Posts: 6 · Comments: 1467 · Joined: 3 yr. ago

  • account is passkey locked, but I need to check my email from my friend's laptop. Would that require that I install passkey on their laptop

    Yes but you would not want to do that. I can’t imagine a scenario where you could make it to your friend’s house without your phone, and also need to check your email so bad that you borrow their laptop, but in that case you would not be able to log in. Unless your passkey for that service is stored in your password manager, in which case you’d have to log in to that first.

    Does that also mean that if I forget to log out of passkey, they can access all of my accounts correlated with my passkey account?

    There is no “Passkey account”, it’s not a service or an app. It’s a file stored either on your device or in your password manager.

    what happens if my passkey account is compromised? All of my accounts are linked to a single point of failure?

    I already brought up that you have no “passkey account” to compromise, but if your passkey was somehow stolen, the only thing compromised would be the service that passkey is for.

    A friend of mine had to break out some kind of USB dongle to log into his Google account on a new machine the other day. Is that a form of passkey?

    You can get hardware devices to store passkeys on, yes.

    What happens if that dongle gets lost/stolen/broken? Or what if you just forgot it at home? Are you SOL?

    If it’s lost or stolen you’d want to make new passkeys yes. If you forgot it at home, you wouldn’t be able to log in if the hardware device was the only thing you had a passkey stored on.

    I wonder how often you truly forget important everyday articles at home, despite you needing to get connected to things at a moment’s notice. I don’t think I’ve forgotten my phone anywhere once in the last 15 years.

    The thing is, all these scenarios you’re coming up with are no different for passkeys than they are for complex, unique, secure passwords. It sounds like your usual MO is being able to recall your password (In the case you’ve forgotten your phone and are in a borrowed device), which means your passwords likely aren’t secure, and you’re probably reusing them, which is more of a “single point of failure” than passkeys ever could be.

    Honestly, my advice to you is before you even start considering passwords vs passkeys, you need to fix yourself up man. You need to get your shit together a lil bit.

  • Well that’s great news, then you’ll like passkeys because you can use them without being locked into anything.

  • Asymmetric cryptography has been ubiquitous and generally standardized by the time Google began letting you store Passkeys, so what’s your point?

    Is Google supporting a particular service or system a dealbreaker for you or not? Because Google has far more fingers in the public operation of email than it does passkeys. So if you’re still ok with having an email account, then you should be just as ok with using passkeys.

  • Well you’re in luck, they’re currently established and working in practice.

  • Yes. Any website that has implemented passkey authentication can be logged into by any Passkey provider. There are no websites that “Only accept Apple passkeys”

  • Well no, their call to action isn’t to not give anyone else money. They didn’t have anything negative to say about their competition like 1Password. They’re just warning you about the shady things Google and Apple are doing specifically. And as an alternative they’re offering their own solution instead, which also doesn’t cost any money.

  • Proton enabled passkeys in their free tier. So ultimately, yes by using their free tier and being safe in the thought that you can always leave if you want, that might drive you to pay for a paid plan.

    But companies trying to earn your business by offering you a good honest product is not at all the same as a company using anti-consumer practices to keep you from leaving lol.

  • They’re the private half of a public/private key pair, much like how you make encrypted connections to websites.

    The gist of passkeys is that the secret you’re using to log in to your accounts is stored on your device (or in your password manager) and is never sent to or stored on the server. So if a website you have an account on is breached, unlike with a password, your passkey can’t be stolen, because they don’t have it.

    Similarly, your passkey can’t be phished. If a malicious actor directed you to a fake login page and you didn’t notice and entered your password into the fake login form, they now have stolen your password. But because your passkey is not sent to the server like a password, the fake login page wouldn’t get anything.

    And because your passkey isn’t something you have to remember, you can’t create an insecure one like with a password, and you can’t reuse the same one for different accounts.
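Added example, not part of the comment above and not code from any passkey provider: a simplified Node.js model of the login that comment describes, showing that the server holds only a public key, that a look-alike page gets nothing, and that an old signature cannot be replayed. The `Authenticator` and `Server` classes, the `mail.example` origins and the JSON payload are assumptions for illustration; real WebAuthn uses a binary format and more checks.

```javascript
// Simplified passkey-style login (illustration only, not the WebAuthn wire format).
const crypto = require('node:crypto');

// Authenticator: one private key per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this reaches the server
  }
  // The browser supplies the origin of the page actually loaded; the user cannot override it.
  getAssertion(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no credential for this site: nothing to hand over
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign(null, Buffer.from(clientData), key) };
  }
}

// Relying party: stores public keys only; checks challenge, origin and signature.
class Server {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge() { return crypto.randomBytes(32).toString('hex'); }
  verify(user, challenge, assertion) {
    if (!assertion || !this.publicKeys.has(user)) return false;
    const data = JSON.parse(assertion.clientData);
    if (data.challenge !== challenge || data.origin !== this.origin) return false;
    return crypto.verify(null, Buffer.from(assertion.clientData),
                         this.publicKeys.get(user), assertion.signature);
  }
}

function demo() {
  const site = new Server('https://mail.example'); // constructed origin
  const device = new Authenticator();
  site.enroll('alice', device.register('mail.example'));
  const challenge = site.newChallenge();
  const genuine = site.verify('alice', challenge,
                              device.getAssertion('https://mail.example', challenge));
  // A look-alike page relays the real challenge, but the browser reports its own origin.
  const phished = device.getAssertion('https://mail-example.test', challenge);
  // A signature made for an old challenge fails against a fresh one.
  const replay = site.verify('alice', site.newChallenge(),
                             device.getAssertion('https://mail.example', challenge));
  // What a breach of the server's credential store would expose.
  const dump = [...site.publicKeys.values()].join('');
  return { genuine, phished, replay, leaksPrivateKey: dump.includes('PRIVATE KEY') };
}
```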

  • Google pushed email accounts to you, do you not have an email address either?

  • No one is suggesting that you secure your online accounts with the billionaire owner class. They’re suggesting you secure them with passkeys.

  • Not sure what Google has to do with passkeys besides the fact that they’ve implemented them. Google implemented passwords too but I’m guessing you’re fine with those?

    Passkeys are not exclusively controlled by oligarchs so I guess by your own admission you should consider them.

  • You still deserve those downvotes. There’s nothing to not trust about passkeys.

  • Actually the whole point of having a Roku TV is that it’s cheap. Unlike many other TV OSes, people don’t necessarily buy Roku TVs on purpose. Roku has just cornered the market on providing cheap smart OSes to the cheapest of TV manufacturers. Chiefly TCL, which became incredibly popular as surprisingly good value TVs in the last five years. I’d imagine they did so by providing the OS for next to nothing to these manufacturers, with the intention to steal as much end user data to sell off as humanly possible.

  • I would assume that these ads still need an internet connection to play. Another great reason to use an external box to play your media and leave the smart TV offline.

  • That’s like firing an accountant because Excel can do what they do. Lol

  • The state constables posted at the exit usually lol

  • Is it though? Is your self hosted mail server sending 5,000+ emails to various Gmail inboxes daily? If not, this doesn’t seem like it would affect you. And even if it did, all they appear to be asking is that you enable DKIM and DMARC for your mail server, which is something both trivial to do and you should be doing anyway.

    I’m not going to claim that a company like Google wouldn’t love to make life harder for the consumer, but I don’t see how anything related to this change would do that.

  • If it was in the customer’s favor, they wouldn’t be doing it lol.

  • Passkeys theoretically hit a sweet spot of both qualities. But they come with a higher potential for a possible theoretical lockout.

    But they don’t. I think this is where your confusion is. I think you’re worrying over a problem that doesn’t exist.

    Now you are locked out of your entire digital life. This is not a rare occurrence, it happens everyday.

    It does not.

    If you’re scared of losing both your device and your recovery codes for TOTP, to the point that you store those in your password manager, and you’re happy with that solution, then just store your passkeys in your password manager. That’s literally what this post is about.

    And even if you store your passkeys on device for an iPhone for example, they’re stored in your iCloud Keychain which can be recovered if you lose your device. There’s also just nothing about Passkeys that prevents a service from offering an account recovery service.

    If you’re already using 2FA, then Passkeys do not pose any additional risk to being “locked out” of your accounts. They actually have less risk usually.

  • But, now the user is locked out of their digital life. How do you get back in? There's nothing you can use to authenticate yourself in with the server if all you had was a passkey.

    I’m still not sure what the question is. The same way you would with a password. Using an authenticator app also ties authentication to a single device and yet you don’t seem worried about that. Using “all security systems simultaneously” is not a solution to this problem you’ve suggested which I don’t think really exists. By using all security systems you’re just making your service less secure, not more.