Passkey confusion

Comments

  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 8 June at 10:19AM
    Vitor said:
    What happens if your phone is lost or stolen?

    You log in with your credentials, satisfy the 2FA with the backup method and regenerate the passkey to store on your new phone.
    So a passkey does not replace the password and 2FA, it is just used instead? (Unless you need to regenerate it because of a lost device, for example, in which case the password and 2FA are still available.)
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,594 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    km1500 said:
    Vitor said:
    What happens if your phone is lost or stolen?

    You log in with your credentials, satisfy the 2FA with the backup method and regenerate the passkey to store on your new phone.
    So a passkey does not replace the password and 2FA, it is just used instead? (Unless you need to regenerate it because of a lost device, for example, in which case the password and 2FA are still available.)
    Sort of. I have no passwords set for my main Google and Outlook accounts, just passkeys. I could have chosen to have both but that rather negates the additional security that passkey access provides.

    I'd like to replace my Bitwarden password access too, but it's not clear yet (at least to me) if that's fully supported.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 8 June at 2:38PM
    So how would you regain access to your main Google and Outlook accounts if for some reason you no longer had the devices that the passkey was on?

    Why would you not have a strong password as back up?
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,594 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    edited 8 June at 4:02PM
    km1500 said:
    So how would you regain access to your main Google and Outlook accounts if for some reason you no longer had the devices that the passkey was on?
    The passkeys live on two phones, a tablet and two laptops. Agreed that I'm in trouble if I need to access the accounts when without any of the devices but when does that ever happen, I cannot remember the last time I needed to access these accounts outwith my own devices. I would have to revert to account recovery with Google/MS if it was required.
    km1500 said:
    Why would you not have a strong password as back up?
    It's a weakness. Passwords stored on providers' servers can be compromised (although you'd hope MS and Google would be safer than most); password managers ditto. TBF, most passwords stored on servers are encrypted but I bet a fair few are not.
    Passwords can be copied as you enter them into your device: eyeball, camera, key-logging malware.
  • Vitor
    Vitor Posts: 663 Forumite
    500 Posts First Anniversary Photogenic Name Dropper
    edited 8 June at 4:14PM

    Even in a “passwordless” scenario, Google expects you to have at least one alternative way of proving who you are. If you haven’t set up any recovery options (such as a recovery email or phone number), account recovery can become very difficult or even impossible. That’s why Google strongly recommends setting up a recovery email and phone number, even if you’re using passkeys.

    If you’re especially concerned about security, avoid syncing passkeys through cloud services like Apple iCloud Keychain, Google Password Manager or BitLocker and instead use a FIDO-compliant hardware key (such as a YubiKey). This way, the passkey remains securely stored on the hardware key and never leaves the device’s secure enclave.

  • flaneurs_lobster
    flaneurs_lobster Posts: 6,594 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    Vitor said:
    Even in a “passwordless” scenario, Google expects you to have at least one alternative way of proving who you are. If you really haven’t set up any recovery options, account recovery can become very difficult or even impossible, that’s why Google strongly recommends setting up a recovery email and phone, even if you’re using passkeys.
    Yes, this. Ditto for Outlook/Hotmail. I make sure the recovery email is on a different provider, not just another account on e.g. Gmail. Just feels more resilient.

    You'd hope that the other email providers encourage/insist on same.