Conversation

  1. jcoglan (jcoglan@mastodon.social)'s status on Monday, 13-Jan-2025 13:50:40 JST

    I see the great history of educating users on security continuing as a website offers to save a "passkey" on my computer with no explanation of what a passkey is

    • Haelwenn /элвэн/ :triskell: likes this.
    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:25:58 JST

      passwords are very problematic but people do understand what they are and what is expected from them. asking the user to adopt passkeys without explaining their obligations if they want to retain account access is just offering to lock them out of their account

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:25:59 JST

      you're replacing passwords with "the user has to retain a set of private keys or else they lose access to their accounts", which implies stealing a physical device with said keys gets you into the victim's accounts

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:25:59 JST

      I actually don't understand how you can look at the ux and security problems with passwords and conclude that making users retain a set of private keys, a concept that is completely opaque to most people, will help at all

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:25:59 JST

      given the opaque nature of the essential state, it requires a ux solution that boils down to "the user must retain a particular physical device, or access to a vault where the keys are stored, which is secured with a password"

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:25:59 JST

      my current password scheme: has no essential state, requires storing nothing, cannot be breached by stealing my phone, its keys can be written down on paper, I cannot be physically compelled to reveal any of it

      passkeys+biometrics: the opposite of all these

      Joël 🍵 and GreenSkyOverMe (Monika) repeated this.
    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:26:00 JST

      e.g. are biometrics an essential part of passkeys, and if so: A. that is really silly and B. how does this work when I am not using a phone

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:26:00 JST

      do they replace passwords, do they perform some auxiliary function, am I responsible for retaining them, what happens if they get lost, how do they work across devices

      I am finding them absolutely impenetrable to understand which bodes poorly for them actually helping users

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:26:00 JST

      replacing passwords with biometrics is a terrible idea, sorry

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:26:00 JST

      ok now I've remembered the rest of how passkeys work and they're *really* stupid

    • jcoglan (jcoglan@mastodon.social)'s status on Thursday, 16-Jan-2025 02:26:01 JST

      I am a software developer with some understanding of security and cryptography and *I* have found passkeys hard to understand from existing available information


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.