• hemko@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    14 days ago

    What’s wrong with passkeys? I’m in love with passwordless sign-in with yubikey, so much easier and faster than password + totp

    • deegeese@sopuli.xyz
      link
      fedilink
      arrow-up
      1
      ·
      14 days ago

      It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.

      Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?

        • deegeese@sopuli.xyz
          link
          fedilink
          arrow-up
          1
          ·
          14 days ago

          Security for who exactly?

          If I don’t even want an account, it’s the “security” of the sites ad targeting data that IDGAF.

      • hemko@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        14 days ago

        I think you’re describing SMS passcode, totp or other such factors.

        Passcode doesn’t require phone necessarily, but you can use it too

        • Kusimulkku@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          14 days ago

          A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.

          • 4am@lemm.ee
            link
            fedilink
            arrow-up
            0
            ·
            14 days ago

            BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.

              • perfectly_boiled_pizza@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                10 days ago

                In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.

                For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don’t allow infinite attempts, so an attacker would have to be unimaginably lucky.

                There are sadly lots of huge companies that DON’T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      14 days ago

      I don’t like how there isn’t a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.

      • Semperverus@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        14 days ago

        The syncing of keys allows for much greater attack surface.

        Its being worked on right now but the standard hasn’t been finalized yet.

        • Kusimulkku@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          14 days ago

          Until exporting and syncing keys is properly implemented, passkeys can go kick rocks.