> If Google/Amazon/Apple/Meta/whoever locks your account out, you now lose access everywhere.
Fortunately, both iOS and Android also support "detachable passkeys" a.k.a. Yubikey and co. ("roaming authenticators" in WebAuthn/FIDO parlance).
Unfortunately, only Android is planning to offer [1] a first-party Passkey provider API, because that's what I'll probably be using 99% of the time (finding my external authenticator for every login is frustrating).
> Also, Passkey providers now get sweet sweet metadata about your accounts around the web.
To my knowledge, both Google's (for Android) and Apple's sync backends are end-to-end encrypted. I'm not sure if that includes the metadata as well as the private keys, though.
> Fortunately, both iOS and Android also support "detachable passkeys" a.k.a. Yubikey and co
That’s good to know.
Although my concern would be, that’s really good for people who use YubiKeys, but regular people won’t, and they can then get bitten by account lockouts.
Is there something regular users can do to use Passkeys (let’s say they use Google) and have some recourse if Google locks them out?
Also, what happens if they use Android, have no other computing device (this is fairly common in some parts of the world), and their phone gets stolen?
Right now, the identity of an account is tied to knowledge of the email address and the password. Something you know.
If you forget the password, you need access to the email account.
With passkeys, the identity of the account is tied to either a BIGTECH account, or to physical devices.
If BIGTECH locks you out or you lose access to all your physical Yubikeys at the same time, you will never access the account tied to the passkeys again.
Agreed. This whole thing seems incredibly user hostile. At the very least, there should be severe legal recourse (criminal liability and also large, material-to-earnings statutory damages) if one of these providers intentionally locks you out of a third-party account.
That third party account should be treated like your personal property, and them denying you access to it should be treated like their CEO breaking into your house and stealing your stuff.
If they don't want to take on the liability, and it kills the passkey spec, that's fine with me. The current system avoids the issue by allowing people to store credentials in a decentralized way.
Lol. If something does happen Google will immediately and repeatedly remind you with every communication that they have no liability. Once your account gets flagged or locked, Google adds the following to damn near every email:
“We have concluded the review of the information you’ve submitted. To prevent possible fraud and abuse, your services will remain suspended. It is our policy to not discuss the specific reasons for these suspensions.
Note that in the Google <PRODUCT> Terms of Service, we reserve the right to change, suspend, or discontinue any aspect of our services at any time, including availability of a service or any feature, without notice and without liability. We also reserve the right to impose limits on certain Service features or restrict access to some or all of the Services without notice and without liability.”
Giving your passwords to a company that cares about money more than you is risky. But losing devices with passkeys is a big problem too. Even if passkeys are saved to your Google, Apple, or Microsoft account, if that account itself is behind a passkey, how do you access it if your phone holding the key breaks? If a disaster or fire happens, all your devices could be gone.
Passwords are good because you remember them in your head, so long as the head works, so do the passwords. This might be an obvious statement, but it's clear passkey providers kind of glance over it.
I don’t know about privacy, but the lockout risk doesn’t seem worse than losing your phone or Yubikey. You should have multiple independent ways to log in for any account you care about. Passkey will be one way.
Possibly two ways, if you have both Android and iOS devices and you register both? (I assume Android and iOS remain independent.)
What if one loses all their devices in a natural disaster, a house fire, or burglary, or lost baggage while traveling?
A password is in your head. If you lose that, there's not much use for said password. But otherwise, it's secure. And it's pretty secure from an infosec perspective if it's a passphrase.
I think it's more likely that you'll lose your password by forgetting it? People forget many things without losing their heads.
There's no perfect solution. Having a printout of backup codes in a fireproof safe is pretty good, but it's of no use while traveling. A Yubikey is good, but it might not work (wrong USB port) and it's a device that could break.
Having multiple ways to log in reduces your risk of lockout, but also makes it more likely that someone unauthorized could get access.
Passwords, particularly passphrases, are easy to remember and you can reuse a similar structure for probably decades:
- There-are-three-ducklings3-in-the-lake
- There-are-five-swans5-in-the-lake
- There-are-six-hedgehogs6-in-the-bush
And so on. You only need to remember the latest number and animal, but the entropy of the whole string is much higher unless someone also knows your personal password structure (which is kind of like a second factor).
With a password manager, you only need to remember that one passphrase. If you have to enter it daily, I think it’s very difficult to forget.
You can access your passwords mostly independently from any device and it’s probably about as secure if good generated password hygiene on websites and services is used.
You are right, choosing the right one (reading its whitepaper and what encryption it uses where), and backups are very important for those. I suppose logging into all of the services we use these days is complicated and not very secure no matter the method.
So if passkey is just yet another way to log in, then all the security aspects are moot, no? The attacker could still attack the other login methods. E.g., even if the passkey is a secure surface, it does not replace the insecure attack surfaces.
If Google/Amazon/Apple/Meta/whoever locks your account out, you now lose access everywhere.
This isn’t a theoretical risk. You’ll see lots of people complain about this online.
Also, Passkey providers now get sweet sweet metadata about your accounts around the web.
But yeah, authn is hard to do right. Equally, asking your users to fall into $BIG_PROVIDER’s arms seems wrong.
My personal hope is that various accountable nonprofits will begin to offer passkeys.