This piece on Passkeys is stellar, and shows what happens when Big Tech does its best to extinguish a good idea through "enthusiastic" adoption.
-
Passkey technology is elegant, but it’s most definitely not usable security
Just in time for holiday tech-support sessions, here’s what to know about passkeys.
Ars Technica (arstechnica.com)
-
serious business :donor: :heart_cyber: replied to funnymonkey
If I'm being honest, I still don't really get the idea behind passkeys. It's not clear to me what advantages they offer over a hardware token or authenticator app.
-
Ian Campbell replied to serious business :donor: :heart_cyber:
@ceresbzns platform capture, at the moment. And making IT/Support jobs tougher.
That's all I see.
-
serious business :donor: :heart_cyber: replied to Matthew Exon
@mat @lupus_blackfur @neurovagrant
It's recommended to keep two: one for daily use, one as a spare in a safe location as a backup.
-
Matthew Exon replied to serious business :donor: :heart_cyber:
@lupus_blackfur @neurovagrant @ceresbzns I see, still no solution then. The problem is that you're left with only one key, so you need to buy another spare and then register it on 500 different websites by hand. And that's completely impractical.
-
serious business :donor: :heart_cyber: replied to Matthew Exon
@mat @lupus_blackfur @neurovagrant
OK, what's your preferred solution?
-
Matthew Exon replied to serious business :donor: :heart_cyber:
@lupus_blackfur @neurovagrant @ceresbzns I actually have a question there.
Generate pair A_pub A_priv. Register A_pub on a website. You can log in to the website with A_priv. Generate pair B_pub B_priv. Use A_priv to sign CERT_a_b saying that B is authorised to act as A for all purposes. You can log in to the website with CERT_a_b + B_priv. Lose A_priv, it's gone forever. Generate pair C_pub C_priv. Use B_priv to sign CERT_b_c saying that C is authorised to act as B for all purposes. You can log in to the website with CERT_a_b + CERT_b_c + C_priv. No need to tell the website (any website) that you lost A.
My question is: what's that called? I'm no expert. I occasionally wonder if someone's implemented this, but I don't know what to google for.
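The scheme sketched in the post above is a chain of delegation certificates: the website stores only A_pub, and each later key carries a signature from the key before it. The Go program below is an added example, not code from the thread or from any passkey or FIDO implementation, and it makes assumptions the post does not spell out: Ed25519 for the key pairs, a random challenge from the site as the thing the current key signs at login, and short fixed prefixes ("delegate:", "login:") so a delegation certificate cannot be replayed as a login signature. It walks the post's A -> B -> C story and also shows the rejections the site must make (a certificate signed by a key A never delegated to, a chain with a missing link, a signature over the wrong challenge).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is CERT_issuer_subject from the post: the issuer's key vouches that
// Subject may act as the issuer "for all purposes". Sig is the issuer's
// signature over Subject.
type Cert struct {
	Subject ed25519.PublicKey
	Sig     []byte
}

// Assertion is what the client presents at login: the chain leading from the
// registered key to the current key, plus the current key's signature over
// the site's challenge.
type Assertion struct {
	Chain []Cert
	Sig   []byte
}

// Assumed domain-separation prefixes: a delegation certificate must never be
// accepted as a login signature, or the other way round.
func certMessage(subject ed25519.PublicKey) []byte {
	return append([]byte("delegate:"), subject...)
}

func loginMessage(challenge []byte) []byte {
	return append([]byte("login:"), challenge...)
}

// NewKey generates a fresh key pair (A, B, C in the post).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Delegate produces CERT_issuer_subject with the issuer's private key.
func Delegate(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey) Cert {
	return Cert{Subject: subject, Sig: ed25519.Sign(issuerPriv, certMessage(subject))}
}

// Answer signs the site's challenge with the current (leaf) key and attaches
// the chain that ties that key back to the registered one.
func Answer(chain []Cert, leafPriv ed25519.PrivateKey, challenge []byte) Assertion {
	return Assertion{Chain: chain, Sig: ed25519.Sign(leafPriv, loginMessage(challenge))}
}

// Verify is the website's side. It knows only the registered key (A_pub).
// Each certificate must be signed by the key before it, and the last key in
// the chain must have signed the challenge. An empty chain means the
// registered key signed the challenge itself.
func Verify(registered ed25519.PublicKey, challenge []byte, a Assertion) bool {
	current := registered
	for _, c := range a.Chain {
		if len(c.Subject) != ed25519.PublicKeySize {
			return false // ed25519.Verify panics on a malformed key; reject first
		}
		if !ed25519.Verify(current, certMessage(c.Subject), c.Sig) {
			return false
		}
		current = c.Subject
	}
	return ed25519.Verify(current, loginMessage(challenge), a.Sig)
}

func main() {
	aPub, aPriv := NewKey()
	bPub, bPriv := NewKey()
	cPub, cPriv := NewKey()

	// Register A_pub once. From here the site never hears about B or C.
	registered := aPub
	challenge := []byte("nonce-from-site-0001") // constructed sample challenge

	certAB := Delegate(aPriv, bPub) // CERT_a_b
	certBC := Delegate(bPriv, cPub) // CERT_b_c

	fmt.Println("A_priv alone:           ", Verify(registered, challenge, Answer(nil, aPriv, challenge)))
	fmt.Println("CERT_a_b + B_priv:      ", Verify(registered, challenge, Answer([]Cert{certAB}, bPriv, challenge)))
	fmt.Println("CERT_a_b+CERT_b_c+C_priv:", Verify(registered, challenge, Answer([]Cert{certAB, certBC}, cPriv, challenge)))

	// Cases the site must reject.
	_, xPriv := NewKey()
	forged := Delegate(xPriv, cPub) // signed by a key A never delegated to
	fmt.Println("forged link:            ", Verify(registered, challenge, Answer([]Cert{certAB, forged}, cPriv, challenge)))
	fmt.Println("missing link:           ", Verify(registered, challenge, Answer([]Cert{certBC}, cPriv, challenge)))
	fmt.Println("wrong challenge:        ", Verify(registered, []byte("other"), Answer([]Cert{certAB, certBC}, cPriv, challenge)))
}
```

Two points worth keeping in mind when reading it. First, the site learns nothing when A_priv is lost, which is exactly the convenience the post wants, but it also means nothing is revoked: anyone who later finds A_priv can still log in, or delegate to a key of their own, and the site cannot tell that chain from the legitimate one. The chain solves re-enrolment after a loss, not recovery from a compromise. Second, the verifier must check every link back to the registered key; accepting a chain that starts at B (the "missing link" case) would let any key holder claim any account.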