I see the great history of educating users on security continuing as a website offers to save a "passkey" on my computer with no explanation of what a passkey is
-
I am a software developer with some understanding of security and cryptography and *I* have found passkeys hard to understand from existing available information
-
e.g. are biometrics an essential part of passkeys, and if so: A. that is really silly and B. how does this work when I am not using a phone
-
do they replace passwords, do they perform some auxiliary function, am I responsible for retaining them, what happens if they get lost, how do they work across devices
I am finding them absolutely impenetrable to understand which bodes poorly for them actually helping users
-
replacing passwords with biometrics is a terrible idea, sorry
-
ok now I've remembered the rest of how passkeys work and they're *really* stupid
-
you're replacing passwords with "the user has to retain a set of private keys or else they lose access to their accounts", which implies stealing a physical device with said keys gets you into the victim's accounts
-
I actually don't understand how you can look at the ux and security problems with passwords and conclude that making users retain a set of private keys, a concept that is completely opaque to most people, will help at all
-
given the opaque nature of the essential state, it requires a ux solution that boils down to "the user must retain a particular physical device, or access to a vault where the keys are stored, which is secured with a password"
-
my current password scheme: has no essential state, requires storing nothing, cannot be breached by stealing my phone, its keys can be written down on paper, I cannot be physically compelled to reveal any of it
passkeys+biometrics: the opposite of all these
-
passwords are very problematic but people do understand what they are and what is expected of them. asking the user to adopt passkeys without explaining their obligations if they want to retain account access is just offering to lock them out of their account
-
the really baffling thing about a lot of "security" design is that it doesn't account for the fact that it is an extremely common event to have one's phone stolen. my phone is the most vulnerable thing I own, stop tying my credentials to it
-