For World Password Day this year, check if your accounts have the option to eliminate passwords altogether 😉

Fellow @privacyguides team member Fria covers how Passkeys are the password replacement we've been waiting for:

privacyguides.org/articles/202

@jonah @privacyguides Oooof, ooof, ooof, this is really irresponsible.

This article only mentions the cons of passwords and only mentions the pros of passkeys.

Most passkey solutions are completely non-portable, proprietary, locked to a single device, and have no backup. So if you lose your device, you lose everything.

I don't think we should be advocating for a passkey usage until there's a coherent story about what happens when you lose your device.

@jonah @privacyguides Sorry, maybe that was too harsh, but I really think the article should be amended to... Place an explicit bold red warning about the risk of loss at the top of the passkey section.

I know that it does mention that it's possible to sync them and it's possible to have multiple passkeys, but... It doesn't show how, and it doesn't mention that that's not the default.

@forestjohnson I'm unfamiliar with passkey implementations that operate in this way by default (besides hardware YubiKeys) 👀


@jonah well for starters if you register on a site on your phone, opt for a passkey, and then lose your phone, you lose the account access.

It takes another system like strictly disciplined redundant device use or more realistically, a password manager, to be able to keep the passkey across device loss.

Note I'm not including Google's or Apple's own password managers in this, IMO they don't count because

1. It can be taken away from you; you use it at the pleasure of the company.

2. They don't allow export AFAIK.


@jonah mostly my complaint is with the way the mainstream passkey UIs hide what's happening from the user and take a "we know better than you" approach; there's no affordance for backup.

IMO it's similar to how TOTP 2FA started. Then 2-3 years later, after everyone started losing access to their accounts en masse and complaining loudly, 2FA backup codes became the norm.

Same will happen with passkeys IMO. I'll wait.

@jonah to be fair the "lose phone = lose account" problem also happens with passwords, because of the issues with passwords outlined in the article: people choose passwords that are hard to remember, and then don't write them down.

I just don't like how with passkeys, there was an explicit design decision by Apple and Google to _prevent_ someone from writing them down or copying them.

So maybe my complaint is only valid for a specific kind of person who wants to have their own copy of their credentials... But IMO if you don't have your own copy, do you really have it at all?

I tend to lean heavily into the A and I parts of the CIA triad because in my experience that's where 90% of losses and issues occur for average computer users, while at the same time I believe the public consciousness has a bit of a blind spot around it, and usually blames the victim when loss does occur. "You should have backed up", "you should have used vaultwarden", etc.
