[flagged] Google is making their weak, flawed passkey system the default login method (vortex.com)
28 points by tambourine_man on Oct 10, 2023 | hide | past | favorite | 49 comments


This seems like just a rant from someone who doesn't provide any grounds, argumentation or information about supposed security flaw. What's the value of posting this?

It's even fundamentally misguided - passkeys behave the same as random passwords stored in a password manager (they're... pretty much the same without the copy/pasting). What's the flaw here?


I agree with you. The only thing I can find is that the author alludes to the fact passkey auth relies

"completely on device authentication security which for many users is extremely weak"

... but you need physical access to the device too. Plus, for most modern devices with TPM-like ICs, it's probably more secure than a PC with a password manager?


Pretty much all passkey-storing password managers ask for an extra password or biometrics when unlocking as well.


I can simply switch my password manager; import and export of passkeys isn't quite as easy, if even possible, with some password managers.


Can you switch the manager of your passkeys, for instance if you switch from Android to iOS or vice versa?

Last time I checked it wasn't possible, but that's 5 months ago.

And don't forget passwords are protected by the Fifth Amendment, biometrics aren't.


I am not sure whether this is true or not, but I feel the companies are moving away from web services toward smartphone apps, in the name of security. It's not going to be good for consumers, because these are closed ecosystems.


And yet almost everybody has one, whereas almost nobody has a yubikey.


> anyone who has authenticated access to your device (that includes the creep that watched you access your phone in that bar before he stole it) will have full and unrestricted access to your Google passkeys and accounts on the same basis.

shrugs

I understand that this lapses certain security boundaries, but if you get my phone unlocked then it's game-over anyways. Hell, same for pretty much everything I own, regardless of the software on it. If the device is unlocked, you have guaranteed access to pretty much everything that matters. For all I know, you could have copied down my notes app with my WiFi password in it and exfiltrated my entire camera roll. You have access to Google Authenticator, my email, my phone and pretty much 90% of the data I would have otherwise wanted to hide.

It's once again this XKCD converging on every modern security model imaginable: https://xkcd.com/1200/


Having my phone shouldn’t be game over. This mindset can be pushed too far.

In general "game over devices" tend to be a bad idea. I’ve seen people type in their passcodes. People may have seen me type in mine when FaceID gives me trouble on my iPad. I’m not at all comfortable with the idea that someone jacking my iPad will have root access to my life.


>> guaranteed access to pretty much everything that matters

> "game over devices" tend to be a bad idea

If you have something worth stealing, don't put it on your phone.

If you have $1000 in Robinhood or Coinbase along with passwords for TikTok and Instagram in your password manager, sure, put it all on your phone for convenience. It wouldn't be a catastrophe if they were stolen.

But if you have anything that's worth protecting, trade convenience for security. Keep banking, brokerage and crypto apps off the phone. Don't use your phone for password managers and 2FA.

Use a Chromebook with no extensions for sensitive stuff. It's less convenient, but there's no chance of life-changing theft if someone takes your phone at the club.


So we should stick to game over passwords, that don't even require device access, just a clever phishing email or hacking a weak website that has a copy of your password that, oops, you reused on 10 other websites?


Passwords aren’t game over though. Access from a different region usually triggers a verification email.

I don’t think we should stick with them, but there’s a difference between sticking with something and forcing everyone to use something else. Is it true that you won’t be able to use passwords at all in the new scheme? If so, this seems… risky.

Question. Suppose I have a passkey on my device. Obviously it gets synced to some sort of cloud, so that if I lose my device, I don’t lose my account. But does everyone who has access to any device get all my passkeys?

I hope not, but part of the blog post was to raise awareness. This is a nice reminder it’s time to look into passkeys deeply.


> If the device is unlocked, you have guaranteed access to pretty much everything that matters.

Some applications support requiring a login with either a dedicated PIN, password or biometrics upon each activity launch (e.g. Telegram, Signal). The only way for an attacker to breach that is to either scrape the phone for credential stuffing or to force me to unlock the app.

Unfortunately, at least for Telegram and Signal, neither supports a "duress PIN", and iPhones and Android don't either. Basically, a PIN code that when supplied to any app leads the device to lock itself down completely - force-close all applications immediately, wipe all encryption keys from RAM to prohibit a "freeze" attack, and shut down the device. Ideally it would also distribute a trigger to all other devices and services one owns so that these lock themselves down as well, and only let themselves unlock after being supplied with a dedicated password.


> Some applications support requiring a login with either a dedicated PIN, password or biometrics upon each activity launch (e.g. Telegram, Signal). The only way for an attacker to breach that is to either scrape the phone for credential stuffing or to force me to unlock the app.

And this is how applications storing passkeys behave (e.g. 1Password). Where's the security issue here?


> And this is how applications storing passkeys behave (e.g. 1Password). Where's the security issue here?

Most apps don't; an attacker can do a lot of damage as long as they manage to keep the phone from activating the screen lock.


We're talking about passkeys here, what attacker and what damage?


It's literally in the first Google result for "passkey", the Google documentation itself [1]:

> Important: When you create a passkey, you opt in to a passkey-first, password-less sign-in experience. Create passkeys only on personal devices that you control. Even if you sign out of your Google Account, once you create a passkey on a device, anyone who can unlock the device can sign back into your Google Account with the passkey.

[1] https://support.google.com/accounts/answer/13548313?hl=en


Most email apps and SMS apps don't, and those are the standard password reset and 2FA mechanisms.


Don't forget "backup codes" - where exactly are you supposed to store them, say, while traveling???

It would be great if backup codes were NOT usable except under <conditions> and/or use of a backup code permitted access only after <N day delay>.


This! If they pown your phone, they've got all your passwords that you've stored on it. Passwords, passkeys, it doesn't matter.

I hate all the resistance to even small improvements over passwords (like passkeys). The only question we should be asking is, "does this improve on passwords?" In this case, yes it does. With passkeys, it's only the person who powns your phone that gets to log into all your accounts. With passwords, it's the person that powns your phone, or gets your password through phishing, or hacks one of the many websites that also has a copy of your password. This is an improvement! Let's do it!


There is a counter-argument that passkeys are more complex for folks who are already pretty good with security, without really adding any value. It removes some control from people who know what they're doing. Google's track record on abandoning things doesn't help me feel more confident.


I don't understand that argument - passkeys behave exactly like password manager managed random passwords. Exactly the same - even same apps use them.

Surely that's the standard for security for "people who know what they're doing"?!


Have you tried switching your password manager for passkeys?

Maybe because you had an iPhone and your new phone is an Android, or you don't like the prices of 1Password etc.

At the moment you are stuck.


I don't trust my phone with my password store; they are in a password manager (some in Firefox, some in other software) on a laptop (and backed up to another encrypted machine).


Oh, they "only" need to get access to the phone which is already logged into a Google account, shows all the emails, personal photos, contacts, messages and everything else? Including personal notes?


Disagree. Accessing my phone will only get you so far. If you manage to crack my password manager then you'll have many, but not all, the keys to my kingdom. For instance, there are a lot of randomly generated passwords in there, but you won't have access to my disk encryption keys. Those are also different per machine.

Security will never be automated to be foolproof; there is a modicum of thought the user needs to put into their security profile.


your phone, but the complaint in the original article is about those who don't use great security practices, which is most of us. Passkeys limit the attack surface to just your phone. With passkeys, attackers can't get your password (that regular people reuse everywhere) from some weak website or from phishing and then use that to impersonate you. We must go to something like passkeys.


GP seemed to be talking about physical access.

How would passkeys stop them if they are in physical possession of the device and can unlock it? It doesn't seem passkeys protect you more here.


I was trying to acknowledge that. Passkeys, passwords, same result if someone has physical access to your phone. The improvement is that passwords don't require physical access to your phone; there are other ways to steal those, like phishing or hacking a website that has a copy of a password that you reused. Passkeys solve that problem.


That's fair; I just don't know that security will ever get to a point that's both easy for everyone and secure, but maybe I'm being a pessimist.


It will never get to that point completely, but we can definitely make strides towards it.


Passkeys make your phone the only target; without your phone you can't access anything, but with your phone you can access everything.


> You have access to Google Authenticator

FYI you can set a PIN on Google Authenticator so it can’t be opened without your PIN. This should be different than your Lock Screen PIN.

Sensitive information (Wi-Fi password etc.) should be stored in a password app such as 1Password etc.


Don't some (not all) of the underlying apps have protection too?

Even if my phone is unlocked I need to auth via Face ID to be able to open the Google Authenticator app, for example.

Wondering if I should look into whether more apps have this functionality...


At least on Apple devices, the passkey implementation requires re-authenticating using biometrics to use a passkey.

Even if the device is unlocked.


Strange, if you unlock my phone you still can't access my password manager.


The author does not seem to provide any proof or example of why passkeys are "weak" or "flawed". Does anyone have some references about that? Would love to know if it's the case.


Passkeys are not weak, passwords are weak. If someone compromises a server, they steal all the passwords. But with crypto keys they have nothing. To compromise a user, you have to target that user. You can only compromise one user at a time.


Aren't both weak with quantum computing just around the corner?


I’m currently evaluating if it is advisable to store Passkeys on a hardware key such as Yubikey, a password manager such as 1Password or on-device.


Any of those is an improvement over passwords.


What's wrong with passwords?


Passwords are shit, this is widely known. Password managers are a stopgap. I'm not sure whether Passkey is the solution. Maybe... I don't know enough about it.


You can’t enter a password on a phishing site if you don’t have a password.

That’s why we’re moving to a passwordless world.
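The two arguments above (a breached server holds nothing reusable, and a phishing site has no password to collect) as an added, constructed example that is not code from Google or any passkey vendor. It simulates the WebAuthn split: the authenticator keeps a P-256 private key and signs only for the site (RP ID) it registered with; the server stores only the public key and checks origin, challenge and signature. RP ID `accounts.example` and the challenge bytes are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// Authenticator (phone, security key or password manager) holds the private key and signs only for its RP ID. Constructed illustration.
type Authenticator struct{ rpID string; priv *ecdsa.PrivateKey }
// Credential is all the server stores: a public key. A breached database yields nothing reusable.
type Credential struct{ RPID string; Pub *ecdsa.PublicKey }

// Register creates the key pair; the private half never leaves the Authenticator.
func Register(rpID string) (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{rpID, priv}, Credential{rpID, &priv.PublicKey}, nil
}

// digest mirrors WebAuthn: the signature covers SHA-256(rpID) || SHA-256(clientDataJSON).
func digest(rpID string, clientData []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}

// Assert is what the browser requests; the browser (not the user) fills in the origin, so a lookalike site gets nothing.
func (a *Authenticator) Assert(origin string, challenge []byte) (clientData, sig []byte, err error) {
	if u, perr := url.Parse(origin); perr != nil || u.Hostname() != a.rpID {
		return nil, nil, fmt.Errorf("no passkey registered for %s", origin)
	}
	clientData, _ = json.Marshal(map[string]string{"origin": origin, "challenge": fmt.Sprintf("%x", challenge)})
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest(a.rpID, clientData))
	return clientData, sig, err
}

// Verify runs on the server: origin and challenge must match, then the signature must check out.
func Verify(c Credential, origin string, challenge, clientData, sig []byte) bool {
	var cd struct{ Origin, Challenge string }
	if json.Unmarshal(clientData, &cd) != nil || cd.Origin != origin || cd.Challenge != fmt.Sprintf("%x", challenge) {
		return false
	}
	return ecdsa.VerifyASN1(c.Pub, digest(c.RPID, clientData), sig)
}
```

A stolen Credential table lets an attacker verify assertions, not produce them, and a relayed assertion from another origin or an old challenge fails Verify.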


Phishing, password reuse on easily hackable websites, strong unguessable passwords require more work than most people will do, and they require storage on some device just like passkeys anyway.


Passwords can be weak, reused, stolen, or shared.


Try getting your whole family to use strong ones and you'll quickly find out what's wrong with them.


My family does use strong passwords and we rotate through 32-character Wi-Fi PWs every 3 months (in addition to changing the SSID name). We're big fans of 1Password.


12345678



