmy.ml 6 points 1 day ago

an untrustworthy provider like Google, Microsoft, or Apple is not a good idea

amen. lol

[–] unitedwithme@lemmy.today 7 points 1 day ago* (last edited 1 day ago) (4 children)

How is passkey better than PW + MFA? Serious question. Everywhere I read online tells me "it's better" but doesn't get into the nitty gritty. Also, I don't use biometrics or face scans on any device.

Edit: I should add, doesn't this make online less anonymous/private? Once a site or browser is uniquely identified, couldn't that be used for better fingerprinting across other sites, hindering anonymity? I feel like data is still going to be extracted or gathered.

[–] dessalines@lemmy.ml 1 points 5 hours ago

Too many people (I'd guess over 90% of internet users) don't know about, or use, password managers, so their default is to use the same easy-to-remember password for everything.

Also webauthn only lets the server see the public key, so servers can't get away with storing unhashed passwords in their db.

[–] kevincox@lemmy.ml 12 points 1 day ago

There are a few main benefits.

  1. For hardware-backed keys they can't be stolen aside from physically stealing the hardware. So unless your machine has malware there is no way for an attacker to authenticate using them.
  2. Even for software keys the site you authenticate to doesn't learn enough to impersonate you. For example if for some reason your bank leaked some logs with PW + MFA someone could use that to log in as you (although admittedly short timeouts on MFA validity makes that window very small).
  3. The browser ensures that you only authenticate to the correct domain. So it prevents phishing. (Although a password manager that only fills into the correct domain also accomplishes this.)

So I think if you are using unique passwords with an automated password manager the effective benefit is quite small. However for the "average computer user" who likely has less than 5 passwords that they use for everything it forces a pretty high base level of security.

[–] psycotica0@lemmy.ca 4 points 1 day ago (1 children)

These answers will be theoretical, because it's possible some browser or system will do things stupid and negate these positives:

It shouldn't make things less anonymous, because different websites get unique passkeys made for them. This also makes them more secure, because if one site has a complete DB leak, that doesn't impact other sites at all.

Also, the passkeys are used for auth, so there's already no "anonymity" here, you're logging into a website. They know who you are, at least which user you are, maybe not which human, which is as true as it was before with passwords.

Also they should require your device to ask you if you want to use the passkey, they're not supposed to be automatically leaking to every site you visit without your knowledge.

Also, they are not stored via cookies. Unless you mean the login session, in which case that part is stored via cookies, but just the same way that a password login gets a session key via a cookie to use after you've logged in. So if someone can steal your cookies that's already a huge problem, but they don't get any extra information with passkeys. The actual secret material for a passkey is stored outside of the browser entirely.

The biometrics aren't supposed to leave the device, they're prompted for by the hardware on the device asking if you'd like to allow the keys to be used. The browser asks the passkey hardware "I'd like to sign this thing please" and then the hardware pops up the biometric thing as part of its decision making process on whether it should do that or not. Crucially this is not the website asking for biometrics, it's your device. And if you unlock it, then it chooses to sign what it was asked to sign, and all the browser gets back is the signature.

In theory.

[–] unitedwithme@lemmy.today 1 points 1 day ago

Thank you for the more detailed explanation of use and practice. That does help! Gives a little more peace of mind too.

[–] manualoverride@lemmy.world 4 points 1 day ago (1 children)

Had this a few weeks ago, my partner had her email hacked, she used the same password on a service that was hacked and email/passwords stolen. They first used a ‘forgot password’ on her phone operator account, reported the SIM as lost/stolen and registered her number to a new SIM. Then they could change the passwords on anything they liked as they had her phone number and got the 2FA calls and SMS. They then went through accounts downloading apps and setting up or re-registering MFA once the passwords were changed.

[–] unitedwithme@lemmy.today 0 points 1 day ago (1 children)

Gotcha. OK so maybe a little less applicable to some more than others.

I already use mostly unique passwords (like a random root word(s) with varying numbers and special characters mixed in) for accounts, and only have my mfa app allowed, not email or SMS. My PW & MFA apps have unique PINs. I also have multiple email aliases for those varying accounts and rotate through after they're sold every so often. Helps cut down on spam A LOT vs manually unsubscribing. Retail sites are especially guilty of selling info IMO.

Mine might be slightly overkill, and maybe less necessary with passkeys, but I'll wait until there are good self-hosted apps for that.

[–] manualoverride@lemmy.world 0 points 1 day ago (1 children)

Yeah you are going far beyond most people, but passkeys will be a major step up for the majority of the population who still use the same or similar passwords for everything.

[–] unitedwithme@lemmy.today 2 points 1 day ago

OK, thank you.

[–] BakedCatboy@lemmy.ml 11 points 1 day ago

I don't, which is why I use my selfhosted vaultwarden instance to store mine. I refuse to add passkeys to any service if they don't properly invoke the standard passkey prompt in a way that's compatible with bitwarden, otherwise I love passkeys and use them everywhere possible as long as I have complete control over them.

[–] manxu@piefed.social 6 points 1 day ago

I think the thought process from the site's perspective is simple: most of the attempts to hack into an account come from devices they have never seen, from places the user has never been. All a passkey does is tie your account to a "logical place," a device (whether a browser, a phone, or a specific hardware key).

The passkey itself doesn't tell the server anything it doesn't know already, it just confirms it, so there really isn't a whole lot of privacy implication beyond general concerns.

The big problem, and it's a more universal problem, comes when you are trying to log in from a device that has no passkey. Maybe you forgot your phone, or you bought a new computer, or something else. The "forgot password" flow, and the related "I am on a new device" flow are some of the weakest spots for computer security, because they presume that something happened that automatically lowers security credentials.

What I like about one-time codes like GAuth is that you can transfer the keys from device to device yourself. You are very rarely going to be in a position where you can't access the keys, and as a result it's fine to put you through extraordinary measures to reset your security. The issue with passkeys is that it's pretty common that you'll be using a new device, and as such you can't be forced to go through hoops every time you need to register a new one.

[–] nate3d@lemmy.world 7 points 1 day ago* (last edited 1 day ago)

I think your problem is more to do with how shitty google is anymore, more than the technology of passkeys. From a cryptography perspective passkeys are much more secure than simple username/password authentication as there’s no effective way to brute force or acquire through tools like key-loggers. Like another commenter said, start looking at self hosting your own services like Vaultwarden or the like and de-Google first and foremost. One other massive benefit with passkeys is the fact that they are cryptographically unique so even if an attacker acquires one, it’s only able to be used to access a single site/account.

[–] umbrella@lemmy.ml 3 points 1 day ago* (last edited 1 day ago)

don't mention it. back when this was new, i told everyone this was gonna happen and got downvoted and laughed at.

who is laughing now? well not me because it sucks anyway.

[–] shortwavesurfer@lemmy.zip 3 points 1 day ago (1 children)

I have recently started using passkeys, but only because my keepass password manager supports them. Since the database is local to my device, I'm okay with it. I definitely wouldn't be using any kind of cloud thing for those though.

[–] dessalines@lemmy.ml 1 points 5 hours ago

Same. They seem great for local apps like keepass, but it could potentially be as dangerous as passwords if using a provider like google.

[–] LadyMeow@lemmy.blahaj.zone 2 points 1 day ago

Because of how passkeys work, they are better by default. The site you are logging into doesn’t get any secrets to keep, the passkey identifies you and the control of it is on your side.

Where you are correct is that if the company has ‘I forgot my passkey please email me’ that makes the security no better than email, which is a shame.

The issue of storage of passkeys is also one to consider, like another comment said, pick something like Bitwarden to store them, not something vendor specific like Apple or Google.

[–] galoisghost@aussie.zone 2 points 1 day ago

I bought a nitrokey because of this trend. Though I haven’t started using it yet. Just gotta get my head around it.

[–] normonator@lemmy.ml -1 points 1 day ago

In theory yes, but in practice no. Most companies have implemented them in the dumbest ways and have not used them to increase security. They can pretty much all be worked around with your phone number or email. It should also be a choice not trying to trick users into using it.

Amazon can fuck right off with their prompt to save on every single login. Microsoft will still try to save passkeys even when you turn it off in windows, so you can use a password manager. They are just creating a fucking mess.

Password + Passkey as 2fa would be nice.

[–] Steve@communick.news -2 points 1 day ago* (last edited 1 day ago)

Do you people trust companies with passkeys?

Not sure what you mean. Passkeys are vastly better than passwords. Who are you giving your passkeys to, that you're worried about trusting them? Do you mean trusting they'll work, and you won't be locked out of your account?