Passkey confusion

Monanore

Looks like they're going to make our life even more difficult.  Apparently I won't have a password, but an ID tied to a specific device. It can be a PIN.  But I can only use it on one device !  Or I'd have to set up syncing or some such nonsense which I don't understand.  So, suppose I want to do an important transaction on my laptop and the laptop isn't working.  I'm stuffed !

flaneurs_lobster

Can you be more specific? Who is "they"? Don't think you are quite understanding how passkeys work but tell us which service you are referring to and we might be able to help.

I'm not aware of any of the major (or any other) service that is insisting that their users switch to passkeys exclusively. they all have more traditional (and less secure) access methods available.

DullGreyGuy

Monanore said:

Looks like they're going to make our life even more difficult.  Apparently I won't have a password, but an ID tied to a specific device. It can be a PIN.  But I can only use it on one device !  Or I'd have to set up syncing or some such nonsense which I don't understand.  So, suppose I want to do an important transaction on my laptop and the laptop isn't working.  I'm stuffed !

It's not tied to a specific device but a private key. If you use "syncing or some such nonsense" then the key can replicate across all your devices. 

For most its a convenience and with all you can fall back to using a password etc if your laptop isnt working and you haven't figured out syncing

Vitor

Passkeys are an alternative, potentially more secure alternative to logging in with passwords which can be keylogged etc., but they don't replace passwords so you can always login from a new device. NB If you are really concerned about security, the passkey is stored in a USB device such as a Yubikey that is portable between devices. 

Say Goodbye to Passwords: Passkeys Explained Simply

PHK

Monanore said:

Looks like they're going to make our life even more difficult.  Apparently I won't have a password, but an ID tied to a specific device. It can be a PIN.  But I can only use it on one device !  Or I'd have to set up syncing or some such nonsense which I don't understand.  So, suppose I want to do an important transaction on my laptop and the laptop isn't working.  I'm stuffed !

The fact that you don't understand it doesn't make it nonsense or your life more difficult. 

If your laptop wasn't working then you wouldn't be able to use it whether you had a password or passkey. 

The point with a passkey is you have two things, a device and a key. So even if someone gets your key then it won't work without the device and vice versa. The Key can be biometric, a password or a device like a Yubikey.

If you want to log in elsewhere then the passkey prompt will still appear on the device. 

For example, if your phone and fingerprint form the passkey. Suppose you want to log in on a tablet. The tablet will display a QR code, you scan that with your phone authorise the login with you fingerprint and that logs you in on the tablet. Mich more secure and easier to use than a password.  

Vitor

- The Key can be biometric, a password... -

I think you're conflating 2FA techniques in general and passkeys, the later are based on public key cryptography

Monanore

Sorry, I was annoyed at reading about passkeys for the first time so I wasn't clear.    It seems that when they are brought in, and tied to a specific device you would not be able to access the same website on a different device.  You would have to set up different passkeys for each website on each device, or get more technical and start getting syncing set up, all wrapped up in Google or whatever - it's all so confusing.  A lot of inconvenience for those who understand and a nightmare for those who don't.  

And, mark my words, when it's made compulsory ( and it will be ), the scammers will be ahead of it and turn it to their advantage - just like they have done recently with Captcha.  Me? Cynical?

km1500

PHK said:

Monanore said:

Looks like they're going to make our life even more difficult.  Apparently I won't have a password, but an ID tied to a specific device. It can be a PIN.  But I can only use it on one device !  Or I'd have to set up syncing or some such nonsense which I don't understand.  So, suppose I want to do an important transaction on my laptop and the laptop isn't working.  I'm stuffed !

The fact that you don't understand it doesn't make it nonsense or your life more difficult. 

If your laptop wasn't working then you wouldn't be able to use it whether you had a password or passkey. 

The point with a passkey is you have two things, a device and a key. So even if someone gets your key then it won't work without the device and vice versa. The Key can be biometric, a password or a device like a Yubikey.

If you want to log in elsewhere then the passkey prompt will still appear on the device. 

For example, if your phone and fingerprint form the passkey. Suppose you want to log in on a tablet. The tablet will display a QR code, you scan that with your phone authorise the login with you fingerprint and that logs you in on the tablet. Mich more secure and easier to use than a password.  

What happens if your phone is lost or stolen? (genuine question)

Vitor

- What happens if your phone is lost or stolen?- 

You login with your credentials, satisfy the 2FA with the backup method and regenerate the passkey to store on your new phone. 

PHK

Vitor said:

- The Key can be biometric, a password... -

I think you're conflating 2FA techniques in general and passkeys, the later are based on public key cryptography

No I am not, it's the combination of the device + method (biometric, password or PIN) that makes it a passkey

Vitor

It’s actually the public key cryptography that defines a passkey, not the device unlock method. The PIN or biometric simply authorises the device to use the private key securely stored on it. This distinction is important, because it’s what makes passkeys resistant to phishing and different from typical two-factor authentication.