Passkeys were supposed to be secure and simple; here’s how they fail
January 1, 2025

I’ve been arguing that passwords are terrible for the better part of a decade, and I was an enthusiastic early adopter of the better approach: passkeys.

Passkeys were supposed to be the holy grail: a method that is both more secure and easier to use than passwords, so that everyone would adopt them. But a new article outlines four problems with the technology…

Passkeys are more secure than passwords

There are many security issues with passwords:

  • Websites may know them, even though they are supposed to be stored encrypted
  • Non-technical people tend to reuse passwords, so data breaches become a big problem
  • Passwords are vulnerable to phishing attacks

Passkeys solve all this. When we log in, we are not asked for a username and password but are invited to use a passkey. With this system, the website or app asks our device to authenticate us using Face ID or Touch ID. The device then tells the website who we are and that it has confirmed our identity.

The web server trusts your device to authenticate you, just like a payment terminal trusts your iPhone or Apple Watch for Apple Pay transactions, because it knows you’ve authenticated locally using biometrics.
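To make the three points above concrete (the site never holds a secret, nothing is reused across sites, and the credential is bound to the site's origin), here is a simplified WebAuthn-style passkey ceremony. This is example code added for this page, not code from the original article or from any vendor's implementation; the relying party IDs, origins and challenge strings are constructed, and authenticatorData is reduced to the rpID hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the clientDataJSON fields that matter here. The browser, not the page, fills in Origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Authenticator stands in for the device: one fresh key pair per relying party (rpID), never reused.
type Authenticator map[string]ed25519.PrivateKey
// Register creates a credential for rpID; the relying party stores only the public key, never a secret.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}
// signedMessage is WebAuthn's signing input: authenticatorData (reduced here to rpIdHash) || SHA-256(clientDataJSON).
func signedMessage(rpID string, cd []byte) []byte {
	rp, h := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	return append(rp[:], h[:]...)
}
// Assert answers a login challenge after the (simulated) Face ID / Touch ID check; the private key never leaves the device.
func (a Authenticator) Assert(rpID, origin, challenge string) (cd, sig []byte, ok bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, false // no credential for this site, so a lookalike domain gets nothing to relay
	}
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(priv, signedMessage(rpID, cd)), true
}
// Verify is the relying party's check: its own challenge, its own origin and rpID, then the signature.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, cd, sig []byte) bool {
	if c := new(clientData); json.Unmarshal(cd, c) != nil || c.Challenge != challenge || c.Origin != origin {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rpID, cd), sig)
}
func main() { // stand-alone demo: a genuine login to the real origin prints true
	a := Authenticator{}
	pub := a.Register("paypal.com")
	cd, sig, _ := a.Assert("paypal.com", "https://www.paypal.com", "challenge-1")
	fmt.Println(Verify(pub, "paypal.com", "https://www.paypal.com", "challenge-1", cd, sig))
}
```

An assertion signed while the browser reports a different origin, or replayed with an old challenge, fails verification even though the signature itself is valid.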

In theory, passkeys are much simpler

When we set up an account, there should be an option to use a passkey, and all we have to do is agree. Our device authenticates us and the service creates our account. The next time we log in, we only need Face ID or Touch ID.

But there are four major problems

If you only use Apple devices and use Safari as your web browser on all of them, passkeys come close to being that simple. iCloud syncing means that a passkey created on one Apple device is accessible on all the others.

But as Ars Technica points out, there are a lot of ways in which the reality is very different from what was promised. The first is an inconsistent user experience.

The experience of logging into PayPal with a passkey on Windows is different from logging into the same website on iOS, or even from using Edge on Android. Forget trying to use a passkey to log in to PayPal on Firefox: the payment site doesn’t support that browser on any operating system.

To make matters worse, the passkey is tied to a specific browser.

Another example: when I created a passkey for my LinkedIn account on Firefox. Since I use a variety of browsers on that platform, I chose to sync the passkeys with the 1Password password manager. In theory, this option lets me use the passkey automatically anywhere I can access my 1Password account, which isn’t otherwise possible. But it’s not that simple. When I look at the passkey in my LinkedIn settings, it appears to have been created for Firefox on Mac OS X 10, even though it works on all the browsers and operating systems I use.

The third problem is that companies like Google and Apple may force you to use their own passkey management systems, even if you have a different preference, and sometimes even when you have already set up a passkey.

I just want to use the passkey that 1Password syncs to all my devices to open LinkedIn. Somehow, the mysterious entity responsible for this message (in this case, Google) hijacked the process in an attempt to convince me to use its platform.

Also consider the experience at WebAuthn.io, a site that demonstrates how the standard works in different scenarios. When a user on macOS wants to register a physical security key for logging in, they get a dialog box directing them to use a passkey synced through iCloud instead.

Finally, there is the fact that while the whole purpose of passkeys is to eliminate the security holes created by passwords, almost every service still forces you to create a password login as well.

As far as I know, of the hundreds of sites that support passkeys, none allow users to give up their passwords entirely. A password is still required […] Threat actors will exploit this weakness to devise hacking and social engineering attacks. Then we are back to where we were before.

The full piece is well worth reading.

Photo: Unsplash

2024-12-31 13:47:18