by bobsoap 1136 days ago
Ok, Google. I'll bite.

So you send me an email today titled "[Update] Google passkey support will replace your built-in security key starting May 3, 2023". It was in my spam folder, but I digress.

This "update" kindly informs me that "Passkey support will be integrated because they're easier to use" [sic], that it's safer than most other forms of 2-SV, that this new method will work on any devices that have registered passkeys, which includes all phones on which I'm signed in, that I'll be able to sign in to my Google account with just a passkey, that no action is required from me to do this, and that you're here to help.

Yes, Google, I'd like some help. For starters, I'd like to know:

- What do you mean by "built-in security key"? Built-in suggests hardware, so my phone presumably has a hardware security chip and now passkey is a new type of hardware chip for authentication?

- What's 2-SV? Two Sievert? Dos El Salvador? Double Support Vector? Second Silicon Valley?

- What the heck is a passkey?

Luckily, you provide a link to your HC article [1], which I click on. It's titled "Sign in with a passkey instead of a password". It helpfully informs me that with a passkey, I can sign in to my Google account with my fingerprint/face scan/device screen lock like a PIN. There's a bunch of other valuable information in that article, like how it won't work in Firefox, won't work in incognito mode, that Bluetooth must be enabled, and that anyone who manages to unlock my device gets full access to my account. Needless to say, sounds totally awesome, I'm sold!!1

What the heck is a passkey?

Is it like the thing that sometimes uses my Android phone as a 2FA device to sign into Google properties, just... somehow different? What's the difference, except that I now need to enable Bluetooth and can't use it in Firefox? How is it more secure than [something I know + something I own] if it removes [something I know] from the equation and only leaves me with one of the two factors? How is it more secure than Dos El Salvador?

Who the heck wrote this email?

[1] https://support.google.com/accounts/answer/13548313