Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms

Discussion in 'other security issues & news' started by ronjor, May 5, 2022.

  1. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Yes, I understand its limitations. I store URLs in a password manager, so even if someone sends me an email I would compare domains.
    I know that some people use browser bookmarks as an anti-phishing measure.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, I think I understand it a bit better now. And if it's possible to authenticate on a PC (desktop/laptop) without having to use your smartphone, then I'm all for it. So perhaps I was being a bit too negative about this PassKey stuff.

    No, because you will still need to provide confirmation via touch ID or face ID if I understood correctly.

    Yes good point, however Intel Online Connect should prevent this, see link. I suppose PassKey will work like this too, but without the need for a 2FA code.

    https://www.pcworld.com/article/407...wo-factor-authentication-from-your-phone.html
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Biometrics suck more than passwords. If someone knocks you out and takes it they can press your finger on it or hold it to your face and get in.
     
  4. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I would give my smartphone password (or the PIN to a debit card, if I had one) to an aggressor if he/she held a knife to my neck or held me at gunpoint. Especially as I don't have my most valuable bank account connected to my smartphone and don't have any debit card. No way to substantially decrease my chance of survival for ~$3000 (including the phone price).
    I also think that in that case in my country I could win a legal battle with my bank and they would have to return money to my account.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    This is why I don't do bank apps on the phone. Someone else gets the phone, it is worth nothing but the value of a stolen phone.
     
  6. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Aren't you having debit/credit card with you and only have cash in small amounts, are you? Because I don't really see a big difference being mugged when I have a smartphone with banking app vs debit/credit card.
    And frankly I am more concerned about some mistake by the accounting department that leads to not receiving a paycheck, or receiving it in a lower amount, than some unauthorized money transfer during an assault by skillful criminals. Dentistry could cost me much more than what they can transfer during perfect circumstances when everything goes according to their plan.
     
  7. Melionix

    Melionix Registered Member

    Joined:
    Jun 22, 2020
    Posts:
    111
    Location:
    Earth
    Can't you just... password protect them? I run my most sensitive stuff inside of a work profile, with a separate password.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes this is indeed a problem, but they can also force you to give up your PIN/password. But I'm not sure yet how I feel about stuff like Windows Hello, I never used it.

    Yes, I would of course also give up my smartphone. Luckily I don't do anything of importance on my smartphone, so no banking, no social media, no email. Because it's just too risky in case you get robbed while your smartphone is unlocked.
     
  9. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks, I haven't read the whole article yet, but I think this Passkey stuff might not even be a bad idea. Especially if you will not have to use your smartphone to log in to other devices like laptops and desktops. Because I've read that many major banks in Holland are planning to ditch hardware token devices (like from OneSpan) and force people to use their smartphone, to hell with them!

    https://www.onespan.com/products/hardware-authentication/product-comparison
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    You say that... good luck to them. If someone is willing to injure you or take your life for that info, there is nothing to stop them from doing so after they get it. Better yet, tell them the code is 911.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I think you watched too many action movies
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    About our discussion in this thread about the safety of smartphone banking apps, I have just once again read about crooks that got sentenced to jail because they scammed users on the Dutch version of eBay. What they did is they sent a fake banking site to the victims, because they acted like they wanted to make sure that the buyers were for real, so they asked them to send them €0.01 cent.

    So the victims typed in their username and password/PIN, which was recorded by the crooks, and then they could log in to their bank accounts, and they actually made about €50.000 by scamming multiple people. So my question is, how the heck is this possible, where is the 2FA on mobile banking apps? And apparently banking apps are also not tied to smartphones, because the crooks could log in from their own smartphones.
     
  14. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    I’m confused: what role do banking apps play when using fake websites?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Earlier in this thread we had a discussion about how safe mobile banking apps are, compared to online banking via websites on desktops and laptops. In The Netherlands, just about all banks make use of either 2FA via smartphone banking app, hardware token device or 2FA via SMS. So in other words, hackers can't login with only your username and password/PIN.

    But on mobile phones it doesn't seem to work this way, as soon as crooks get access to your credentials, they can log in to your bank account via mobile phones, unless I'm missing something. So there is no 2FA on mobile phone banking apps. To me it would make more sense if you could only log in on your own smartphone device. But anyway, Passkeys should fix this problem since it's not supposed to be phishable.
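
Added example, not part of any post in this thread: a sketch of the relying-party checks on a WebAuthn sign-in response that make a response collected on a fake banking site useless to the attacker, since the browser records the origin it was really on and the authenticator hashes the RP ID the credential is scoped to. The domains `bank.example` and `bank-login.example`, the function names and the sample data are constructed assumptions; verifying the signature over authenticatorData plus the SHA-256 of clientDataJSON with the registered public key is a further required step that is left out here.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "bank.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # constructed origin of the real site
FLAG_UP, FLAG_UV = 0x01, 0x04             # user present / user verified bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin, rp_id, challenge, flags=FLAG_UP | FLAG_UV):
    """Constructed sample of what browser + authenticator send back.
    The browser, not the page, fills in `origin`; the authenticator
    hashes the RP ID the credential is scoped to."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))
    return client_data, auth_data


def check_assertion(client_data_json, auth_data, issued_challenge,
                    require_uv=True):
    """Return a list of failed checks; an empty list means all passed."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong type")
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(),
                               b64url(issued_challenge).encode()):
        problems.append("challenge mismatch")   # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")      # produced on another site
    if len(auth_data) < 37:                     # 32 hash + 1 flags + 4 counter
        return problems + ["authenticatorData too short"]
    if not hmac.compare_digest(auth_data[:32],
                               hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash mismatch")    # credential scoped elsewhere
    if not auth_data[32] & FLAG_UP:
        problems.append("user not present")
    if require_uv and not auth_data[32] & FLAG_UV:
        problems.append("user not verified")    # no biometric/PIN gesture
    return problems
```

The `require_uv` switch corresponds to whether the site insists on the local biometric or PIN confirmation discussed earlier in the thread.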
     
  16. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Google has now introduced Passkeys to Android and the Chrome browser, now we will have to wait on web services that will actually implement this Passkey stuff. And of course I also hope this will soon be adopted by other Chromium based browsers too, like Vivaldi.

    https://android-developers.googleblog.com/2022/10/bringing-passkeys-to-android-and-chrome.html
     
  18. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now 1Password has come up with its own implementation of passkeys. And of course it wants to make 1Password play a role in how these passkeys are stored and managed. Perhaps people who make use of 1Password can try the live demo and post their findings.

    https://www.future.1password.com/passkeys/
     
  20. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Works great.

    PS: Don't confuse implementation & specification. 1Password implements the WebAuthn specification, just like Apple, Google, and Microsoft did (platform authenticators), as well as Yubico (roaming authenticator).
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I guess what I meant is that 1Password has implemented a couple of extra features that are not yet found in Apple's implementation if I understood correctly. Or at least, they tried to make it more user-friendly.

    BTW, these are the websites that already support 1Password passkeys, but not all of them are MFA based? I don't get it, aren't passkeys always a form of MFA?

    https://passkeys.directory/?utm_source=future1p&utm_campaign=passkeys
     
  22. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Once more: there’s no such thing as a “1Password passkey”, just passkeys (open standard).

    Sites listed as MFA allow a passkey as second factor (instead of TOTP, SMS, YubiKey, etc.), but still require a separate username and password. Sites with “Sign in” only need the passkey (no username or password).
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks for the info, and I understand what you mean. There's indeed no such thing, all passkeys will work the same. I was just talking about the additional features that 1Password brings to the table.

     
  24. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands