I do think that we need more standard procedures around what a reset/authorize new device looks like in a passkey world. There's a lot about that process that just seems like it's up to the implementer. But I don't think that invalidates passkeys as a whole, and most people are going to have access to their mobile device for 2 factor no matter where they are.

Incidentally I have no idea who this is or whether his opinion should be lent more weight.

I just wish that companies enabling passkeys would still allow password+MFA. There are several sites that, when you enable passkeys, lock you out of MFA for devices that lack a biometric second factor of authentication. I'd love to use passkeys + biometrics otherwise, since I've often felt that the auth problem would be best solved with asymmetric cryptography.

EDIT: I meant to say "would still allow passkeys+MFA." hooray for sleep deprivation lol.

Yeah I didn't understand passkeys. I'm like why is my browser asking to store them? What if I'm using another browser? Why is my password manager fighting with my browser on where to store this passkey?

I felt so uneasy.

So I decided not to use passkeys for now until I understood what's going on.

I am very shitty on security (I would not write this reply on a post on the cybersecurity community), and I resisted MFA for several years as being too annoying having to login to mail/SMS. After finding open source apps supporting TOTP, I feel better about it and I manually do the syncing by just transferring the secrets between my devices offline.

Passkeys are another foreign thing that I think I will get used to eventually, but for now there are too many holes in support, too much vendor lock-in (which was my main distaste for MFA, I didn't want MS or Google Authenticator), and cumbersome (when email and SMS were the only options for MFA, difficulty of portability for passkeys).

All the major password managers store passkeys now. I have every passkey I’ve been able to make stored in Bitwarden, and they’re accessible on all my devices.

Article is behind the times, and this dude was wrong to “rip out” passkeys as an option.

Whenever I read an article about security (and read the comments, even here on Lemmy) I'm constantly frustrated and depressed by a couple of things.

1. Corporations making things shittier with the intention of locking customers in to their stupid proprietary ecosystem. And of course, they are always seeking more data harvesting. Security itself is way down the list of their priories, if it's even there at all.

2. Users being lazy trend-followers who quickly sacrifice their security on the altar of convenience and whatever shiny new FOMO thing is offered up for "better security".

It's a very bad combination. Doing security right is a bit inconvenient (which users hate) and expensive (which corporations hate).

His "just use email" like that isn't very obviously worse in every respect kind of undermines his whole premise.

I wish all sites using 2FA would just support hardware keys instead of authenticator apps. It's so much easier to login to a site by just plugging in my hardware key and tapping its button, than going to my authenticator app and typing over some code within a certain time.

It's even sinpler than email 2fa or sms 2fa or vendor app 2fa.

For authenticator app you also can't easily add more devices unless you share the database which is bad for security. For hardware security key you can just add the key as an additional 2fa, if the site allows it.

The problem with passkeys is that they're essentially a halfway house to a password manager, but tied to a specific platform in ways that aren't obvious to a user at all, and liable to easily leave them unable to access of their accounts.

Agreed, in its current state I wouldn‘t teach someone less technically inclined to solely rely on passkeys saved by the default platform if you plan on using different devices, it just leads to trouble.

If you're going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager

Using a password manager is still the solution. Pick one where your passkeys can be safed and most of the authors problems are solved.

The only thing that remains is how to log in if you are not on a device you own (and don’t have the password manager). The author mentions it: the QR code approach for cross device sign in. I don’t think it’s cumbersome, i think it’s actually a great and foolproof way to sign in. I have yet to find a website which implements it though (Edit: Might be my specific setup‘s fault).

Passkeys are only good if they aren't in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely makes this useless, as I'm sure anyone that can log into my accounts would've done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.

I thought passkeys were supposed to be a hardware device?

This is typical embrace/extend/extinguish behavior from the large platforms that don't want their web-SSO hegemony challenged because it would mean less data collection and less vendor lock-in.

The whole idea of passkeys provided by an online platform should have been ruled out by the specification. It completely defeats the purpose of passkeys which is that the user has everything they need to authenticate themself.