I’m highly skeptical of Passkeys/WebAuthn as it would seem to not have the same legal protections that a password has in the US. Maybe this is me becoming a conspiracy theorist.
I’m in the same boat. Using Passkeys gives the user less control. The last thing I need is another layer of complexity when dealing with credentials. This seems like a solution created for people too lazy to generate and track secure secrets (using a password manager).
It also seems like a way companies like Google would lock people into their browser.
Well, passkeys come with another very interesting property: they make it entirely useless to obtain the database of user credentials from services. It only contains public keys specific to a single service, so you cannot use them anywhere else. Additionally, private keys are stored on secure storage in client devices (or need to be decrypted themselves using a second factor), so there’s pretty much 0% risk of mass credential leakage.
> they make it entirely useless to obtain the database of user credentials from services. It only contains public keys specific to a single service, so you cannot use them anywhere else.
This is also the case for anyone using unique passwords per site, which is the standard for password vault users. Not much of a win there.
> Additionally, private keys are stored on secure storage in client devices (or need to be decrypted themselves using a second factor)
Also exactly the same as password vaults, but we still stress about LastPass losing their encrypted vault DB.
I agree that Passkeys appear to bring the benefits of Password Vaults to people not currently using them in a fairly easy way. However, I worry about access to those passkeys when access to the Passkey provider is lost/revoked.
No, you misunderstood me. Passkeys remove the incentive to attack auth infrastructure in the first place, because a database of WebAuthn credentials isn’t useful to criminals compared to a database full of password hashes. This isn’t about the handful of tech-savvy users who know how to protect their privacy anyway, but all the others who constantly reuse their insecure passwords and won’t use password managers.
This is conspiracy theorist talk until it isn't and that date will be not long after this is more commonly used. (I think this is a rational concern, btw)
The current legal climate is mixed but we have court cases that claim biometrics are not covered by the 4th and 5th. We also have the opposite. The reasoning being that producing biometrics is not testimonial. Until decided by the Supreme Court, I'll assume that anything that can be produced without my mind is not covered and that includes this.