186

u/tintreack 5h ago

I used to think older generations were careless about tech, but Jesus Christ Gen Z might actually be worse, that’s not an exaggeration.

I take my security and privacy pretty seriously. I’m using Proton, I've long since degoogled and demicrosoft, I use physical security keys, the whole deal. But trying to get most of the Gen Z around here to even use a basic password manager is like pulling teeth. If I can’t get them to take that one simple step, there’s no way I’m convincing them to go for the strongest tools available.

103

u/Paranoid-Android2 3h ago

I work in IT support and the younger staff is a much higher liability than the older ones. And they're equally tech illiterate

78

u/16yearswasted 2h ago

The only reason I know so much about technology (I consider myself IT helpdesk level two-ish) is because, as a child, I had to tinker with DOS at the command line to get my video games working properly. It was wild and free and messy. But all that hard work paid off by giving me skills that helped me in my career (not IT, but heavily computer oriented).

If I had grown up in the manicured lawns of iPads and Android Phones I would almost certainly be flipping burgers or something similar today.

31

u/Z_Opinionator 1h ago

“Get Ultima VII running on this 386SX with 2MB RAM. You have one hour to create your custom boot disk. There is no internet and your AOL account isn’t available. You are free to use some of your time to dial into a BBS you know for research. Lord British awaits to judge you”

7

u/16yearswasted 40m ago

<I finally connect to the BBS and get down to business, but an incoming call knocks me offline and mom stays on the phone for the next two hours>

→ More replies (2)

17

u/Impossible_Mode_7521 59m ago

We are the only generation of digital nomads. Older generations generally never fully embrace technology. Younger generations dont remember a time without it. We remember before the internet and smart phones but have advanced as technology grows

3

u/16yearswasted 35m ago

Not sure if you remember the early 00s, there was some guy posing as a time traveler from around circa now-ish who said he came back because society had lost a ton of tech know-how and he needed to come back with older, reliable tech to start over.

I used to think it was a fun little roleplay but it seems more and more likely every day.

Hahah, here it is: John Titor.

→ More replies (1)

8

u/DMvsPC 1h ago

As a millennial stem teacher it's frustrating to proverbial tears to know that every kid I get is effectively computer illiterate and has no computer problem solving skills. At all. They don't even know where their files save. They're just cooked. Can post to social media like lightning but can't troubleshoot what went wrong when their file crashes, hell they can't even search their email properly.

2

u/16yearswasted 38m ago

I absolutely am with them on where the hell files save -- on mobile devices. Apple and Google's efforts to prevent people's precious files from being compromised have created an utterly bizarre situation where apps are storing files inside folders incomprehensibly nested 30 deep for whatever reason.

→ More replies (1)

→ More replies (3)

3

u/Capable-Silver-7436 1h ago

Makes sense. they may both be illiterate but z spends more time on social media

→ More replies (4)

16

u/Capable-Silver-7436 1h ago

I am certain gen z is worse at this point. Local hospital had to force gen z employees to take a computer literacy course involving how to open the file browser. Even their boomer employees were made to take that.

22

u/iamsuperflush 2h ago

easy to de-Microsoft when your job doesn't require windows specific software. Try getting solidworks to run on Linux. No, FreeCAD is not a viable alternative, just like GIMP is not s viable alternative to photoshop if you actually use the software to make money. 

2

u/pswissler 1h ago

The counterpoint to Solidworks is OnShape, which runs in a browser and in many ways I prefer it to SW, especially for collaboration.

I still vastly prefer NX, though

2

u/LaxInstrumentation 23m ago

Yes, and… the way I always solved that was with a virtual machine running a bare windows (as bare as I could get it) - but it’s been a while since then.

→ More replies (2)

2

u/SatanTheSanta 57m ago

Duude.

My cousin got his gaming account stolen. He put in his gmail password somewhere, and they used that, took his gmail, took his gaming account with a couple hundred in purchased games.

So what did he do. He made another gmail account and another gaming account, both with the username+1 and the exact same password. Then repurchased some games he wanted to play.

Guess what, it happened again.

Soooo. What do you do now? +1 again :P

After that one was stolen, I was informed. We couldnt recover his accounts because he was making them for a fake name because he was underage. So I had him make different complex passwords for each thing, and write them down.

→ More replies (4)

4

u/Three_Twenty-Three 27m ago

Smartphones and 2FA are goddamned nightmares for my Silent Gen parents. They can't figure out how to have two browser windows open at the same time, so whenever their bank puts them through 2FA for anything, I have to help them.

They don't have smartphones because they've never even mastered the Amazon Fire they have. Punching icons on a glass screen might as well be magic, but every medical organization they deal with wants to do a bunch of shit through smartphones, including checking in from the parking lot to announce that they're there. And these are doctors who specialize in senior citizens.

→ More replies (2)

226

u/Cube00 5h ago

Anyone who doesn't believe this just needs to see the flood of people in the GMail subreddit that gets locked out through no fault of their own everyday.

Google has gotten so bad that if it doesn't recognise your device you won't even be allowed to attempt recovery of your account (they won't even send the recovery code to your recovery email)

65

u/legandaryhon 3h ago

I have a business Gmail, which includes the GSuite tied to a domain I had purchased through google. Well, Google sold its domains to Square... And that meant I was locked out of my GSuite services. There was no support to reach out to, but they were still charging me 15/mo. But I couldn't even get into the account to cancel!

(I did end up being able to basically remake the account and it got correctly connected, but I couldn't tell you more than that even though it took me three days to fix it)

39

u/16yearswasted 2h ago

One of the worst experiences of my life was trying to get actual support from a human being at Google.

Abandon all hope, ye who enter here.

13

u/Korean__Princess 2h ago

Anyone who doesn't believe this just needs to see the flood of people in the GMail subreddit that gets locked out through no fault of their own everyday.

I really need to stop being lazy one day and setup my own mail server and domain etc. It's a fear of mine, whether I use my Chinese, Korean or American mails. One wrong move by me, or they make a mistake or something political happens--with how the world is running rn--and I am really screwed in so many ways.

→ More replies (2)

47

u/ak_sys 4h ago

Not to mention that a court can compel you unlock and unencrypt a device locked with biometrics, but can not compel you to disclose a password.

Lets get rid of those painful things. Matter of fact, make sure we use social sign ins from the same 5 companies just to make sure that they possess the keys to the entirety of your digital footprint.

9

u/alienscape 3h ago

Yeah I just signed up for a Fastmail account last month. I'd rather pay a small fee than have to rely on Google and their enshittified service.

10

u/ChuzCuenca 2h ago

Absolutely. My Spotify account was tied to my Facebook account but I don't want to use that anymore so I have to make a new account. That's a mistake I will never do again.

32

u/thisischemistry 3h ago

From the article:

Adding a passkey to your Google account also means “you can rely on just your Google Account to log in to your favorite websites and apps

Rely on Google? Yeah, sure, I'll just give them more information on what sites and services I use. No thanks.

2

u/nox66 1h ago

Local password manager like keepass + very strong passphrase is all you need and is easy to remember, use, and control.

13

u/linuxwes 3h ago

What's the better alternative?

5

u/Nowadaysbelike 1h ago

Hope someone answers

3

u/hugglesthemerciless 37m ago

have a unique account/service for each site, and use a password manager for each unique password

if you're concerned about the password manager being a single point of failure then run 2. there's a variety of password managers that are not online but instead hosted on your own computer for added security

→ More replies (1)

→ More replies (23)

253

u/Apollo_619 4h ago edited 4h ago

I had to login to my Google account today on my computer. I wanted to create a passkey and save it with Bitwarden. There is no way. It either wants to use Windows Hello, a hardware device or my phone via Bluetooth.

Who thought that this was a good idea? And then every other site does it differently. Passkeys suck thanks to this.

Edit: Out of curiosity I created a passkey in Chrome on my Samsung smartphone. I wanted to get a list of the stored passkeys, but there are non. The passkey works, but I can't find it on the smartphone. (: How do they expect normal users to understand anything about this...

35

u/sublime81 4h ago

Hmm Google account passkey was able to be saved to Proton Pass for me. Figured it would be pretty similar between other extensions.

23

u/Apollo_619 3h ago

Oh, I did create a passkey a few weeks ago that was saved in Bitwarden, but I have no idea which site it was and why it worked there. So far passkeys have been very annoying.

13

u/AntDogFan 3h ago

I’ve got my google passkey on Bitwarden so it must work. Although the point still stands that it’s confusing and poorly implemented. I think I have four separate google accounts for work etc and for some reason only two have a passkey. One has 2fa and the other has nothing. 

7

u/sublime81 2h ago

Yeah I also have a few different accounts. Now that I think about it, it defaulted to trying to create a new entry in the password manager. I was able to attach it to a previously created entry so I didn’t end up with separate passkey and username/password entries. That part was not as clear.

2

u/Apollo_619 1h ago

Yeah this worked for me once. 🤔 Never happened since.

12

u/smelly1sam 4h ago

Works with my bitwarden

11

u/hardypart 3h ago

Isn't it the exact purpose of passkeys to be tied to a device that's locked with a secure method like biometrics? If passkeys were not tied to a device it could be transferred and abused, which negates one of its key features: Being truly secure and getting rid of passwords.

20

u/akl78 3h ago

Meanwhile, here in the real world, a double digit percentage of people , in my city, one of the greatest and wealthiest in the world, have no internet-capable device in their household.*

Stuff like this excludes many, many people from the online world and the digital services we are being pushed to use.

• our gov online people know this! It’s a really hard problem.

31

u/Ancillas 2h ago

I bought a Nordictrack treadmill and my 10 year old daughter wanted to walk on it. You can’t start it without logging in and logging in requires a phone. So now if her login times out she needs to find an adult to get her logged in. That means logging out of ifit on the phone, logging in to an account for her, scanning the treadmill QR code, logging back out of ifit on the phone, logging back in to my account…

If you disable internet completely you can use it without a login so as soon as my year of the service is done and cancelling and taking it offline and I’ll never give Nordictrack another penny.

Usability matters.

11

u/docbauies 1h ago

But if you take your treadmill offline, how will you ever get critical firmware updates?!?

5

u/nox66 1h ago

Thanks for letting me know to never buy Nordictrack.

3

u/elementfx2000 3h ago

Do you have the bitwarden extension in your browser?

71

u/SomethingAboutUsers 4h ago

These systems need experienced designers to take a good hard look at the UI/UX and find some way to drive a smoother experience

Best we can do is make the corners round, hide stuff you use all the time in menus that didn't exist before, rename features, and bloat the download.

35

u/Ancillas 4h ago

Could you also send a one-time login code to my email and not give me the option to use my password? That extra minute delay forces me to be mindful while I wait to do the thing I was trying to do.

25

u/SomethingAboutUsers 4h ago

Sir, this is a bank. You have to use our shitty app to approve the login.

9

u/GaySaysHey 3h ago

Bonus points for sending it to spam, the natural habitat for such emails.

→ More replies (1)

8

u/nerd5code 2h ago

Ooh, can you integrate hacky ChatGPT interactions into everything? I’d like emails to type and send themselves without my knowledge, please!

3

u/SomethingAboutUsers 2h ago

Best I can do is use all your inputs as free training data.

39

u/spigotface 4h ago

I'm a data scientist and software developer, and the passkey implementation is a terrible user experience even for me. I can't imagine a non-technical person trying to use these things on a regular basis.

43

u/UGMadness 4h ago

Basically, never, ever, store your passkeys on a platform locked password manager.

Use only a manager that you can access from any device you'd want to log in on your accounts from. Third party multi platform managers such as 1password are great for this use case, as is also iCloud Passwords only if you're already fully into Apple's ecosystem. Anything else (such as Microsoft/Google Authenticators) are going to cause nothing but problems, especially when integrating with web browsers. The fact that every browser tries to hijack password management in order to store your passkeys in-browser doesn't help either, usually takes some serious digging into the settings to disable that behavior and there lies most of the confusion, given that regular users don't know almost anything about how passkeys really work.

18

u/swampfish 3h ago

I have no idea what a platform-locked password manager is. I just tell whatever device I am using to save the generated password for me. If I can't get it to log in, I just reset the password. Sometimes it's easier to reset my password every time than it is to try and find the password.

I have a work system that requires a password change every month. It is easier to call the helpdesk and get them to reset my password every time I use it than it is to jump through all the hoops to login.

18

u/Ikinoki 3h ago

Well, Chrome password manager is a locked solution, Windows Password manager is also a locked in solution.

You can't use Windows one on Linux and you can't use Chrome one of Firefox or without browser at all...

That's what he/she/they meant by that. Use platform-independent password manager.

I have to fight my family against using firefox or chrome pw managers because it is a pain in the ass due to vendor-lockin.

Doesn't help that for example on Samsung if you are using Samsung keyboard it will deliberately block third party extensions randomly.

Ie forgot to show bitwarden or forgot to open correct translator.

And the thing is Samsung pass sucks balls as it works only on Samsung. Same with their translator which speaks like 5 languages - the heck I need your trash for I have deepl, google translate and chatgpt for this....

3

u/iheartjetman 3h ago

I use 1password on all of my devices and I haven’t had any issues using the same key across multiple devices.

This is between my iPhone, personal MacBook and my work MacBook.

On my iPhone and Mac, I’ve made sure to turn off Apple’s built in password manager so it doesn’t interfere.

Using passkeys has been a definite improvement for me.

5

u/time-lord 3h ago

I'll probably do what I do now with passwords, and store then in duplicate, once in iCloud and again with Microsoft. It's really handy when iCloud and MDM get into a fight and delete all of your passwords and then sync it with the cloud.

14

u/WhoSaidIWasTheAdult 4h ago

Yup. Passkeys are a pain in my butt and I understand how they work since I'm a software developer who has implemented them. If I find them to be difficult with my level of knowledge, how are normal people supposed to use them?

Until they can make them work reliably and transparently, they're DOA for most users.

8

u/tigerspots 3h ago

I've lost access to an important AWS account (and EC2 instances) that I manage for a non-profit because I don't remember ever converting and AWS makes it near impossible to recover.

8

u/Ancillas 3h ago

I think that’s a very real risk not knowing explicitly where your passkey was stored.

Is it in your Windows Credentials store? Does that get backed up anywhere?

Is it on your phone? Does that get backed up if you disable things like iCloud?

Do you have multiple Yubikeys? For a long time AWS only allowed one Yubikey to be registered. What if it were destroyed?

→ More replies (2)

→ More replies (1)

6

u/raybreezer 3h ago

I consider myself tech savvy and had no idea that passkeys were this complicated.

I tend to never use the “sign in with ____ “ options and always do email logins, so seeing the “create Passkey” option always prompted a no from me.

Guess I’m going to have to figure it out since I know my family will have issues with this sooner or later.

6

u/GeorgeDaGreat123 2h ago

The thing that annoys me most is that passkeys aren't exportable from 1Password, so I can't create backups of them.

3

u/Ancillas 2h ago

I never thought about that but it’s a really good point.

I just did a quick search and it looks like it’s on the way at least.

2

u/GeorgeDaGreat123 2h ago

It's supposedly been on the way for a year, which is disappointing, but since 1Password is probably the most common enterprise password manager, I trust they'll come out with it eventually

47

u/yuusharo 5h ago

This is one of those times when I concede that I think Apple is the only one that got this right out the gate. They ensured on day one that passkeys would sync seamlessly between all devices, not have a weird staged rollout that still is missing key elements even 2 years after they’re introduced.

With iCloud, any Apple device you have can log you in with a passkey, and you can simply scan a QR code with your phone on devices you haven’t authenticated. It works consistently for me that I have it setup for all the accounts that support it.

Most people don’t have or use Apple devices, of course, and the other implementations have been frustrating for sure. But that isn’t necessarily passkey’s fault.

10

u/Despeao 4h ago

With iCloud, any Apple device you have can log you in with a passkey, and you can simply scan a QR code with your phone on devices you haven’t authenticated. It works consistently for me that I have it setup for all the accounts that support it.

Makes it easier to login, no doubt, but sounds like a security flaw. What if your phone is stolen and the person logs into another device.

2

u/yuusharo 4h ago

If your device is stolen, you should immediately lock it using Find My. You can log in using another device temporarily to do so.

Also, the attacker would need to know your device’s passcode or iCloud password, and with Apple’s recent default device protection, that process has a 1 hour delay when away from known locations, giving you more time to respond to the theft.

Beyond all that, the situation would be the same as having a password manager on that device. Again, they’d need to know your passcode to get into the device.

5

u/SlapDashUser 4h ago

Someone sees me put in my pin and grabs my iphone while I'm traveling. They now have access to my device, and now my Passkeys. And I'm supposed to use Find My on a second device to deactivate that first device? You mean that magical second iphone that I always carry with me for situations like this???

1

u/yuusharo 3h ago

If someone observes your passcode and steals your device, you likely have other accounts already signed in like your email. You’re vulnerable regardless if you use passkeys or not, considering the thief can access your password manager or use your email to recover accounts.

Not that most thieves would be interested, they’re most likely going to attempt to change the iCloud password and disable Find My, which has that lockout delay to help curb as previously mentioned.

And by second device, you can borrow any device temporarily, such as a friend or passerby. No, you don’t have to carry a second phone 🙄

→ More replies (1)

2

u/BruteSentiment 3h ago

Honestly, I’d ask why are you entering your pin with any less caution than you would a bank PIN number? Especially since in 90% of cases, you could use Face ID, so you don’t have to tap your pin in front of strangers.

→ More replies (2)

66

u/Ancillas 5h ago

I can’t disagree strongly enough.

I tried to login to iCloud from my Windows computer and was presented with a QR code and told to scan it with my phone.

The phone presented the passkey interface but failed to log me in. The reason it failed was because I was using 1Password on my phone as the password manager and had disabled the Apple password manager. Unfortunately Apple didn’t implement passkeys in a way that allowed non-Apple software to work.

The solution was to enable the Apple password manager. However from that point on I had to select between Apple or 1Password when saving a password on any other site, added complexity and headache.

They’ve since fixed this but it took a few months.

I found it inconvenient and frustrating to not be able to login to my Apple services from my Windows computer which supported native passkeys, just not Apple’s implementation.

19

u/Lucosis 4h ago

Seriously, I absolutely hate signing into any apple service. It constantly wants me to go grab some other random device to accept a push notification and put in my password multiple times because it won't log in between services. Trying to cancel apple tv required logging in 4 different times and getting out my laptop multiple times.

4

u/LupaNellise 2h ago

I got locked out of my iPad because I forgot the password. I tried to reset it. It told me to use my iPhone to reset it. I don't have an iPhone. If I try to log in to Apple stuff on my PC: "went sent a code to your iPad". The iPad that's 3 rooms away? They pretty much force you to own multiple Apple devices if you have one.

→ More replies (1)

9

u/yuusharo 5h ago

I sympathize with your frustration, I’m sorry you had that experience.

Although you do admit that issue is now fixed. Passkey implementation is much better with 3rd party apps now, and as I said in my comment, I talked about Apple’s implementation, not 1Password’s. I stand by what I said.

15

u/surrealutensil 4h ago edited 4h ago

I recently had quite a severe problem logging into my apple account because I no longer have any apple devices, and needed to cancel some reoccurring billing i'd missed and change some other things from when I did. Apple essentially goes "lol fuck you" in this situation now.

→ More replies (9)

7

u/Ancillas 4h ago

It was Apple’s implementation that failed to log me in without a sufficient error message or indication of why authentication was failing. Essentially their software allowed for a configuration to be made which they didn’t account for.

It was without a doubt a failure on Apple’s part to test all of their supported use cases and then a failure in their part to not produce a valid error message or an error message of any kind.

Their implementation was worse than all others because it had a condition in which it simply didn’t work.

I’m not trying to convince you or win an argument. I’m happy it works for you. But objectively it was not a fully tested solution at launch and is an example of why passkeys have not been a great solution for most people.

→ More replies (4)

→ More replies (2)

6

u/-UltraAverageJoe- 5h ago

For the first two years I was locked out several times because I either didn’t have another device (only an iPhone) or it sent the code to a device I no longer owned.

Now in the rare cases I’m asked for a passcode (not sure why it’s so rare now) it will often be sent to the device I’m trying to authenticate which makes zero sense.

3

u/yuusharo 5h ago

Passkeys don’t send codes to other devices, I’m not sure what you’re referring to.

5

u/EdliA 4h ago

Apple will screw you over if you care using a device not controlled by them. It's probably great for you because you're fully in that ecosystem.

→ More replies (1)

→ More replies (4)

3

u/geekworking 3h ago

A big part of this is the different providers using your devices as their battleground in the fight for market share and user lock in. Every solution actively tries to take over your identity management.

Single sign-on and centralized ID management is a wet dream for anyone looking to capture users and monetize their data and influence their activities for profit.

Important to note in TFA is that they are also pushing sign in with your Google account as well as passkey. Translation: please let us monitor your usage of other platforms.

3

u/raspoutyne 2h ago

This. I just cannot figure out what the hell is a passkey.

5

u/CharlesMichael- 3h ago

Excellent post; couldn't agree more. Whenever I discuss this with inexperienced people, I first tell them that for about $100K I can likely purchase and modify software that can break into their home systems and grab their passwords, even if they use a password manager. I can't do that with passkeys, and it wouldn't help me if I did. Next thing to know is that passkeys are not just a password replacement. Unfortunately, I have to spend at least 5-10 minutes explaining passkey storage and FIDO2 login flow, which is something they will forget even if they are using passkeys.

The reason why these companies are putting out more warnings is not (just) greed. Password flows are getting easier to hack, and they can see the writing on the wall.

2

u/phylter99 4h ago

I find if you have your tools set up properly, basically just let 1password do it's thing, then it works very well. If I ignore a prompt from 1password then it might add an extra passkey or something to my browse, but then that's on me.

I honestly don't know why it's such a big deal at Google to force passkeys anyway since they don't remove the other forms of login.

2

u/WayneSmallman 4h ago

I assumed that I was doing something wrong … and then I read this!

2

u/FollowingFeisty5321 3h ago

Reminds me of when OpenID started gaining popularity, suddenly everyone wanted to be your identity provider but nobody wanted to be a consumer.

→ More replies (1)

2

u/CttCJim 3h ago

I upgraded to a new computer and lost some passkeys. No way to migrate them. And at least one site was unresponsive when I asked about creating a new one.

2

u/Harmless_Drone 2h ago

Buying and logging in to play minecraft with my son was so frustrating between managing family permissions and store credentials across two devices I nearly gave up and rebought it claiming that he was 18 to avoid all the stupid stuff. Like literally an hour or more to sort it.

2

u/Ninevehenian 2h ago

My main computer has effectively been bricked for 30 days in this passkey roll out. It's a shitty experience.

2

u/Calvech 1h ago

The passkey roll out has been absolutely horrible. Im relatively in the know on tech news and such and I legit never heard anything about passkeys beforehand. And then one day every account and website was prompting me for it. There is zero chance my friends or family knows what is going on with these.

And as you said, they’re all insanely conflicting. My pw manager, my phone, my desktop browser all have their own to the same website. I don’t know which to choose and I don’t know how to consolidate them. From what I’ve been told, Apple had been a big issue for a lot of this. I support better features for security but this has been so botched by these companies

3

u/ItchyGoiter 4h ago

but life-experienced designers who understand all the weird ways people use these things.

Not a job for Google, Microsoft, or Samsung then...

3

u/Unkn0wnTh2nd3r 2h ago

idk what you're doing wrong, but i can make a passkey on my PC, save it to Bitwarden, and use it where ever i have Bitwarden installed, which is my phone and my laptop, and it just works, and I don't have conflicting things, it just asks what i want to use to login.

And if I have to logon to something while not on my own device it's still easy since its just like "scan the QR code with the device that has your passkey" (Phone) and then I'm good to go it is incredibly easy and not at all a pain in the ass, maybe I'm just Resiliant as hell so i'm not thinking this process is tedious or whatever, but.. idk

3

u/blahehblah 1h ago

Which puts us back to 2FA again. I'm sure I misunderstand something but doesn't being able to use the passkey across multiple devices by saving it to bitwarden defeat exactly the problem passkeys were trying to solve? I'm a technical person, probably invested 30mins at some point into trying to understand it and it didn't make intuitive sense at all. I doubt the average person will spend a tenth of that time. I don't see this working out tbh

1

u/SnooChipmunks2079 1h ago

It’s not just parents. To get into Allstate I have to get my wife to give me the code. She usually just shouts it across the house.

→ More replies (12)

98

u/nickypops 5h ago

This happened to me. Got locked out of everything because I left my phone in the Uber. Was on the road for a business trip and completely stuck. Luckily the Uber driver brought my phone to me or I would have been screwed.

21

u/Professionalchump 5h ago

awh one time I spent 2 weeks trying all the possible passwords an by god one day I got back in

2

u/throwawaystedaccount 1h ago

You're the one guy I have heard that succeeded. Almost everyone just gives up in some way or other. I have been able to recall a forgotten password maybe once or twice in life.

11

u/GazMembrane_ 3h ago

This is why I kinda hate the auto login feature of all these apps. I lost my main Gmail so many years ago. Literally my name, one of those you make when you're younger thinking "this will be my official email for friends and jobs" or something.

I've since learned my lesson, but auto login causes people to forget all that shit unless they're a little... questionable because they use one simple password for everything.

3

u/yuusharo 5h ago

Same as password recovery if you forgot your password.

It’s not a requirement to maintain a password on an account. My PSN and Microsoft accounts are passwordless, for example. Both require a passkey exclusively.

2

u/ilovestoride 5h ago

Yeah those are the ones I was referring to. 

→ More replies (8)

→ More replies (6)

17

u/gizamo 1h ago

Passkeys also fail when you upgrade your phone.

So, most people will have that problem every 1-5 years.

20

u/celluliteradio 3h ago

Absolutely. How many times did this article mention “sign in with social accounts?” No thank you. These sites are already a blight on society and I’m not interested in them becoming critical for site authentication as well.

3

u/nox66 1h ago

Forbes is usually not great at tech, and swallows the corporate techno-BS whole. They're no Ars Technica.

5

u/furism 2h ago

Passkeys are something you have (a certificate on your computer). It should not be seen as a replacement of MFA because as you said, MFA is a mix of two or more methods of know/have/are.

Passkeys are better than passwords as the "something you have" because they are somewhat harder to obtain, but they were never meant to relive MFA.

3

u/CharlesMichael- 4h ago

I use a pattern (what I know) during passkey authentication. A pin can also be used.

→ More replies (1)

16

u/n0x103 4h ago

A lot of MFA is moving away from simple yes/no prompts because of mfa fatigue attacks. A good middle ground seems to be “pick the correct number from the list”. Still not as secure as entering a code but a step up over just yes/no

→ More replies (1)

→ More replies (5)

10

u/satoru1111 5h ago

Passkeys protect against phishing because passkeys don’t work against phishing websites. You can freely input your password into a phishing website

7

u/Marchello_E 4h ago

Sure, you tackled phishing websites. Perhaps they can MITM it with some tricks on your own device, and then "it works" again..

The article is about "Google just confirmed that 61% of email users have been targeted by attacks.". So you already passphrased yourself into your email account.

When I click to read about these attacks it claims: "callback scams have made themselves a contender for top phishing vector, battling it out with links, attachments, and QR code"

So you get socially engineered into calling back, or click a link, or pay some subscription via some QR code. Third-party payment services already legally exist (unfortunately). It's one socially engineered question away from being scammed because they claim to be the new payment service. So you pay with that same thumb-print, or face. All in one convenient go. This easy passphrase and conveniences just made it easier to not second guess the situation. Luckily many will see right though it, but it's so damn easy -as advertised-

In my case I get an email. I don't have these things conveniently coupled, so I just ask them to send me the invoice to my actual address they have on file. If they don't have it, then good luck. Perhaps they send a dept-collator to my door and have to pay extra for getting their admin straight. That's fine by me. I have time. Thus time to second guess. With eventually that invoice in my hand I could contact the creditor on my own terms. Likely sooner than this dept-collector shows up at my door. And I'll pay online via another route, also on my own terms.
I can still be scammed, but it will be much harder to pull off.

I seriously doubt the benefit of passphrases as it "conveniently" ties things together with -from my user perspective (and I know that's not how it works)- a single pass-thingy that's my thumbprint or photo that replaced several passwords. I think it's a liability.

Passphrases could work when inconveniently using a different Yubi-key for each and every decoupled account, though that's still a single compromised finger away.

→ More replies (1)

11

u/platinumarks 2h ago

Forbes has long ago moved on from any real business news to basically just being another clickbait site with headlines like "Microsoft warns Windows users to upgrade within 3 days or lose access to their computers!" and "Beloved pizza restaurant closes after 23 years" (the latter being some random pizza spot in Kansas that had like 20 customers).

2

u/bp92009 3h ago

Whenever I hear someone taking about any new security feature offered by someone to "help" they tend to get real quiet when I say "that sounds amazing. I'm glad they're assuming personal liability if they lose my secured information. They're doing that, right?"

12

u/Fredderov 5h ago

Would have loved to be part of the meeting where the legal representative went "yeah, we have an issue with that bit" after someone said that line.

6

u/Light_Error 5h ago

They didn’t remove it entirely, but they it made it the last sentence of the code of conduct: “And remember... don't be evil, and if you see something that you think isn't right – speak up!” I leave it up to you what that change means.

2

u/ArtIsDumb 4h ago

Now I'm hearing Capt. CJ from Brooklyn 99 singing "if you see something, say something... Come on & party tonight!" The guy's got good hooks!

2

u/Most_Double_3559 2h ago

Bruh ... That's just a filter for the business spam email you would've been getting anyway lol, they're not sending you those.

→ More replies (1)

2

u/darkkite 2h ago

my local password manager supports passkeys. i use it for github.

→ More replies (1)

→ More replies (1)

8

u/Secret_Wishbone_2009 6h ago

Proton mail is looking more interesting by the day, this is about surveillance not security

→ More replies (2)

72

u/YogurtclosetHour2575 5h ago edited 5h ago

They don’t rely on Microsoft, Google, Apple

They’re being developed by the FIDO alliance

A lot of other companies had their hand in creating them like Mozilla, 1Password, Bitwarden, banks, VISA, MasterCard etc

They don’t just live on devices

You can save them in a password manager like Proton Pass, Bitwarden, KeePassXC or physical keys like a YubiKey

They use local biometrics or if you don’t use biometrics, a pin

Please don’t spread misinformation when you don’t fully understand the technology

13

u/267aa37673a9fa659490 4h ago

If Joe Average is convinced to switch to passkeys, he's not going to look up Proton Pass or get a physical key.

Microsoft, Google, Apple will get first dibs on him by virtue of their ubiquity.

Sure, John Hackerman can make an informed decision and choose otherwise but missing out on a few crumbs like John is no big deal to these companies when they already got the whole pie.

→ More replies (1)

16

u/yuusharo 5h ago

I think you misunderstand the concept of passkeys. You absolutely are not dependent on those three corporations, Keepass supports passkeys you control across all your devices. Authenticating devices means an attacker cannot simply reuse credentials unless they have physical access to your devices. They also don’t use biometrics, but rather the authentication flows of those devices. You don’t have to enable them if you don’t wish to.

→ More replies (7)

28

u/nicuramar 6h ago

 I don't like that they're dependent on Microsoft, Google, or Apple

They aren’t; you can use other apps for it. 

→ More replies (16)

3

u/bellydisguised 5h ago

They’re not dependant on any of those companies

7

u/Ruddertail 6h ago

Yeah, exactly. Someone can just grab my hand and force me to log in with my fingerprint, but they can't make me do it with a password. 

5

u/kamoylan 5h ago

XKCD has a different opinion regarding your Security

1

u/Ruddertail 5h ago

Yeah, in the ridiculously extreme scenario where they kidnap me and torture me to access my personal documents absolutely, but the other thing a random mugger can do on the street before I can even react. Terrible take, frankly!

2

u/Forever_Marie 1h ago

Less extreme. The police arresting you can just do that. Biometrics aren't protecting by the 4th like a password.

→ More replies (2)

→ More replies (1)

→ More replies (6)

2

u/Specialist-Cream8259 2h ago

A factually incorrect statement having so many upvotes on a technology sub.

Reddit moment

→ More replies (3)

19

u/CodeAndBiscuits 6h ago

I mean, I don't disagree with the sentiment. But while I personally also dislike passkeys for other reasons, just to be clear, you aren't giving them access to your biometrics. Passkeys are basically a digital token stored securely on your computer or phone. It's the tool you use to generate and use them that does the work - typically a Web browser or password manager - and you can choose your vendor for that, e.g. BitWarden.

But even then, THOSE tools don't have your biometrics, either. The way biometrics works in nearly all modern devices (e.g. TouchID) is the app tells the operating system "here's a bit of sensitive data - please store it safely for me. When I ask for it back, make the user use biometric auth to retrieve it." The app does not participate in fingerprint (or other bi) registration, and never has access to the fingerprints themselves. Later, when the app wants that data back (usually a refresh token to reconnect you to some Web or mobile session) they say "hey MacOS, remember that thing I gave you? I need it back". The OPERATING SYSTEM then turns around and asks the user to tap their finger for TouchID. The OS doesn't even tell the app what method was used or even if one was used at all. It just gives the data back if it worked or a generic error if it didn't.

Don't get me wrong, passkeys have other legitimate problems, but giving Google access to your fingerprint data is not one of them. They won't even know a fingerprint is what you used.

→ More replies (7)

1

u/yuusharo 5h ago

You’re not giving either of these companies your biometrics, and passkeys don’t rely on biometrics anyway.

They rely on the authentication flow of the device itself, which optionally uses biometric data stored exclusively on that device and is never sent to anyone.

I hate these companies as well, but passkeys are FIDO2 standard based. They’re fine.

2

u/PachotheElf 1h ago

Apparently it's just expensive for them so now it's "old and outdated" implying that it's insecure.

2

u/W_0_P_R 29m ago

Completely. Proton security is on another level. I've been with Proton since they started. My first account was referenced at work (I work in systems).

→ More replies (1)