pendell

Current Hyperfixation: Wizard of Oz

  • He/Him

I use outdated technology just for fun, listen to crappy music, and watch a lot of horror movies. Expect posts about These Things. I talk a lot.

Check tags like Star Trek Archive and Media Piracy to find things I share for others.

I continue to reject every attempt by Google and anyone else to switch me over to "passkeys". Where would my "passkey" be stored? On my phone? On your servers? Both of those sound less secure. What happens if I lose the passkey somehow? Am I just fucked? Not great. How is signing in with a cryptographic key substantively any different to signing in with a key of my own creation? It's not.



in reply to @pendell's post:

if you want some answers:

  • it's public key cryptography, the private key is stored on your device. definitely not stored on their servers, which normal passwords are (and managing the storage of regular passwords is a common source of security problems)
  • public key cryptography is already the backbone of internet security on a connection level, this moves it up to a user level too
  • losing your passkey is the same as losing your password and up to the website, maybe it's a reset email, maybe it's a more involved process. just like passwords you might be fucked depending on the site (having passkeys on multiple devices can make this easier as well)
  • the biggest difference is that you don't have to remember a password! more technically minded people might not mind memorizing or using a password manager but the average user has a password that is both easy to brute force and easy to guess. for these users, passkeys are a massive security upgrade.
  • it's not perfect security, but in most cases it's better security and in the rest it has similar problems to passwords.

by all means keep using passwords if you're confident in your ability to generate them and your counterpart's ability to store them, i'm only slowly moving over myself. that said, i'm not hesitating to tell my friends and family who hate maintaining passwords to switch over

the one thing that's never made clear to me is like literally where is the key being stored? Is it a file I download? Does it go into some special siloed partition on my phone? Do I interact with that siloed passkey area through some app or settings menu? How would this work for PCs?

(please note i'm not an expert and partly just reading up for myself because your question got me interested) i use bitwarden to manage my passkeys, they go into my phone's trusted execution environment, which is a special siloed bit of hardware where my other cryptographic keys also live. depending on your phone, there are also even more secure bits of hardware that can manage this - i saw articles about how google pixel phones and samsung phones have some advanced security features around passkeys

for windows, they're stored in the trusted platform module, which is again specialized security hardware

for both - you will likely manage your passkeys through the app that generated them (password manager or browser). on windows you can also manage them directly through the os, but i'm less confident on mobile