You can’t phish users with passkeys.
While true, session hijacking is the already prolific vulnerability left wide open that passkeys actually make harder to deal with.
Instead of a scammer getting grandma to read her SMS TOTP on the phone (easier than Sim swapping, but only barely), she gets a call to go to a URL and enter her passkey manager PIN to OK sessions across everything she has passkeys for. Most already open in 800 open browser tabs.
And when her passkey is compromised, how quickly will Google customer service act to get her a new one? A few days? Longer?
What problem is actually solved here? Passkeys are about saving money for the companies on password reset server time.
Passkeys are about saving money for the companies on password reset server time.
Lol, no. They don’t care about the extra 0.001% expense. Passkeys are mainly to protect the average user from their own stupidity. Grandma is far more likely to use the same shit password across many sites. Most average users are.
Yeah this guy is grossly overestimating the intelligence of businesses when it comes to software. I’ve seen a major company spending 20000+ a month on aws for servers they never used. And that was just for a single site, I can only imagine what’s going on in other branches of the company.
The goal is basically to prevent end users from using weak passwords and to make it much harder for phishing to occur, both of which IMO are kind of necessary. The vendor lock-in and the slow development of FOSS implementations are not great though. It’s also not great how passkey support on at least Android seems to require proprietary blobs.
Bitwarden / Vaultwarden are OSS and work fantastic across all my devices. IMO it’s more convenient than passwords now, ESPECIALLY if you’d have to enter a 2fa code as well.
IIRC it took them a little while to add support, but I was more thinking of stuff like KeePass. KeePassXC has passkey support, but AFAIK none of the Android apps do yet (although it sounds like KeePassDX is getting close, finally). Also, when I was using Bitwarden, I had issues with some services not liking its passkey implementation (despite being fine with Proton Pass for whatever reason). May be fixed now, but it was incredibly annoying at the time.
Hm, yes, that sounds annoying indeed. Maybe I just have not encountered such an app/site yet, but louckily, the bitwarden integration has been working flawlessly for me.
Honestly that’s been my take on the whole thing. And now my bank app forces Google’s manager instead of my preferred password manager.