A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

PASSKEYS

A passkey is a password that you are not allowed to know. Your phone knows it, but you do not.

Do not use passkeys. Here is why:

  1. The passkey ecosystem is complicated. I have read articles and listened to podcasts from techies, people who normally understand these things, and they all have questions about how passkeys work. Using a system that you do not fully understand is like diving into a pool where you don't know how deep the water is.
  2. If something goes wrong with passkeys, you will still need a password as a fallback mechanism.
  3. Unlocking an account using passkeys on a phone increases the reliance on our phones for security. Phones inevitably get lost, stolen or broken, so passkeys make the loss of a phone that much worse.
  4. Passkeys are built on the assumption that everyone has a smartphone. People who don't, who get Internet access at a library, are screwed by the passkey system.
  5. Why are passkeys being pushed by Google, Apple and Microsoft? Really, why? Some have said the real reason is to lock you into their ecosystems. This makes all the sense in the world to me. Even in a year or two (I am writing this in May 2023), when passkeys are more widely available, I doubt that an Apple user will be able to use their passkey on an Android device or Windows PC. Time will tell.
  6. For passkeys to catch on, the vast majority of websites that now accept passwords will need to be updated to also accept passkeys and then, eventually, to only accept passkeys. There are also many computer systems that are not websites, and they too need to be upgraded to support passkeys. To me, this seems impossible.
  7. Even if passkeys are the future, the ecosystem for them will not mature for many years (as of May 2023). Maybe it will never mature.

FYI

The Security Now podcast of May 9, 2023 raised an interesting issue. Someone who does not own a computer or smartphone and uses the library for their Internet access cannot use passkeys.

Created: May 11, 2023. Last updated: June 1, 2023.