Serious Discussion Passkeys - Pros and Cons Discussion

[Ink]

My recent feature on passkeys attracted significant interest, and a number of the 1,100-plus comments raised questions about how the passkey system actually works and if it can be trusted. In response, I've put together this list of frequently asked questions to dispel a few myths and shed some light on what we know—and don't know—about passkeys. This FAQ will be updated from time to answer additional questions of merit, so check back regularly. This author will not be monitoring or responding to comments going forward but can still be contacted through email.

Here are a few Q&A from the article. Visit Passkeys may not be for you, but they are safe and easy—here’s why to read more.

Q: I don’t trust Google. Why should I use passkeys?

A: If you don’t use Google, then Google passkeys aren’t for you. If you don’t use Apple or Microsoft products, the situation is similar. The original article was aimed at the hundreds of millions of people who do use these major platforms (even if grudgingly).

That said, passkey usage is quickly expanding beyond the major tech players. Within a month or two, for instance, 1Password and other third parties will support passkey syncing that will populate the credential to all your trusted devices. While Google is further along than any other service in allowing logins with passkeys, new services allow users to log in to their accounts with passkeys just about every week. In short order, you can use passkeys even if you don’t trust Google, Apple, or Microsoft.

Q: Why is Ars pushing passkeys so hard?

A: Based on conversations I’ve had with numerous people specializing in account authentication, I see great promise in passkeys because I think they will be easier and, on the whole, more secure once people develop the same kind of muscle memory they have now with passwords. Only time will tell, but I see no reason that people, including skeptics, shouldn’t at least try them. There's nothing to lose. If you don’t like passkeys, you can delete them (with the exception of passkeys Google automatically created on Android devices) and fall back to passwords at any time with no penalty.

Q: Can you back up your passkeys?

A: Not yet. But per this note from an engineer elbow-deep into the implementation of passkeys, import/export capabilities across devices and passkey managers are in the works.

 

[MuzzMelbourne]

I used to have an Authentication Token on my keys for my bank account access.

It was a right royal pain in the arse and I binned it ASAP.

Can't see these things taking-off at a personal level myself. Corporate stuff, no problem, but personal? Not my cup of tea.

 

[Ink]

I used to have an Authentication Token on my keys for my bank account access.

It was a right royal pain in the arse and I binned it ASAP.

Can't see these things taking-off at a personal level myself. Corporate stuff, no problem, but personal? Not my cup of tea.

Passkeys are not for everyone.

 

[MuzzMelbourne]

Passkeys are not for everyone.

True, but I wonder if they will ever reach critical mass adoption or be forced upon us by a, 'gun shy', defrauded banking system and we'll lose any choice.

 

[Trident]

True, but I wonder if they will ever reach critical mass adoption or be forced upon us by a, 'gun shy', defrauded banking system and we'll lose any choice.

I think it’s too early for mass adoption but in the coming few years it will be the preferred format of log-in. I am curious to see what ways will be developed to snatch passkeys from users.

The philosophy that this will stop password exfiltration is too good to be true.

 

[MuzzMelbourne]

...I am curious to see what ways will be developed to snatch passkeys from users...

A Glok accompanied by a "Pretty Please..." has potential...

 

[FoxtrotCZ]

I already saw someone saying that passkeys must be bad because Google endorses them.
I mean, people already use SSH keys and they work great. This is similar, so I dont understand what is bad about it.

 

[Trident]

I already saw someone saying that passkeys must be bad because Google endorses them.
I mean, people already use SSH keys and they work great. This is similar, so I dont understand what is bad about it.

This is nothing more than unjustified hate. Google is “very bad” yet billions of devices run Android and millions of people use other products of theirs. Majority of browsers (all except few”) run on Chromium.
And it’s not just Google pushing these keys, Apple and Microsoft are on the same path. They are working together.

 

[MuzzMelbourne]

... so I dont understand what is bad about it.

Its yet another burden. First passwords, then bio-metrics, then 2FA, now this... the ultimate solution is a DNA sample, and I wouldn't put it past them.

Its not my data being stolen... its bloody great corporations who should know better getting hacked.

 

[FoxtrotCZ]

Yeah, we should just save all data in plaintext. We have nothing to hide so we don't need encryption

 

[MuzzMelbourne]

The future is passkeys, not passwords: Google accounts are the latest to make the switch, following similar moves by Apple and Microsoft over the last couple of years (with other smaller names also making the switch). It means more convenience and more security for your account, and no need to have to remember dozens of lengthy passwords.

Essentially, a passkey means that the device you’re using (typically your phone or laptop) proves your identity with whatever screen lock is in place—PIN, facial recognition, fingerprint sensor—proving that you are who you say you are. In simple terms, the tech you use to unlock your phone becomes the tech you use to get into your digital accounts, too. They replace two-step verification as well as the password, and they work with hardware keys.

How To Switch to Using Passkeys With Your Google Accounts

We won't have to put up with passwords for all that much longer.

gizmodo.com

 

[Ink]

Most people are going to use their phone as a passkey, though.

Ask yourself, though, might you ever lose your phone? That's where things aren't as easy.

Theoretically, all you need to do to reenable your secure key is sign into your Google account with a new phone. Even the "passwordless future" will still need a password I guess. While I haven't been able to test this, I will say it probably works as intended because it's the least complex part of the system — keep a backup of the important, but useless on its own, part in the cloud to retrieve if you ever need it.

Hopefully, you aren't locked out of your Google account and can remember the actual password you were told you no longer need, and you have a way to get an SMS from Google or sign in to an authenticator app. All without your phone in your hands. Lord help you if your phone was stolen and someone hosed your account by trying to get into it too many times.

These are real issues that we hear about every day. It's already horrible to not be able to help someone get back into their account where years of photos are stored. Having their logins for things from Netflix to their bank inaccessible while everything gets sorted out is a nightmare.

Soon enough we'll all be using passkeys because we will have no choice. Before that happens I sure hope someone is thinking about making the system more user-friendly.

The problem with Passkeys

We're not ready to make the move.

www.androidcentral.com