Ancestors

Toot

Written by Joe B on 2025-01-09 at 02:49

[#]passkeys : a fragile solution that nobody normal wants or understands to a problem everybody has.

Why would we put these things on inherently unreliable electronics? It's a big enough pain when your 2FA device dies or is lost. This would be worse.


Descendants

Written by tim on 2025-01-09 at 03:46

@joeblubaugh all my friends and family, 90% of whom are not tech-savvy, understand the problem and have embraced the solution...


Written by Royce Williams on 2025-01-09 at 04:29

@timcappalli

Not to speak for Joe, but part of his concern might be summarized as "Users may not understand -- because per-site UX often fails to convey, for complex reasons -- that users probably need a few passkeys per site to achieve resilience similar to what they expect from passwords -- and are going to instead find out the hard way." ?

@joeblubaugh


Written by tim on 2025-01-09 at 04:29

@tychotithonus @joeblubaugh the average user needs one passkey per account


Written by Royce Williams on 2025-01-09 at 04:34

@timcappalli

Ah, because of whichever synchronization framework they choose, they end up with more than one passkey on the "back end", across devices? Or does it work differently from that?

@joeblubaugh

Does that synchronization address some of your fragile-device concerns?


Written by tim on 2025-01-09 at 04:39

@tychotithonus @joeblubaugh the whole reason passkeys exist and were brought to market was to solve that problem.


Written by Royce Williams on 2025-01-09 at 05:43

@timcappalli

Ah, indeed. And yet this isn't the first user who's walked away from the passkey creation process having gotten the wrong impression. (Not that I have a strong idea of how to communicate this more effectively during onboarding!) Hmm.

@joeblubaugh


Written by tim on 2025-01-09 at 13:45

@tychotithonus @joeblubaugh it will take time. No technology is perfect out of the gate. Every quarter there are significant improvements.

I'd also add that the OP didn't actually describe any experience. They just made a rather generic statement without any examples or facts.


Written by canard164 on 2025-01-09 at 07:32

@joeblubaugh

Passkeys can be synced, so if a device dies or is lost, you can use your credentials from another device if they were synced before the loss.

For example, you can sync passkeys between a computer and a phone. If you lose one device, you can access your accounts from the other.


Written by bertrand 🏃 👨‍💻 🎸 on 2025-01-09 at 08:51

@joeblubaugh

Why would we put these things on inherently unreliable electronics?

Maybe because putting them in our inherently even more unreliable brains has proved to be a bad idea? 🙃

[#]Passkeys


Proxy Information
Original URL
gemini://mastogem.picasoft.net/thread/113796120110185366