You are viewing a single thread.
View all comments
19 points

The problem with PassKey is simply that they made it way more complicated.

Anyone who has worked with SSH keys knows how this should work, but instead companies like Google wanted to ensure they had control of the process so they proceeded to make it 50x more complicated and require a network connection. I mean, ok, but I’m not going to do that lmao.

permalink
report
reply
6 points

Private keys on an anonymous, untraceable smartcard. PIN or Matching-on-card fingerprint for the second factor Everything else can go directly into the garbage bin

permalink
report
parent
reply
4 points

Would love for you to describe exactly how it’s more complicated. From my perspective I click a single button and it’s set up. To log in I get a notification on my device, I click a button and I’m logged in.

permalink
report
parent
reply
2 points

they must have meant technically complicated, which is also meaningful in consumer technology.
like if it’s true that it requires an internet connection, that’s quite bad, partly because of yet another avenue for possible tracking, and what if the service you want to access is not on the internet, but the passkey doesn’t work without it still

permalink
report
parent
reply
5 points

Would love for you to describe exactly how it’s more complicated.

YOU JUST DID, below

From my perspective

neat.

I click a single button

… on your device tethered to a single app by a single vendor and their closed data store

and it’s set up.

… and tethered to prevent you from churning.

To log in I

… wait online to …

get a notification on my device,

… or send it again. Or again. Try again. Maybe mail it?

I click a button and I’m logged in.

Yeah. Just click (tap) a button (enter a code).

Using a big-brand MFA setup at one job that requires ‘one button’ and ‘get a notification’ and ‘click a button’, I know you’re glossing over the network issues HEAV-I-LY.

Now do it in airplane mode. Do it when the token organization is offline. Do it when there’s no power because the hurricane hit and there’s no cell, no data, no phones, and your DC is on its last hour of battery and you have to log in because the failover didn’t run.

Do it when your phone fell on its face in the rain into a puddle and it’s not nokia.

Do it when you either have cell service and 5% battery, or 100% battery from inside the DC and no cell service.

Do it when you’re tired, hungry, drunk, lost your glasses in the car accident.

The D in DR means DISASTER. Consider it.

permalink
report
parent
reply
7 points

For somebody complaining about making things complicated you certainly complicated the s*** out of a short post.

Storing your passkey in any of the shared password managers solves almost every problem you’ve listed.

With bitwarden and I have offline access to my passkey. I don’t know why the hell you’d need offline access to your pass key because they’re designed to protect online systems, But it could if I wanted it to.

With Bitwarden I can use my phone, or I can use my browser, or any one of four other browsers, or any other computer.

If I need to reset one of my pass keys I reset it in one place and it gets reset everywhere.

permalink
report
parent
reply
1 point

Would love for you to describe exactly how it’s more complicated.

“More” is relative, ofc, so YMMV on whether you agree with me or not on this.

But the problem with pass key is that it has all of the downsides of 2FA still – you need to use a mobile device such as a cell phone, that cell phone must be connected to the internet and you often can’t register a single account to multiple devices (as in, there’s only ever 1 device that has passkey authorization.)

This isn’t an issue with ssh keys, which is a superior design despite it not being native to the web browsing experience. SSH keys can be added or removed to an account for any number of devices as long as you have some kind of login access. You can generally use SSH keys on any device regardless of network connection. There’s no security flaws to SSH keys because the public key is all that is held by 3rd parties, and it’s up to the user in question to ensure they keep good control over their keys.

Keys can be assigned to a password and don’t require you to use biometrics as the only authentication system.

I feel like there’s probably more here, but all of this adds up to a more complicated experience IMO. But again, it’s all relative. If you only ever use password + 2fa, I will give them that it’s simpler than this (even though, from the backend side of things, it’s MUCH more complicated from what I hear.)

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 13K

    Posts

  • 567K

    Comments