iCloud Keychain users: Where do you put non-logins?
I’ve been jumping between password managers for a bit and I feel like sooner or later I’ll end up with iCloud Keychain, but currently I’m still sticking with something else because it only supports logins (website, username, password has to always be there).
For people already using it, where do you put your non-password stuff? PIN codes, software licenses, memberships, etc.
I've been sticking with others for this exact reason. I wish I had a better answer for you but I'm stuck on 3rd parties until the Keychain is more flexible.
I’d like to know where you came to the conclusion that something you know is better than something you have. Passkeys are way less likely to be phished, nearly impossible. The only thing stored externally is a public key. Those are useless without the private key on your device. FIDO2 is an open standard (like HTML and SQL) and there are open source servers.
If a website has a data breach, they can’t log into your account because they don’t have your private key. Security professionals recommend a combination of something you know, something you have, and something you are.
Passkeys are not stored on some third party website, they are physically in your possession. Passkeys do not need to be biometric. I have a physical USB passkey. Apple already has your face or fingerprint if you use biometric login anyway if you’re worried about using a phone as a passkey. I’m not sure where the claim that they are singularly protected by large corporations comes from.
Passwords are also inherently insecure by nature. In so many ways. That’s why MFA exists in the first place.
In this case it would be something you have and something you are if we are talking about phones as passkeys. Which is an acceptable combination of the above. And I want to point out again that passkeys are not inherently biometric. I, in fact, possess a non-biometric passkey.
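An added example, not part of the thread and not any poster's code: a simplified sketch of the public-key challenge-response idea the comment above describes, where the site stores only a public key and the signed response is bound to the origin the user is actually visiting. It uses Node's built-in crypto with Ed25519; the function names, the `.example` origins and the flat client-data layout are assumptions for illustration and are much simpler than real WebAuthn/FIDO2.

```javascript
const nodeCrypto = require('node:crypto');

// Authenticator (phone or USB key): the private key is created and kept here.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ed25519'); // { publicKey, privateKey }
}

// The client records the origin actually being visited; the authenticator
// signs that origin together with the server's one-time challenge.
function signAssertion(privateKey, challenge, visitedOrigin) {
  const clientData = Buffer.from(JSON.stringify({
    challenge: challenge.toString('base64url'),
    origin: visitedOrigin,
  }));
  return { clientData, signature: nodeCrypto.sign(null, clientData, privateKey) };
}

// Relying party: holds only the public key registered for the account.
function verifyAssertion(storedPublicKey, expectedOrigin, challenge, assertion) {
  const { clientData, signature } = assertion;
  if (!nodeCrypto.verify(null, clientData, storedPublicKey, signature)) return 'bad-signature';
  const data = JSON.parse(clientData.toString());
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  if (data.challenge !== challenge.toString('base64url')) return 'stale-challenge';
  return 'ok';
}

function demo() {
  const origin = 'https://bank.example';          // constructed sample origin
  const phishOrigin = 'https://bank-login.example'; // constructed look-alike
  const user = createPasskey();
  const serverDb = { alice: user.publicKey };      // all a server breach exposes
  const challenge = nodeCrypto.randomBytes(32);
  const check = (c, a) => verifyAssertion(serverDb.alice, origin, c, a);

  // Normal sign-in on the real site.
  const legit = check(challenge, signAssertion(user.privateKey, challenge, origin));
  // Look-alike page relays the real challenge, but the signed origin is its own.
  const phished = check(challenge, signAssertion(user.privateKey, challenge, phishOrigin));
  // An old assertion presented against a fresh challenge.
  const replayed = check(nodeCrypto.randomBytes(32),
    signAssertion(user.privateKey, challenge, origin));
  // Someone who knows only the stored public key has to sign with another key.
  const other = createPasskey();
  const forged = check(challenge, signAssertion(other.privateKey, challenge, origin));
  return { legit, phished, replayed, forged };
}
```

Calling `demo()` returns the verifier's verdict for each of the four cases; only the sign-in on the real origin with the registered key is accepted.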
Just quickly, let me ask you of what or to whom PassKeys benefit besides you if phishing isn't a "real" threat in all practicality? Why would you give up your control over your information because some old or technically inept sucker might get scammed. That's awfully civic-minded of you, I commend your tender-heartedness.
A password is a product of your mind for the most part while the genius of PassKeys ultimately in terms of accessibility is that all of that can be overridden because it's in some sense authenticated as a product of your body or biometrics. Your fingerprints and face are not really "yours" in the sense that only you can make use of them to help "Trusted Partners" sign in and have any latitude to refuse.
See any issues or do you mind if I breathalyze you real quick and unsolicited-like? Just kidding, don't care if you consent or not. PassKeys similarly and basically opts you in, bro. The flesh is weak.
Passwords are more difficult. They don't really opt you in to shit per se. At the end of the day, if there's not a post-it laying around and it's sufficiently complex+implemented and you respectfully decline to share it, that's sort of the end of the matter.
Phishing is a huge problem. Over 80% of companies experience phishing attacks yearly. 40% of all US data breaches are a direct result of phishing. This means the data you have provided these companies (sometimes whether you want to or not). Almost every healthcare provider has been phished in the last 3 years. That’s a lot of important data on me.
I have no idea what you’re talking about with giving up my data. Passkeys don’t give up any data. Passwords are easily guessed and stolen. It’s even easier since the requirements on websites make it easier to predict. I do care about technologically uninformed people. They work at the companies that have my data. And also I care about people in general. Because we are all people and should not be so hateful of each other.
Again, it’s not trusted partners. There is a private and public key. You are the only one with the private key unless you choose to give it away. Hey that’s the same as passwords! You remember every single complex password for every single website and login?
And there’s no need for the snark and insulting implications. Do you work in the industry out of curiosity? Idk why you’re acting like I’m some ignorant and uninformed person.
My bad dude. Yeah, was wayyy outta line. Sorry. But my point was that PassKeys seem to depend on biometrics to authenticate/"use" and biometrics are not technically protected to the extent you can be forced to "produce" them in a way that is distinct from the protection passwords can theoretically provide.
I suppose as long as you use alphanumeric for your main passcode, it's not such a problem to use PassKeys but what I said above seems to be true although there may be a gap here or there overall in my understanding of them.
Do PassKeys replace the actual passcode for the device or is that more for online accounts and websites? I haven't found that spelled out specifically anywhere?
I assume you’re talking about the entire "shouldersurf PIN, steal phone" storyline? That’s also something I’m considering. But there’s a few things that seem a lot nicer with keychain. Autofill on iOS 17 only works with keychain (maybe my PM is just not yet supporting it), no subscription price etc. Also the Chrome extension (which my PM also doesn’t have, I’m using Minimalist btw).