Comments
nicuramar t1_izrud3p wrote
Well, if you want cross platform sync, you’d best use a cross platform credential manager that can handle passkeys. They exist :)
Sites should make it easier to add multiple passkeys, which would also help.
Chris77123 t1_iztnqdp wrote
dont use same password across multiple applications because these password applications get hacked and you are expossed eventually
edvorg t1_izrb5yk wrote
I'm already using long randomly generated passwords, what would be the difference in adoption of passkey? So instead of a password, an attacker can steal your private key? I'm genuinely curious, what are the benefits
nindustries t1_izrpn2x wrote
They cant steal your passkey and its bound to the real domain name.
edvorg t1_izrqv48 wrote
Sorry, could you clarify this bit about a domain name? How does it work?
nicuramar t1_izrugs7 wrote
I don’t know what he meant by that. But the passkey only works for that specific login. So in that sense it would be like having 100% unique passwords in all cases.
nindustries t1_izrxiu5 wrote
The key that is generated for eg google.com will not be used for fakegoogle.com and there is no way for them spoof it. So your key never leaves your device and only works for the specific, valid website.
sweetmorty t1_izrcqno wrote
Nah, I'll keep KeePass
nicuramar t1_izruhgk wrote
They could add passkey support. Other apps have or are.
beef-o-lipso t1_izsaaal wrote
And this is the problem right here
> The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [added emphasis]
Passwords are familiar, easy to use, and are implemented everywhere. Other schemes, no matter how good they are, don't tick all of those boxes and won't gain wide adoption.
Hell, I can't use standard based TOTP/HOTP tokens on any of my financial sites. If financial sites support it, you must use their app.
I would love to see standards based 2FA mandated for financial and healthcare sites.
golf18golf18 t1_izu7le3 wrote
LastPass?
EndofGods t1_izpikec wrote
Online password vaults are not a great idea.
happyscrappy t1_izpong9 wrote
It's not a password vault.
Gesha24 t1_izpjgrj wrote
And yet almost most of organizations are using it. If implemented right - where you have encrypted passwords stored and it's the client that does the decryption locally - they are quite secure. Now, whether you trust the vendor to implement it properly is a whole different conversation.
EndofGods t1_izpqrfi wrote
There is absolutely no way you can guarantee your data's safety when it's constantly accessible online. I hear the arguments, but at the end of the day it is an absolute security risk that can be avoided for the average person at home. Work can do as it like, but you're choices should be more well informed.
Gesha24 t1_izpsb0w wrote
You can not guarantee data safety at home/within your org either. Remember all the home/prosumer devices that get infected and become part of the botnet? Well, that botnet is not only used for ddos, it can also scan your local systems for vulnerabilities. So don't be so sure your data is safer at home/org. At least Google is very likely to discover data leak quickly, will you even notice your data leaking at home/your company?
ItchyAcnestis t1_izpzi75 wrote
You’re getting downvoted, but you’re right. Accessibility and security of data are two parts of the triad that require the most balancing. By its very nature, security is reduced as you increase accessibility, and vice versa.
The key word here is guarantee though. It is possible to make it extremely difficult to get the data without proper access—just not impossible. Some of the methods used today are pretty slick, but I’ve already forgotten most of what was covered in my network security course. I mostly just remember thinking “this isn’t for me” and “please make this stop”.
[deleted] t1_izp9rhw wrote
[removed]
maru11 t1_izpc31i wrote
Do you even know how the PassKey standard is working? You don’t give Google anything with this.
mididaw t1_izpypro wrote
It’s going to take time for people to grasp key exchanges unless you have been in tech awhile.
The fact is one way key exchanges happen everyday with various things. The fact this is FIFO based and FIDO2 while nothing is foolproof this is the only step in the right direction to potentially eliminate a vast majority of exposure for anyone.
maru11 t1_izq0t1z wrote
I agree, forcing a non technical user to have a unique “password” (private / pub key pair) on every account will already be a huge improvement compared to todays standards.
[deleted] t1_izqvhjy wrote
can you escape from Google after you go all in on this?
nicuramar t1_izrulbu wrote
You don’t have to use Google in the first place. I can have a passkey on my iPhone and use it to log into some website on a computer using Chrome. I already tried that with Edge, which supports it.
Part of the system is where you can use your own device to handle the credentials.
[deleted] t1_izpjrkk wrote
[removed]
maracle6 t1_izqwhim wrote
What I haven’t been clear on is whether cross platform passkey sync can even be on the long term roadmap…as I use Windows, Mac, and iOS.