Why PassKEYS are Replacing PassWORDS


Learn how passkeys work and why they're replacing passwords.

Leave a reply with your requests for future episodes.

Comments

One thing to note about biometrics in general.. law enforcement (in the USA) can *_NOT_* force you to give them the PIN to your phone or passwords for devices or accounts .. but they *_CAN_* legally force you to open or access something using your finger, face, etc. To be clear, I'm saying they are allowed to literally grab your hand and forcefully push your finger onto the device with the express intent of opening / accessing it .. against your will. They can't force you to give them a password or PIN.

THE-X-Force

In the US, you can be compelled by the police/courts to log into any account using your biometrics; i.e. face or fingerprint, regardless of your 5th Amendment right against self-incrimination. They cannot, however, force you to reveal a password or PIN.

ryan

This is not technically wrong, but also a dangerous misrepresentation of biometric access. A lot of biometric access does not use a passkey in the way described here, but stores it in a local server that can be hacked, and the data stolen. Things like paying for your groceries with your handprint, or scanning into work with a fingerprint. If a password gets hacked you can change it, but you can't change your face or handprint so easily. Biometrics are not always the best option.

The_Cyber_System

I really don't like biometrics as a basis for authentication. The scanned biometric value that gets compared is essentially just a really strong password, but if it gets leaked somehow, you can't change it. I'd rather change my password than change my fingerprint.

scifino

Recently a vulnerability was discovered in the fingerprint scanners on some Dell, Lenovo, and Microsoft Surface devices. Knowing that, I'm a little skeptical that this is totally secure.

If I suspect a password is compromised I can change it. Not sure what would happen if the same happened with a passkey.

I also wonder what happens if the device they are stored on dies or is lost/stolen. Is there a way to recover one's credentials?

Until I receive satisfactory answers to these questions I'll stick with my password manager.

artos

Just to note, passkeys can work without needing any input of your username or email. Once they are tied to your account, it just needs you to verify on your device.

Mr.DarrenGriffin

The sites promoting passkeys aren't exactly doing a great job explaining to normies why a 1234 PIN is better than a 123456 password.

Ryzza

The thing that annoys me is when sites require a capital letter and/or a symbol when creating an account. It's even more annoying when they don't tell you this until AFTER you fill everything out and click "Create Account".

SnugglesPrime

Isn't American law that biometrics are something that can't be withheld from authority's seizure but passwords are protected?

deleted-blank

Considering the implications with the US 5th amendment and the fact that you can't change your biometrics if they somehow get leaked, it seems like this should remain strictly a second factor of authentication and not replace passwords entirely.

pchris

The issue I have with these kinds of authentication is that I'm giving the keys to my accounts whenever I interact with anything in this world.
A password is only in my brain (and in that plain text document that I have easily accessible at all times), but my fingerprints are everywhere I go, same with my damn face. Why would I want to downgrade to what is practically a public key?

YOEL_

I can't believe you shared my password to the whole world.

AlbertHoltsclaw

Kinda sad there is no mention of the elephant in the room here: vendor lock-in.
It might seem like there is no real difference between passkeys and just using a password manager in this regard, but there is, and if left unattended it will be a huge problem in the future.

MeLlamoChopa

Oh yes! More stuff to make it impossible to be anonymous! I sure do love the future where being tracked is a necessity and dissent is the gravest possible sin.

navienslavement

If only they kept our passwords in a plain text document…

wobblysauce

What I want to know about Passkeys that NO ONE EVER TALKS ABOUT and is ABSOLUTELY CRUCIAL is: What happens when you lose your device? coz the private/public key is generated from your device right? So if you lose it, don't you lose the private key as well? and also don't you need a service to synchronize your keys anyway?

Plus there's the whole "hey, what if I need to log in on a device WITHOUT biometric hardware?" like.... at work. or at school. Which can be QUITE OFTEN

unrealed

Honestly would like a more tutorial-like video on this topic. Can you use this for any website? I don't think I've ever seen a website with this option.

Souchirouu

3:44 Ahh yes, good ol' password #63, can't say I've used it as a password myself, but it sure is fun to say!

skullman_plays

Public key cryptography combined with multifactor authentication (preferably OTP—to heck with biometrics) has been around for decades. The fact that it's only just now becoming prominent is honestly a disgrace.

GSBarlev

A sufficiently knowledgeable and prepared attacker can get into just about anything, but putting more layers and more security in front of them to slow them down might cause them to stop. If they really want in, they will find a way, but at that point, we're talking about black hat guys being paid by mafia men to hunt you; random user five doesn't have to worry about that.

Atsumari