Passwordless Google accounts are easier and more secure than passwords. Here’s why.

mmiller7

Ars Legatus Legionis
12,349
I'm not sure having to go find your phone, find the app to scan the QR code with, I guess you'd have had to go thru some setup for fingerprints...and hope it accepts your fingerprint (I have issues with fingerprint unlock on the devices I've tried it, such as after working in the yard or on the car it won't accept until my skin heals fully for several days).

That doesn't fit what I would call "easy"
 
Upvote
195 (246 / -51)
From the article:
"Some passkey skeptics have expressed concerns about entrusting Apple, Google, or Microsoft infrastructure with the secret key. Some of these critics have gone so far as to say that passkeys are a power play designed to give these companies control of authentication secrets not previously possible. These claims simply aren’t true."

For me at least, this is a mischaracterization of the concern. There are horror stories for example (reported here on ARS) of Google disabling a man's account for sharing photos of his child with his doctor. If all of my passkeys are tied up in Google's ecosystem and something like that happens, I'm totally screwed and would be unable to work.

The solution is simple enough though: don't trust a hardware vendor, instead only store passkeys in something cross-platform and open source like Bitwarden. For me, that is the only way that I am going to start using passkeys.

Edit to add:
Yes I am aware that Bitwarden does not have full passkey support today. It is in the works:
https://www.reddit.com/r/Bitwarden/comments/136j90t/did_you_know_bitwarden_is_working_on_passkey/
 
Upvote
228 (236 / -8)
As far as I can tell, the point of this is replacing the Thing You Know (i.e. the password) with a Thing You Have (your phone) in conjunction with the Thing You Are (biometric verification on your phone).

That is itself an improvement, but the downside is that there are way more moving parts, increasing the number of failure modes and making it harder to reason about them. The simplest question is: what happens if you lose your phone? Another one is: there are multiple Passkey implementations, right? How do they interoperate?

Speaking of moving parts, I'm somewhat concerned about the Bluetooth requirement. I don't think I've ever used a desktop computer with Bluetooth, for example. And how does the web page you're logging in to make an outgoing Bluetooth connection to your phone? Doesn't this require cooperation between the browser and the OS? What standards does this use? What happens if you're on a system which doesn't have this, for some reason? Is there a fallback?

Edit: Also, for a primer this document is kinda missing a simple explanation of what passkeys actually are and how they operate!
 
Upvote
330 (340 / -10)
I'm not sure having to go find your phone, find the app to scan the QR code with, I guess you'd have had to go thru some setup for fingerprints...and hope it accepts your fingerprint (I have issues with fingerprint unlock on the devices I've tried it, such as after working in the yard or on the car it won't accept until my skin heals fully for several days).

That doesn't fit what I would call "easy"
Yeah and while passwords are archaic at least my password manager workflow with BitWarden works on all platforms even if it’s sometimes less convenient. If it’s a website or app that isn’t made by maroons and doesn’t have some obnoxious markup where the user and pass fields are obfuscated, which isn’t most, it works quickly and flawlessly. Might be followed by a TFA prompt but I don’t need that every login.

More annoying but far far more certain
 
Upvote
103 (105 / -2)
D

Deleted member 441963

Guest
[..]

The solution is simple enough though: don't trust a hardware vendor, instead only store passkeys in something cross-platform and open source like Bitwarden. For me, that is the only way that I am going to start using passkeys.
Why limit your (dis-)trust to a hardware vendor? Do you have any reason to believe Microsoft won't nuke your account without clear cause or form of recourse? Sorry for the Google Translate link: horrorstory

I agree with your roll-your-own open source route, without dependencies on external parties.
 
Upvote
37 (43 / -6)

pulsar9

Smack-Fu Master, in training
50
Subscriptor++
Maybe it is just me but I just have no interest in the Bluetooth requirement. I don't connect my phone to every device because I don't need to and I don't want to have to do the rigamarole of changing it when I forget to disconnect from one device. If it were WiFi network this would not be an issue. Also, how would this work for a VM? What about a VM located in a data center somewhere else in the country? Won't be usable for me until that is figured out as well.
 
Upvote
125 (137 / -12)

vnangia

Ars Scholae Palatinae
821
You’ve turned them on, right?

No and absolutely fucking not.

Every single system that seems to be able to store passkeys seems to require you to trust the big three (Apple, Google, Microsoft) not to delete your account without warning. In my case, if Apple deletes my iCloud account and the keychain, I lose access to everything that's secured with a passkey. Compare that to what happens right now, if I destroy my main Yubikey: I go to my bank, show them two forms of ID, use my physical key to retrieve the backup Yubikey from the safe box, and move on with life.

Until and unless there are serious and lasting consequences for companies that provide infrastructure services that act unilaterally, there is no way I will use this. KeePass/BitWarden can generate arbitrarily strong passwords, you can buy as many Webauthn keys as you want from a variety of vendors. With passkeys, you're one (automated, non-negotiable) deletion away from being locked out permanently from your entire online life.

If you want to give that power to a company, be my guest. I'll wait until it's treated like water or power companies cutting off service for no apparent reason: large and hurting fines.
 
Upvote
227 (270 / -43)

ColdWetDog

Ars Legatus Legionis
14,402
Eh...

From what I understand this is a new industry standard and not just a Google thing. I'll wait for Apple and Microsoft to fully implement it before I bother, seeing how I don't really use Google products other than YouTube.
Yeah, I'll watch but the current list has nothing that I'm using. Maybe in six months. Maybe not.

Good to have these primers to prepare us but so far it is 'Reply hazy, ask again later'.
 
Upvote
33 (33 / 0)
My phone is always in my pocket on the desk next to me, and I've been able to use fingerprint unlock even with peeling calluses from playing the guitar, or my fingertip coated in dried superglue (don't ask). I can see how passkeys aren't an improvement for everyone, but neither of these issues would put me off of it.
Maybe not for you but my fingertips also regularly wear out from hand work, even when I wear gloves as much as possible. It’s basically inevitable.

Sorry but your flex of “my fingers are more scuffed than yours” is silly
 
Upvote
65 (85 / -20)

pocal

Wise, Aged Ars Veteran
113
One question I have is: what resilience does this solution offer to SIM-swap attacks?

If one were to have their mobile device hijacked in this way, it seems that the "keys to the kingdom" would be had with no additional barriers for the attacker to overcome, such as the need for a password to access any/all accounts.
The passkey system doesn't use SMS. A SIM-swap attack is pointless. In the case of a phone, the adversary needs access to the physical device, plus its biometric authentication.
 
Upvote
95 (95 / 0)

pocal

Wise, Aged Ars Veteran
113
Passwords are better than passkeys.
They can be changed, are not based on some item that can be lost or stolen, and are not based on some type of biometry.
The passkey does not depend on biometry. Biometrics are used only to authenticate the user on the local device and never leave it.
 
Upvote
54 (75 / -21)
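The two replies above sketch the shape of the protocol: no SMS step, a private key that stays on the device, and a local biometric/PIN check that only unlocks that key. The Python below is an added illustration of that exchange, not code from the thread or from any real passkey implementation. It uses a Schnorr signature over a small, freshly generated safe-prime group as a stand-in for the algorithms WebAuthn actually uses, and the names Authenticator, RelyingParty, the user "alice", the site "bank.example" and every value in demo() are made up here.

```python
import hashlib
import random
import secrets

RNG = random.SystemRandom()

def is_probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin after trial division
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_group(bits: int = 128):
    """Return (p, q, g): p = 2q + 1 prime, g of prime order q mod p."""
    q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    p = 2 * q + 1
    h = RNG.randrange(2, p - 1)  # any h other than +-1 has a square of order exactly q
    return p, q, pow(h, 2, p)

P, Q, G = generate_group()  # constructed fresh each run; toy size, not for production use

def hash_to_q(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q

class Authenticator:  # the "thing you have": holds private keys and never exports them
    def __init__(self, name: str):
        self.name = name
        self._private = {}  # rp_id -> secret scalar, only ever read inside sign()
    def register(self, rp_id: str) -> int:
        x = RNG.randrange(1, Q)
        self._private[rp_id] = x
        return pow(G, x, P)  # only the public key leaves the device
    def sign(self, rp_id: str, challenge: bytes, user_verified: bool):
        # The biometric/PIN check is local: it only unlocks use of the key.
        if not user_verified:
            raise PermissionError(f"{self.name}: local user verification failed")
        k = RNG.randrange(1, Q)
        e = hash_to_q(rp_id.encode(), challenge, pow(G, k, P).to_bytes(32, "big"))
        return e, (k - self._private[rp_id] * e) % Q  # Schnorr pair (e, s)

class RelyingParty:  # the website: stores public keys and single-use challenges, no secrets
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.credentials = {}  # username -> list of registered public keys
        self.pending = set()  # challenges issued but not yet consumed
    def add_credential(self, user: str, public_key: int) -> None:
        self.credentials.setdefault(user, []).append(public_key)
    def begin_login(self) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh per attempt, sent in the clear
        self.pending.add(challenge)
        return challenge
    def finish_login(self, user: str, challenge: bytes, signature) -> bool:
        if challenge not in self.pending:
            return False  # unknown or already consumed: a replay
        self.pending.discard(challenge)
        e, s = signature
        for y in self.credentials.get(user, []):
            r = (pow(G, s, P) * pow(y, e, P)) % P  # recovers g^k for a valid signature
            if hash_to_q(self.rp_id.encode(), challenge, r.to_bytes(32, "big")) == e:
                return True
        return False

def demo() -> dict:  # one made-up user with a phone and a backup key; outcome of each case
    site, phone, backup = RelyingParty("bank.example"), Authenticator("phone"), Authenticator("backup key")
    for device in (phone, backup):
        site.add_credential("alice", device.register(site.rp_id))
    out, c = {}, site.begin_login()
    out["phone_login"] = site.finish_login("alice", c, phone.sign(site.rp_id, c, True))
    c = site.begin_login()  # an observer of the exchange replays it verbatim
    sig = phone.sign(site.rp_id, c, True)
    site.finish_login("alice", c, sig)
    out["replay"] = site.finish_login("alice", c, sig)
    try:  # without fingerprint/PIN the device produces no signature at all
        phone.sign(site.rp_id, site.begin_login(), False)
        out["without_user_verification"] = True
    except PermissionError:
        out["without_user_verification"] = False
    c = site.begin_login()  # phone lost: the second registered credential still signs in
    out["backup_login"] = site.finish_login("alice", c, backup.sign(site.rp_id, c, True))
    return out
```

Calling demo() registers two authenticators for one account and walks through the cases the thread argues about: the server holds only public keys and one-time challenges, so a SIM swap (there is no SMS in the flow) or a captured login exchange yields nothing reusable; the biometric check gates the device, not the account; and a second registered credential is what covers the lost-phone case. The small group, the absence of attestation, signature counters and origin checks are what make this a sketch rather than WebAuthn.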

Scathian

Ars Centurion
223
Subscriptor
I recently had an experience while traveling where a phone fell and broke and was not usable and my friend had 2 factor authentication turned on with the Duo app as well as a password manager when they tried to get their new phone operational.

Were it not for breaking best practices and getting someone back home to log into their laptop my friend would have faced an expensive trip home to sort everything out.

This isn't to say that security isn't important, it's just I've been shown in a very real way that multi-device authentication can be a very dangerous thing. If my friend had been limited to passkeys in this situation they would have been stuck because the old phone didn't work. And they wouldn't have had any way of turning off the passkey option except by getting someone else to do it for them.
 
Upvote
176 (187 / -11)

pocal

Wise, Aged Ars Veteran
113
Yeah and while passwords are archaic at least my password manager workflow with BitWarden works on all platforms even if it’s sometimes less convenient. If it’s a website or app that isn’t made by maroons and doesn’t have some obnoxious markup where the user and pass fields are obfuscated, which isn’t most, it works quickly and flawlessly. Might be followed by a TFA prompt but I don’t need that every login.

More annoying but far far more certain
BitWarden is actively working on the incorporation of passkeys. I'm looking forward to that.
 
Upvote
25 (25 / 0)
D

Deleted member 845110

Guest
My phone is always in my pocket on the desk next to me, and I've been able to use fingerprint unlock even with peeling calluses from playing the guitar, or my fingertip coated in dried superglue (don't ask). I can see how passkeys aren't an improvement for everyone, but neither of these issues would put me off of it.

Well now I do have to ask: Are you a luthier, perchance, or just repairing instruments here and there? Either way, the glue-covered hands reminded me of the last time I did any fret work on one of my guitars. Coincidentally(-ish) it also reminded me of why I let a local shop do my fret repairs, these days :)
 
Upvote
9 (11 / -2)

JanneM

Ars Scholae Palatinae
721
Subscriptor++
I don't want to make any single company the gatekeeper for all my online logins. If I lose access to that account I lose access to all my accounts.

And I don't want to make it dependent on any single physical device. Lose the device, lose all access.

Generated strong passwords kept in a password manager neatly avoids both issues.
 
Upvote
93 (107 / -14)

Soko

Ars Praefectus
4,054
Subscriptor++
These claims simply aren’t true. The keys are end-to-end encrypted using the same mechanisms (i.e., iCloud Keychain, linkword, and linkword) that millions of people have used for years. It’s impossible for these companies to decrypt the keys stored on their servers, and even if they could, they’d be unable to use them without close physical proximity to the user device providing the second factor of authentication.

Linkword? Me thinks you missed a couple of edits somehow...
 
Upvote
17 (18 / -1)
I think the ARS audience is way ahead of the curve in terms of using a password manager and having their credentials safely in order. Lots of normal people have no real system of keeping their passwords and have a total mess where they end up having to recover the password practically every time they login. Getting those people on to a secure and reliable system would be a big improvement for them. We'll see if passkeys are helpful for that. At this point it sounds way too confusing and incomplete to be something I'd suggest someone like that try.
 
Upvote
119 (121 / -2)

panton41

Ars Legatus Legionis
11,115
Subscriptor
I think the ARS audience is way ahead of the curve in terms of using a password manager and having their credentials safely in order. Lots of normal people have no real system of keeping their passwords and have a total mess where they end up having to recover the password practically every time they login.
Like the time I worked for a hospital and the same surgeon called in every, single, frickin, day for a password reset because he forgot it from yesterday.

Every. Single. Frickin'. Day.

We had logs.
 
Upvote
111 (113 / -2)

rosen380

Ars Tribunus Angusticlavius
6,905
mine is better, it has all that plus it requires you to get a one-time PIN via old-school pager
Still not enough... you'll also need something borrowed and something blue. You'll need an old priest and a young priest. You'll need a raven's egg, blood of a hen, eyeballs of a crocodile and resticles of a newt.
 
Upvote
64 (64 / 0)

trimeta

Ars Praefectus
5,617
Subscriptor++
Dan Goodin: Google passkeys are a no-brainer. You’ve turned them on, right?
Ron Amadeo: Switching [to passkeys] is probably a terrible idea right now

You do have an Ars Technica Slack, right? I'm wondering if there was a discussion there about the current maturity of Google's passkey implementation...
 
Upvote
253 (256 / -3)
D

Deleted member 853683

Guest
So what's the fallback if your phone is lost/stolen/destroyed/etc?
At least on the Apple side, passkeys are synced via iCloud Keychain. So if you have multiple devices, then passkeys will work on all of them. I can sign in seamlessly using my phone, my desktop Mac, my iPad, etc.

I think a lot of the problems and concerns around recovery and multi-device support go away once you start getting third party Passkey solutions from companies like 1Password and Bitwarden (and I'd guess someone is working on a FOSS option). Millions of people already trust them with all their passwords; trusting them with passkeys isn't really any different, but it is more secure. I expect at some point we'll also get easier options to backup or export passkeys, similar to how you can for passwords today.

Still, I wonder about the "average user" problem. Passkeys are targeting better security for people like my mom, who use the same few passwords everywhere and for whom any kind of 2FA is such an annoyance that they never use it. If a person is the ideal who stays within the same unified ecosystem, passkeys are definitely far more secure.

But not everyone, or even most people, are like that. There's no guarantee my mom will stick with Android for her next phone, and she doesn't live inside the Google ecosystem everywhere - instead she has a hodgepodge of accounts across many devices and services. She's been doing things this way forever, and I'm not sure she'd be willing or even able to change now.

I'd go as far as to say that ease of use could actually cause problems for passkeys. Because the login flow is so simple, the average person might not even really understand what is happening beyond "I login with my phone". Would my mom even know how to solve the problem if she lost her phone, or was switching from Android to iOS?

I'm sure much is the same for many, many more people. Eventually people will learn and the technical kinks will get worked out, but that means that realistically it will be years, or even a decade, until passkeys are truly ubiquitous.
 
Last edited by a moderator:
Upvote
83 (87 / -4)