A Defensive Computing Checklist    by Michael Horowitz

PASSKEYS

TOPICS BELOW
Why Not To Use Passkeys, Passkeys Bad, Passkeys Good, FYI

A passkey is a password that you are not allowed to know. Your phone knows it, but you do not.

WHY NOT TO USE PASSKEYS

Do not use passkeys. Here are some (not all) reasons why:

  1. The passkey ecosystem is complicated. I have read articles and listened to podcasts from techies, people who normally understand these things, and they all have questions about how passkeys work. Using a system that you do not fully understand is like diving into a pool where you don't know how deep the water is.
  2. If something goes wrong with passkeys, you will still need a password as a fallback mechanism.
    In December 2024, Dan Goodin described the current state of things: "Of the hundreds of sites supporting passkeys, there isn't one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google's Advanced Protection Program, I know of no sites that won't allow logins to fall back on passwords, often without any additional factor. This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys."
  3. Unlocking an account using passkeys on a phone increases the reliance on our phones for security. Phones inevitably get lost, stolen or broken, so passkeys make the loss of a phone that much worse. I suspect that many people who jumped on passkeys initially live in low crime areas.
  4. Passkeys are built on the assumption that everyone has a smartphone. People who don't, who get Internet access at a library, are not allowed to play the passkey game.
  5. Why are passkeys being pushed by Google, Apple and Microsoft? Really, why? Some have said the real reason is to lock you into their ecosystems. This makes all the sense in the world to me. Even in a year or two (I am writing this in May 2023), when passkeys are more widely available, I doubt that an Apple user will be able to use their passkey on an Android device or Windows PC. Time will tell.
  6. For passkeys to catch on, the vast majority of websites that now accept passwords will need to be updated to also accept passkeys and then, eventually, to only accept passkeys. And there are many computer systems that are not websites, and they too need to be upgraded to support passkeys. To me, this seems impossible.
  7. Even if passkeys are the future, the ecosystem for them will not mature for many years (as of May 2023). Maybe it will never mature.

PASSKEYS BAD

PASSKEYS GOOD

FYI

The Security Now podcast of May 9, 2023 raised an interesting issue. Someone who does not own a computer or smartphone and uses the library for their Internet access cannot use passkeys.

Created: May 11, 2023
Last Updated: January 21, 2025

Website by Michael Horowitz (@defensivecomput)
Copyright 2019 - 2025