- Jan 2, 2023
Hi folks,
A question for security experts who are knowledgeable about passkeys.
So, Microsoft, Google, Amazon, eBay all support passkeys, right? They continually tout going passwordless, and the benefits of using a passkey over a password.
I'm new to using passkeys, but I'm beginning to think they are useless, at least at the present time, and I'm not talking about the method they use to authenticate in itself, but rather about the way websites implement them by still providing the password method to log in once you've set up the passkey. To clarify, they say go passwordless, but you're not actually passwordless.
For example, I just created a passkey on my desktop PC for Amazon, yet when I go to sign in, even though the passkey method is provided underneath, the password is still the default sign-in!!!! eBay also offers password log-in alternatives when a passkey has been set up, as does Google. Surely this means in the event that someone did know your password, they could just bypass the whole passkey method?
Is it just a simple case of passwords still being offered by websites because it's still early days for passkeys?
Is there any benefit to using passkeys now, even though the password method is still provided? I've heard there is always a chance at interception when you use a password to validate entry into a website, whereas with a passkey the validation method is more secure. I don't know if that is true or not.
I've heard some people say 2FA via an authentication app is not required with passkeys, but surely that would only be valid in a case where it is truly passwordless. For any website that can implement passkeys but still offers passwords as another method of authentication, I would say it is still required.
Thoughts, please.