by michaelt
1086 days ago
From a certain perspective, passkeys are a lot like using "Sign in with Google/Apple/Microsoft account", because if this passkey stuff takes off with normal people, 98% of passkeys will be stored in cloud accounts with those providers. The weakest link in the security chain is the procedure for when the user forgets their password / loses their phone / gets a rootkit / gets phished / has their e-mail compromised. You can transfer that problem from your site to a cloud provider and hope they do a good job - but the problem doesn't go away.
|
They will also (and primarily) be stored in the individual devices, and don't need cloud access to the providers in order to be used.
In this sense, it solves one of the main issues with third-party sign-in, i.e. that if the provider decides to lock your account, you get locked out of any linked services.
> You can transfer that problem from your site to a cloud provider
With passkeys? How so? Are passkeys not just cryptographic key pairs? If your service associates a certain account to a certain public key, there's nothing an external cloud provider can do to solve the issue you describe.
It's possible I've missed something; like I said before, I'm still wrapping my head around the whole thing.