this post was submitted on 09 Apr 2024
503 points (92.7% liked)

Technology

59605 readers
3438 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
503
Big Tech passkey implementations are a trap | Proton (proton.me)
submitted 7 months ago by AnActOfCreation@programming.dev to c/technology@lemmy.world
221 comments fedilink hide all child comments
 
  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
you are viewing a single comment's thread
view the rest of the comments
[–] EncryptKeeper@lemmy.world 1 points 7 months ago

account is passkey locked, but I need to check my email from my friend's laptop. Would that require that I install passkey on their laptop

Yes but you would not want to do that. I can’t imagine a scenario where you could make it to your friends house without your phone, and also need to check your email so bad that you borrow their laptop, but in that case you would not be able to log in. Unless your passkey for that service is stored in your password manager, in which case you’d have to log in to that first.

Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?

There is no “Passkey account”, it’s not a service or an app. It’s a file stored either on your device or in your password manager.

what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

I already brought up that you have no “passkey account” to compromise, but if your passkey was somehow stolen, the only thing compromised would be the service that passkey is for.

A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?

You can get hardware devices to store passkeys on, yes.

What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

If it’s lost or stolen you’d want to make new passkeys yes. If you forgot it at home, you wouldn’t be able to log in if the hardware device was the only thing you had a passkey stored on.

I wonder how often you truly forget important every day articles at home, despite you needing to get connected to things at a moments notice. I don’t think I’ve forgotten my phone anywhere once in the last 15 years.

The thing is, all these scenarios you’re coming up with are no different for passkeys than they are for complex, unique, secure passwords. It sounds like your usual MO is being able to recall your password (In the case you’ve forgotten your phone and are in a borrowed device), which means your passwords likely aren’t secure, and you’re probably reusing them, which is more of a “single point of failure” than passkeys ever could be.

Honestly, my advice to you is before you even start considering passwords vs passkeys, you need to fix yourself up man. You need to get your shit together a lil bit.