You are viewing a single thread.
View all comments View context
3 points

it can be compromised in a breach

Sure, and then that one password is compromised. Password managers make it trivial to use unique passwords for every service, so if a service is breached, you’re basically as screwed with passwords as passkeys.

The switching cost here is high, and the security benefits are marginal in practice IMO. I’m not against passkeys, but it should be something password managers handle, and I don’t have a strong preference between TOTP baked into your PW manager and passkeys.

permalink
report
parent
reply
8 points
*

Sure, and then that one password is compromised.

Which means that entire service you used that password to login to is compromised. If you were using passkeys however, you would have nothing compromised.

so if a service is breached, you’re basically as screwed with passwords as passkeys.

No… with a passkey you would be not screwed at all. You’d be entirely unaffected.

the security benefits are marginal in practice

I mean in your own example that’s a reduction of 100%. That’s kind of a huge difference.

permalink
report
parent
reply
-3 points

that entire service you used that password to login to is compromised

If the password is compromised, it means the service is compromised and the password isn’t really protecting anything anymore. So to me, there’s no functional difference between passwords and passkeys once a service is compromised, the data is already leaked. If I’m using proper MFA, there’s no rush to reset my PW unless the service has a stupid “backdoor” that can just bypass MFA entirely, in which case passkeys wouldn’t help either (attackers would just use the backdoor).

The main value of passkeys, AFAICT, is that they’re immune to phishing attacks. Other than that, they’re equivalent to TOTP + random password, so a password manager that supports both provides nearly equivalent security to a passkey (assuming the service follows standards like storing salted hashes). And honestly, if you use a solid form of TOTP (i.e. an app, not text or email), password security isn’t nearly as critical since you can make up for it by improving the TOTP vault security.

I honestly haven’t bothered setting up passkeys anywhere, because I don’t see any real security benefit. If a service provides passkeys, it probably already supported decent MFA and random passwords. The services that should upgrade won’t, because they’ve already shown they don’t care about security by not providing decent MFA options.

In short:

  • passkeys > passwords
  • passkeys == random passwords + TOTP

The venn diagram of companies that support passkeys and companies that supported/support random passwords + TOTP is essentially a circle, with the former enclosed in the latter. So I don’t really see any rush to “upgrade.”

permalink
report
parent
reply
6 points
*

Not even close. To be honest you’re operating on so many incorrect assumptions and have such a lack of general knowledge of common attack surfaces or even the average scope of modern breaches, that digging you out of this hole would take so much more than what I can fit in a single comment.

So

If the password is compromised, it means the service is compromised and the password isn’t really protecting anything anymore

No… just no. That isn’t how it works. In reality, what commonly happens is metadata around the service is what’s targeted and compromised. So your password, email, and other data like that are what’s stolen. Maybe in plain text, maybe something hashed that a malicious actor can brute force offline without you knowing. If you’re someone using a password in this situation, your password is then used to access your account, and that actor can do any number of things while masquerading as you, potentially entirely undetected. If you’re using a passkey on the other hand, this isn’t even something you need to worry about. They cannot get access to your passkey because the service doesn’t even have it. You are entirely immune. That is something that no amount of Passwords or bolt-ons will fix.

This is the main value of passkeys, they are not shared secrets. Not only is that a huge difference, it’s the single largest paradigm shift possible. The secondary value of passkeys is that they are immune to phishing. This is also huge, as phishing is hands down the most successful way to break into someone’s account, and happens to even the most security conscious people. If a cybersecurity researchers who write books on the topic can be phished, so too can a layman such as yourself. Hand waving away a phishing immune authentication system is unhinged behavior. And it goes to show you’re not even coming from a place of curiosity or even ignorance, but likely misinformation.

In short:

  • Passkeys > Passwords
  • Passkeys > Random Passwords + TOTP.
permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 13K

    Posts

  • 567K

    Comments