this post was submitted on 09 Apr 2024
503 points (92.7% liked)

Technology

63572 readers
2794 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s
enu
technopagan
L4s
503
Big Tech passkey implementations are a trap | Proton (proton.me)
submitted 10 months ago by [email protected] to c/technology
220 comments fedilink hide all child comments
 
  • Big Tech has implemented passkeys in a way that locks users into their platforms rather than providing universal security
  • Passkeys were developed to replace passwords for better account security, but their rollout by Apple and Google has limited their potential
  • Proton Pass offers passkeys that are universal, easy to use, and available to everyone for improved online security and privacy.
you are viewing a single comment's thread
view the rest of the comments
[–] viralJ 16 points 10 months ago (29 children)

Could someone ELI5 (if possible) what passkeys actually are?

[–] asmoranomar 6 points 10 months ago (7 children)

From my understanding it's the concept of trust. Basic passwords are complete trust that both ends are who they say they are, on a device that is trusted, and passing the password over the wire is sufficient and nobody else tries to violate that trust. Different types of techniques over time have been designed to reduce that level of trust and at a fundamental level, passkeys are zero trust. This means you don't even trust your own device (except during the initial setup) and the passkey you use can only be used on that particular device, by a particular user, with a particular provider, for a particular service, on their particular hardware.....etc. If at any point trust is broken, authentication fails.

Remember, this is ELI5, the whole thing is more complex. It's all about trust. HOW this is done and what to do when it fails is way beyond EIL5. Again, this is from my own understanding, and the analogy of hardware passwords isn't too far off.

[–] [email protected] 4 points 10 months ago (6 children)

so it's basically what a SSH key is? can I not log in to an account from my laptop if I set it up on my phone then? that seems like a massive hassle if it's the case

[–] ShittyBeatlesFCPres 2 points 10 months ago

You setup passkeys for all your devices with biometric features. I know I have a Yubikey for my desktop, facial recognition on my phone, and a fingerprint reader on my laptop. So, I setup 3 passkeys using biometric (fingerprint or face). I also kept my password and 2FA for now because it’s all new. I wouldn’t recommend jumping in face first.

I only am using it on a few key sites and partly because I’m a web developer testing it all out. I wouldn’t advise it for the average user at the moment but it’ll mature and many password managers can store passkeys now. As it matures, I’m hopeful it becomes seamless like FaceID and fingerprint readers.

load more comments (5 replies)
load more comments (5 replies)
load more comments (26 replies)