Do you people trust companies with passkeys?

I feel like big tech have started pushing for passkeys really hard lately. Microsoft has been asking me if I want to switch to passkeys pretty consistently. Google just automatically brings up the passkey registration fingerprint scan system dialogue every single time I’ve been signing in on Android. Without even asking if I want a passkey or not, it just does it without saying anything. I think the intention is pretty clear, an unknowing person sees the completely random fingerprint scan dialogue, doesn’t think much of it, scans their fingerprint, a passkey gets created automatically.

Well, I fell for their trick. I’ve been avoiding the passkey dialogue pretty consistently for a while now, but just now I was signing in while distracted and accidentally tapped my finger on the scanner by reflex on the prompt. I guess I have a passkey now. Yay.

I did some digging on my Google account settings and the internet, and I couldn't find a way to completely remove the passkey. It seems you can only disable the use of passkeys, but the passkey itself remains. There is also a setting called “Skip password when possible”, which is clearly what has been causing the non-stop passkey prompts. It’s on by default. It’s a shame I’m only aware of it now that it's too late.

Theoretically, the passkey standard itself should be private and secure. Throughout the process, the biometric information used for the cryptographic challenges never leaves the device, and the server only gets access to a signature that has been signed with the client’s private keys that it can use to authenticate but can’t derive the private keys back from because of complicated math I didn’t spend enough energy to understand. Google automatically syncs the passkeys with its private keys with E2EE in the Google Password Manager tied to the account, which is where I start to get uncomfortable because I can’t bring myself to trust Google with E2EE.

What do you people think?
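The challenge/signature flow the post describes (server holds only a public key, client signs a fresh challenge) and the per-site uniqueness a commenter below points to, as an added toy model written for this thread, not code from any passkey implementation; it assumes a hypothetical Client/Server pair where the relying-party ID is mixed into the signed message, standing in for the origin binding a real WebAuthn client enforces:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Client keeps one key pair per relying party (rpID); the private key never leaves it.
type Client struct{ keys map[string]*ecdsa.PrivateKey }

// Server stores only public keys and one outstanding random challenge per user.
type Server struct {
	rpID    string
	pubs    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewClient() *Client { return &Client{keys: map[string]*ecdsa.PrivateKey{}} }
func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register generates a fresh P-256 key for this site; only the public half goes to the server.
func (c *Client) Register(s *Server, user string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	c.keys[s.rpID] = key
	s.pubs[user] = &key.PublicKey
	return nil
}

// Challenge issues 32 random bytes that are valid for exactly one assertion.
func (s *Server) Challenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	s.pending[user] = ch
	return ch
}

// Sign answers a challenge with the key bound to rpID; the digest also covers rpID, so a
// signature made for one site cannot satisfy another, and a missing key means no credential.
func (c *Client) Sign(rpID string, challenge []byte) ([]byte, error) {
	key, ok := c.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Verify checks the signature against the stored public key and the pending challenge, then
// discards the challenge so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, okPub := s.pubs[user]
	ch, okCh := s.pending[user]
	if !okPub || !okCh {
		return false
	}
	delete(s.pending, user)
	digest := sha256.Sum256(append([]byte(s.rpID+"|"), ch...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the server never sees the private key, a breach of its credential table yields nothing an attacker could sign with; the test below also shows that the same public key under a different rpID does not verify.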

  • xylogx@lemmy.world · ↑2 · 14 hours ago

    When you use biometrics with passkey, they are stored on-device. In that sense they respect privacy.

  • dropdrip@lemmy.ml · ↑3 ↓1 · edited · 23 hours ago

    From what you’ve written you’ve conflated separate things. Passkeys are not related to biometrics. Google wants your biometrics. Full stop. Google is a surveillance mega-corp. Full stop. Why are you still using Google? or Microsoft, which you clearly are uncomfortable with? That’s rhetorical. Don’t answer that. No one’s interested in your pissing and moaning for why you can’t leave this abusive relationship. Passkeys say nothing about biometrics. They’re unrelated.

    The surveillance corps' implementation of passkeys will always be in their interest. Hardware passkeys are superior to device-locked passkeys that are stored in a TPM. Such schemes are nothing but vendor lock-ins. Oh, I don’t want to buy a new phone; all my logins are stored on this phone. It’s too much hassle. I can’t leave Google’s Android, it contains all my credentials securely. Hardware passkeys have no such friction. I can use them on any hardware.

    The surveillance corps' software implementation is dodgy too. They’ve opted not to use some of the spec, which objectively weakens security. They’ll claim it’s for user-ease and whatever else they want to spout. The ease of silently using passkeys to access data they shouldn’t, or to migrate the users' passkeys to their new Google android phone–only Google android can migrate you to a new Google android device. You need Google android. Hit me harder daddy.

    I mean, really, what are you trying to ask? You clearly don’t trust these surveillance-companies. Passkeys are a good. Just like cryptography is just maths. There’s no issue with the maths or passkeys. The issue lies in these mega-surveillance-corps that parasitically extract value from your computers–whether that’s a desktop, laptop, server, smartphone or some other mobile-computer. You pay for the hardware, electricity, data-connection and you labour on them and these corps take everything from you. That’s why Alphabet, Facebook and whatever other shit software-company has valuations in the billions or trillions.

    Security is something they want. They want to be the sole holder of your information. They want a market monopoly. Strong cryptography helps them do that. Much like how a serial rapist and the police both like steel bars: one to keep their victims locked up in, the other to keep their victims locked up in too… huh… point is everyone likes strong cryptography.

  • monovergent@lemmy.ml · ↑2 · edited · 1 day ago

    As much as I trust them with passwords. Which is not too much trust. Implementations of passkeys also tend to be frustratingly bad.

  • utopiah@lemmy.ml · ↑2 · 2 days ago

    Yes, precisely because I don’t rely on Microsoft or Google to handle that.

    I have my own physical keys. I started like most with YubiKey, including a YubiKey Bio, then learned about NitroKey https://www.nitrokey.com/ thanks to NLNet https://nlnet.nl/project/Nitrokey-3/ so now I have a passkey that I could verify https://certification.oshwa.org/list.html?q=nitrokey as they are certified and audited https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit

    That being said… IMHO your doubt raises an interesting question, why? Why do you NOT trust them? Do you imagine they have your data? Do you think an interactive explanation where one exchange data would help to understand why no trust is required or maybe better, where it matters?

    • trilobite@lemmy.ml · ↑1 · 15 hours ago

      I’ve been wanting to get more into this nitrokey business but haven’t done my research. Are you using it for all your day to day authentication? Can it be used for websites? Logging onto laptops, etc?

    • dropdrip@lemmy.ml · ↑2 · 23 hours ago

      I’m also in favor of hardware passkeys & 2FA. They help alleviate vendor lock-in and are more secure.

      Usually only YubiKey is mentioned. I do prefer NitroKey’s aims of transparency. If other users know of other vendors please list them.

  • BakedCatboy@lemmy.ml · ↑11 · 3 days ago

    I don’t, which is why I use my self-hosted Vaultwarden instance to store mine. I refuse to add passkeys to any service if they don’t properly invoke the standard passkey prompt in a way that’s compatible with Bitwarden; otherwise I love passkeys and use them everywhere possible as long as I have complete control over them.

  • nate3d@lemmy.world · ↑7 · edited · 3 days ago

    I think your problem is more to do with how shitty Google is anymore, more than the technology of passkeys. From a cryptography perspective passkeys are much more secure than simple username/password authentication as there’s no effective way to brute force or acquire through tools like key-loggers. Like another commenter said, start looking at self-hosting your own services like Vaultwarden or the like and de-Google first and foremost. One other massive benefit with passkeys is the fact that they are cryptographically unique, so even if an attacker acquires one, it’s only able to be used to access a single site/account.

  • ☂️-@lemmy.ml · ↑2 · edited · 2 days ago

    don’t mention it. back when this was new, i told everyone this was gonna happen and got downvoted and laughed at.

    who is laughing now? well not me because it sucks anyway.

  • normonator@lemmy.ml · ↑3 ↓1 · 3 days ago

    In theory yes, but in practice no. Most companies have implemented them in the dumbest ways and have not used them to increase security. They can pretty much all be worked around with your phone number or email. It should also be a choice not trying to trick users into using it.

    Amazon can fuck right off with their prompt to save on every single login. Microsoft will still try to save passkeys even when you turn it off in Windows so you can use a password manager. They are just creating a fucking mess.

    Password + passkey as 2FA would be nice.