“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
“Passkeys,” the secure authentication mechanism built to replace passwords, are getting more portable and easier for organizations to implement thanks to new initiatives the FIDO Alliance announced on Monday.
I still have no idea how to use passkeys. It doesn't seem obvious to the average user.
I tried adding a passkey to an account, and all it does is cause a Firefox notification that says "touch your security key to continue with [website URL]". It is not clear what to do next.
ITT: Incredibly non-technical people who don’t have the first clue how Passkeys work but are convinced they’re bad due to imaginary problems that were addressed in this very article.
The real problem is not passwords so much as trusted sources. Governments should have an email account that citizens have a right to and will not go away and have local offices to verify access issues.
I'll switch when it's fully implemented in open source and only I am the one with the private key. Until then its just more corporate blowjobs with extra steps.
I'm not convinced this is a good idea. Resident keys as the primary mechanism were already a big mistake, syncing keys between devices was questionable at best (the original concept, which hardware keys still have, is the key can never be extracted), and now you've got this. One of the great parts about security keys (the original ones!) is that you authenticate devices instead of having a single secret shared between every device. This just seems like going further away from that in trying to engineer themselves out of the corner they got themselves into with bullshit decisions.
Let me link this post again (written by the Kanidm developer). Passkeys: A Shattered Dream. I think it still holds up.
I always feel like an old granny when I read about passkeys because I've never used one, and I'm worried I'll just lock myself out of an account. I know I probably wouldn't, but new things are scary.
Are they normally used as a login option or do they completely replace MFA codes? I know how those work; I'm covered with that.
My password manager supports passkeys just fine, across Windows, macOS, Linux and iOS (and probably Android but I haven't tried). Surprisingly, iOS integrates with the password manager so it's usable just like their own solution and it works across the system (not just in the browser).
This seems to be more about finding a standard way to export/import between different password managers/platforms?
Whenever I read stuff like this, my mind goes a bit hazy. Because I'm just finding myself asking 'Why and when did the simple mechanic of passwords get this difficult?'
Maybe if password requirements weren't stingingly stupid, companies cared more about actual security and not an obstacle course they've gotta send people through to do one thing. We wouldn't ever know or need to know systems like this.