this post was submitted on 16 Oct 2024
270 points (86.3% liked)

Technology
[–] Boozilla@lemmy.world 12 points 1 month ago* (last edited 1 month ago) (1 children)

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

  1. Corporations making things shittier with the intention of locking customers into their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priorities, if it's even there at all.

  2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

[–] EncryptKeeper@lemmy.world -4 points 1 month ago* (last edited 1 month ago) (1 children)

You would be less constantly frustrated and depressed if you learned a little bit about security, instead of getting upset about imagined problems with technology you don’t understand.

[–] Boozilla@lemmy.world 3 points 1 month ago

I'm not against passkeys. They have some real advantages. And I understand more than you think.

My comment is primarily about the preferred ecosystems that tend to come along with these newer solutions (like Apple's iCloud or Google's Password Manager) and how the corporations take advantage of user laziness and bandwagon jumping.

They may not force you to be exclusive with them, but they definitely want you to be. And over time they will likely make it more and more inconvenient not to be locked in with them.

For contrast, I use BitWarden for password management and Bitwarden Authenticator for TOTP (and I keep safe copies of TOTP secret keys elsewhere). This is a generic open-standards-first approach to things, with relatively easy recovery should you lose something. You can export your passwords. You have copies of your secret keys. You are in no way locked in to BitWarden forever.

Passkeys can also work within that type of operational framework! Like TOTP which normally uses RFC6238, Passkeys tend to use CTAP or WebAuthn. All of the above are open standards. And this is a good thing!

But do you really think Apple, Google, Microsoft, etc., want to play nice long term? Hopefully they will. But I have also run into evil nonsense like LastPass, which, even though it also used open standards, would not allow you to do simple things like recover your own secret keys, export your data, etc. (Not to mention the embarrassing security breach they had and the wretched response, the main reasons to dump them.)

While I am not directly comparing an idiot company like GoTo Tech with Apple et al, they all have the same types of big brain MBA types working for them who love to constantly brainstorm new ideas on how to screw the users over by taking features away and calling it a "software upgrade".

So, passkeys as a security mechanism: sure, this gets my vote. But trusting the big corporations not to change the rules on us later... come on, get real. They love limiting or removing portability and recovery options whenever they can.

Bottom line: don't assume passkeys are inherently good or bad. It's simply a security standard that can work well if implemented correctly. Passkeys make logging in easier. But will they also make recovery / export / migration easier...? Because if it's not easy, people won't do it.