Problems with PassKeys



Q: How is this different than a long password in a password manager?
A: No more phishing! Password managers are an okay phishing deterrent, assuming every time it fails to autofill you carefully check the page details and don’t just assume they didn’t label their fields correctly and tell it to fill anyway. Maybe you do, but I guarantee your mom doesn’t. Passkeys are a) asymmetric, so if you accidentally authenticate with a fake page, they don’t get any sensitive info, and b) include hostname validation as part of the protocol, so making sure you’re on the right page is a first-class concern and not a super fragile layer on top.

Q: What if I lose the device with my keys on it?
A: What if you lose the device with your passwords on it? Either a) they’re backed up to the cloud and accessible from another device, or b) you click “forgot my password” and verify over email or something. Why would passkeys be any different? Now, it would be great if there were a cleaner solution than that, but this is a parallel problem, not one introduced by passkeys.

Q: Biometrics can’t be changed and are the same everywhere. Doesn’t that make them terrible passwords?
A: Yes. That’s why your biometrics aren’t your password! I blame Microsoft for this one, since their marketing has relied weirdly heavily on the ‘your fingerprint is your password’ thing. But so we’re clear: your private key is what you use to authenticate. Your fingerprint is just what you use to authorize your computer to use that key, and that authorization method could be anything. If you’ve used Windows Hello, you know how that works - you can set up fingerprint or face recognition if you have the hardware for it, or you can use a YubiKey, or you can just use a PIN/password. They all work the same for all the same sites, because what you enter there isn’t going to the site; it’s just satisfying Windows that you’re the user who owns the key. Think SSH private key passphrase, not login password.

Problems

  • Relies on Bluetooth and QR codes.
  • Passkeys cannot be tracked across websites. In theory this is good, but for developers and webmasters it can make several things harder to test.