Passkey technology is elegant, but it’s most definitely not usable security

Discussion in 'privacy technology' started by ronjor, Dec 30, 2024.

  1. ronjor

    ronjor Global Moderator

    Third of Online Users Hit by Account Hacks Due to Weak Passwords
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Data breaches have little to do with passwords - they are 100% the fault of this or that company and lax security practices. Every few days, someone leaves a 100GB cloud bucket wide open on the net, with tons of private data, including addresses, phone numbers, identity numbers, and more. Passwords are irrelevant in this equation.

    Weak passwords? Easily solvable. Every service out there can mandate strong passwords, today - something like min. 20 characters, 112-bit entropy, etc. So if someone has a weak password, it's because the system allows it, and this is the IT security owner's fault, not the end users'. Passwords are a manifestation of the problem, not the root of it.

    But the reason why services don't do this - it's not profitable. It costs a lot of money to do security right.

    Also, following the logic of the article, we can solve 30% of online hacks today. Simply by using strong passwords. Immediate effect.

    I know I'm repeating myself, but my fear isn't some random hax0r somewhere - it's knowing that companies WILL lose my data, sooner or later.

    Mrk
     
  3. summerheat

    summerheat Registered Member

    Right, but nevertheless passkeys make data breaches less likely. If an attacker somehow gets your password (because it's too weak or for another reason) he has full access to your data on that website (unless you're using 2FA). This is not the case with a passkey: the attacker might have the public key but without the private key on your device it's pretty worthless.

    Another advantage is that passkeys are a good protection against phishing attacks. The private key won't work on a bogus site. (This is admittedly also the case if you're using a password manager as it wouldn't insert the login credentials on a bogus site, either.)
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    If you look at that article, 30% of users suffer "hacks" - that means 70% don't. So the existing solution ain't bad. And theoretically, if there are no "bad" passwords, the number drops to zero. Passkeys have some value - I would say IT/service providers people ought to use them, or at least a variation thereof. But common users? No way.

    Also, they don't mitigate the cardinal problem - the clicky internet. What would happen if tomorrow every single email is plain text and there are no hyperlinks?

    Mrk
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Not always. I am copy-pasting passwords between the password manager and the browser on a laptop and not using extensions to do that for me.
     
  6. summerheat

    summerheat Registered Member

    Yes, you're right. My remark was too general. So this is even more so an advantage of passkeys.
     