Passkeys: is this finally the solution to the password problem?

Every so often, I rant about the problems with passwords. (Don’t believe me? Here’s the proof.) Passwords are a real problem because they go against human nature. If they’re complex enough to be unhackable, they’re not simple enough to be memorized. If you have enough complexity and don’t reuse passwords, there’s no hope you’ll ever remember which password goes with which account.

The latest solution being floated is the idea of a passkey. This idea isn’t new, but for some reason they stopped calling it “authenticator apps” and started calling it “passkeys.” But, it’s the same idea. You put an app on your phone and instead of you logging in with a password, a web site sends a message to your phone. You can approve or deny the login at that point.

How it all works, as far as I can see

So, the idea here is that there isn’t a stored password which could be guessed or hacked. There’s an “authentication token” which is a largely unhackable piece of code. When you respond on your device, it negotiates some sort of secure transaction which enables that token to log you into that app.

The backbone of it is incredibly secure. This is essentially the same tech that lets you pay with your phone or even use a chip on a credit card. The codes that are passed back and forth are such long and complex strings of numbers that even the most powerful computing devices available today would take years to decode them.

This technology is already baked into both Apple and Google phones and it’s getting more popular. After all, your phone already has advanced biometrics built into it so it seems unlikely that someone would be able to use it if they stole it. But I have to say, I’m having a problem completely buying into the idea of passkeys and it’s because of two big problems.

Problem 1: What if you are browsing on your phone?

So if you’re browsing on your phone, then when you log in, the authentication messages are going to the same device you’re browsing on. This is the problem with two-factor authentication in general. It doesn’t do a whole lot of good if someone has your phone and is able to get into it. There’s a definite window of opportunity if you’re using your phone and someone swipes it. No, they can’t turn biometrics off but they can do a lot of damage especially if they’re able to inject some bad code onto your phone before it locks.

Problem 2: What if you lose your phone?

Our phones are already our wallets, our rolodexes, our calendars, and our mailboxes. For some of us they’re our car keys. For a smaller group, your phone might control some piece of medical equipment like a hearing aid or insulin pump. All of that is great until you begin to wonder what happens if you lose that phone. All of a sudden you could be in a serious pickle. If you’re lucky enough to have a few dollars or a good credit rating, you can pick up another phone. If your phone backs up to the cloud, you can be back up and running in, maybe an hour?

But what I don’t get yet is what happens if you lose your phone and it’s also your passkey authenticator. So you get a new phone; how do you tell it that it’s really you? And if all you need is a master password like a Google password or Apple ID, how can you get back in? I mean, you’ll put in the password and it will send an authentication message to the phone you don’t have.

I think there’s a way to nominate a backup person and probably authenticate through their phone but what if you stopped trusting that person? What if you’re just naturally solitary? I can see a lot of issues with this.

I can see a case where you lose access to everything including your bank accounts and credit cards just because you lost one device. And I’m not even sure how you would go about re-establishing access. If you go to the bank, they’ll tell you to use your phone to authenticate so they can re-open your accounts. The same is probably true for credit cards. It can end up being a massive problem, all because you accidentally dropped that phone in the river.

The problem is, there’s still no good answer.

There’s no bulletproof way of proving that you are you. There’s way too much that’s already being entrusted to your phone. It’s still way too easy for someone to steal your device and as I said if they nab it while you’re using it, that’s enough time for them to do some serious damage.

But I will say that it’s a better solution than people just using their kid’s birthday for their password for everything. And it’s really better than having to type an unmemorable string of 20 letters and numbers using the tiny keypad on your phone. I think we all agree that this method isn’t working, period.

So, passkeys are a good start. They’re not perfect. But, sometimes you have to adopt something imperfect. Sometimes you do it because you have to. It’s an interim solution that is better in a lot of ways. It’s also very much worse in a few ways. But short of going back to keeping all our money in our mattresses and reading nothing but newspapers, it may be the best we get right now.

The post Passkeys: is this finally the solution to the password problem? appeared first on The Solid Signal Blog.

 
In that passkeys can be approximated with tools other than phones (much as TOTP has been incorporated into password managers), it has a future.

The problem, as always, will be maintaining backups.
 
