PASSKEYS
A passkey is, in effect, a secret that you are not allowed to know: a private cryptographic key that your phone (or another device) holds and uses on your behalf, but never shows you.
Do not use passkeys. Here is why:
- The passkey ecosystem is complicated. I have read articles and listened to podcasts from techies, people who normally understand these things, and they all have questions about how passkeys work. Using a system that you do not fully understand is like diving into a pool where you don't know how deep the water is.
- If something goes wrong with passkeys, you will still need a password as a fallback mechanism.
- Unlocking an account using passkeys on a phone increases our reliance on our phones for security. Phones inevitably get lost, stolen or broken, so passkeys make the loss of a phone that much worse.
- Passkeys are built on the assumption that everyone has a smartphone. People who don't, such as those who get Internet access at a library, are screwed by the passkey system.
- Why are passkeys being pushed by Google, Apple and Microsoft? Really, why? Some have said the real reason is to lock you into their ecosystems. This makes all the sense in the world to me. Even in a year or two (I am writing this in May 2023), when passkeys are more widely available, I doubt that an Apple user will be able to use their passkey on an Android device or Windows PC. Time will tell.
- For passkeys to catch on, the vast majority of websites that now accept passwords will need to be updated to also accept passkeys and then, eventually, to only accept passkeys. And there are many computer systems that are not websites, and they too need to be upgraded to support passkeys. To me, this seems impossible.
- Even if passkeys are the future, the ecosystem for them will not mature for many years (as of May 2023). Maybe it will never mature.
ARTICLES
This May 2023 article by Jared Newman is one that I mostly agree with: Passwordless logins are a confusing mess. The article says that a goal of passkeys is to make account logins easier. But, by definition, this means less security. In the article, the issue of not having your phone assumes it was lost. But what if the phone was stolen? Bad guys may unlock your phone by forcing you to look at it or to press your finger on it. Or, if the phone unlock code is all that it takes to access the passkeys, they may just watch you unlock the phone, note the code, then steal your phone. Some quotes:
- Getting rid of passwords will be a long, messy, and occasionally maddening process, especially without clearer documentation and guidance from the companies involved.
- All of this falls apart when you try to start using passkeys in earnest. The technology is so new that every website handles it differently, and things that are supposed to just work often don’t.
- I have a pretty solid handle on technology, and I still find this to be overwhelming.
- As of now, none of the systems' biggest backers have provided clear documentation on what happens if your phone goes missing. ... In Google’s latest post about adding passkey support, the possibility of losing your phone doesn't even come up, and its support page offers no guidance for users who've lost all their devices.
- All of this, by the way, is separate from the 'Sign in with Google' and 'Sign in with Apple' buttons that are already ubiquitous around the web. While those options are also passwordless, they're separate from this new passkey system that's now being created.
- This May 2023 article in Ars Technica, Google passkeys are a no-brainer. You’ve turned them on, right? by Dan Goodin, is supposed to argue that passkeys are great. I think Goodin is completely wrong. As I read this article, I ended up with many questions. Rather than being a good thing, the article, in my opinion, shows passkeys as a bad thing.
- This May 2023 article in the Wall Street Journal by Nicole Nguyen also argues for passkeys. Hate Passwords? It’s Time to Try Passkeys.
But, to me, the case is weak. And, the article makes many factual mistakes, such as:
- Even the title of the article is false. It is absolutely not the time to try passkeys. Far far from it. This is not a matter of opinion, it is a fact.
- Nguyen claims passkeys are both easier and safer. Nothing that is easy is either safe or secure. Never has been, never will be. The two concepts are always at odds.
- Nguyen says that a passkey is "an encrypted bit of software code". It is not. A passkey is a cryptographic private key, which is a (very large) number, not software code.
- The article says that a passkey lives in a password manager. This is literally true, for now, but they do not live in what most people know as password managers. KeePass, for example, cannot handle passkeys (as of May 2023).
- The article says "the key only lives on your device (a phone or laptop, for instance)". This assumes we only have one computing device. If you have both an iPhone and an iPad, the passkey should end up on both devices, because Apple syncs passkeys between your devices through iCloud Keychain. The sentence also shows a lack of understanding of the technology. The passkey on your device is one half of a pair of numbers (a key pair). The public half is sent to the server of the system you are dealing with and stays there; the private half stays on your devices and is never sent to the server. This is a big contrast with passwords, where the server holds (a hash of) the very same secret that you type in.
- The article says passkeys are easier than 2FA. Again, anything easier is less secure. And is it really easier? That is a matter of opinion.
- The article suggests testing passkeys on the webauthn.io website. I did, on a Windows PC. The site failed to load at all using the Mullvad web browser.
Using Brave, it wanted me to turn on Bluetooth which it said is required to use my passkey on a different device. What different device?
Using Chrome, it said Bluetooth was required and stopped. Again, the issue of passkeys being easier to use is a matter of opinion.
- The article says "Passkeys already work with the password managers built into ... Google Chrome ... desktop web browsers". It did not for me.
At least not without Bluetooth enabled. Why is Bluetooth needed? Neither browser said why.
FYI
The Security Now podcast of May 9, 2023 raised an interesting issue. Someone who does not own a computer or smartphone and uses the library for their Internet access cannot use passkeys.