Post AVHZ9Xe8W1IZthOrp2 by atanas@mastodon.cloud
 (DIR) Post #AVHXU9ps2RyWDrajBI by lauren@mastodon.laurenweinstein.org
       2023-05-03T15:22:50Z
       
       0 likes, 0 repeats
       
       **** Questions I'm getting about Google's "passkeys" announcement ****

       All, I'm getting a pile of (many confused) questions about #Google's new "passkeys" announcement. Since I wrote "Passwords Must Die!" many years ago, I cheer these advances ... however ... there are implications in the implementation that really need to be fully understood by users, and frankly, given the difficulty in getting users to use 2-factor authentication, I suspect passkeys adoption will be complex unless users are forced to use them, which has its own implications.

       Bottom line, I would not urge use of them immediately, unless you are absolutely convinced that you understand the details, some of which are a bit opaque right now.

       My intention is to blog in some detail on this (and the new Google Authenticator cloud issues I mentioned previously) as soon as possible.

       Please take care. Best, L
       
 (DIR) Post #AVHY9ZXZNDCFokmNBQ by Vmarks@mastodon.social
       2023-05-03T15:30:18Z
       
       0 likes, 0 repeats
       
       I just signed into cvs.com in safari on Mac. It offered to create a passcode for me. I clicked yes. And that was it.  No further steps. If it’s confusing, it’s because there was a small amount of explanation about how this replaces passwords and no additional steps.
       
 (DIR) Post #AVHYaWwr7RInb4Sf5c by lauren@mastodon.laurenweinstein.org
       2023-05-03T15:35:10Z
       
       0 likes, 0 repeats
       
       @Vmarks I don't recommend using them yet. But your choice. Have fun.
       
 (DIR) Post #AVHYfWhJTj4AGdZcu0 by Vmarks@mastodon.social
       2023-05-03T15:36:05Z
       
       0 likes, 0 repeats
       
       @lauren I’m going slow. I did one. I don’t know that I’m ready to risk it with Google yet. CVS, I can wait on hold and get a person on the phone in the worst case. Google...
       
 (DIR) Post #AVHZ9Xe8W1IZthOrp2 by atanas@mastodon.cloud
       2023-05-03T15:41:24Z
       
       0 likes, 0 repeats
       
       @lauren Wasn't the AT&T network recently compromised and users' passkeys leaked? Poor timing on Google's part to release this feature now.
       
 (DIR) Post #AVHZKPQzO7GFc6Qsu8 by lauren@mastodon.laurenweinstein.org
       2023-05-03T15:43:31Z
       
       0 likes, 0 repeats
       
       @atanas That was (AFAIK) a more conventional leak of user data, not involving passkeys (which I don't think AT&T is using yet anyway).
       
 (DIR) Post #AVHZTqMGeg55irisGO by atanas@mastodon.cloud
       2023-05-03T15:45:11Z
       
       0 likes, 0 repeats
       
       @lauren Maybe I did not understand or do not remember the incident correctly. I think it was something similar to passkeys but just for email. But same concept, basically passwordless login.
       
 (DIR) Post #AVHZfbfd5bjBe1O89Y by lauren@mastodon.laurenweinstein.org
       2023-05-03T15:47:15Z
       
       0 likes, 0 repeats
       
       @atanas Passkeys can't leak the same way passwords (often) can.
       
 (DIR) Post #AVHaAGgPActBWvN5mq by atanas@mastodon.cloud
       2023-05-03T15:52:51Z
       
       0 likes, 0 repeats
       
       @lauren It was "mail keys".

       "The vulnerability revolves around mail keys, which are meant to allow users to log into AT&T email accounts via clients like Outlook or Thunderbird."

       https://www.theverge.com/2023/4/28/23702176/att-email-accounts-crypto-stolen-hack-api-mail-keys
       
 (DIR) Post #AVHaH0EshtF0Ybi0v2 by mtomczak@qoto.org
       2023-05-03T15:54:02Z
       
       0 likes, 0 repeats
       
       @lauren Details from the blog post at https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/ are a little thin on the ground; I'm going to have to seek out an implementation explanation.

       I think my biggest question is "If Google, being a private company and not beholden to government oversight regarding its account use policies, arbitrarily decides one day that I've violated their ever-changing terms of service and deactivates my account, am I now screwed vis-a-vis every single company I only have a passkey-based login with?"

       Because that alone should give pause.
       
 (DIR) Post #AVHb6QNzFkmKQ2UIiW by Vmarks@mastodon.social
       2023-05-03T16:03:22Z
       
       0 likes, 0 repeats
       
       @lauren this part is good news: https://hachyderm.io/@rmondello/110305415120557105 - using Passcodes doesn’t break the password, so low risk.
       
 (DIR) Post #AVHbaT9BYEttfctHnM by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:08:48Z
       
       0 likes, 0 repeats
       
       @Vmarks But it can *bypass* the password AND 2FA, which is problematic in specific situations.
       
 (DIR) Post #AVHbk9M1zlgZBDW17Q by Vmarks@mastodon.social
       2023-05-03T16:10:35Z
       
       0 likes, 0 repeats
       
       @lauren I’m having difficulty seeing how. Can you say more?
       
 (DIR) Post #AVHdEf6mbBieIyUphw by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:27:17Z
       
       0 likes, 0 repeats
       
       @Vmarks Device stolen in public place. Either already unlocked or by someone who spied the pin then stole it. Happens all the time. Game over for all passkey accounts, it appears, if the culprit moves quickly. Google briefly mentions the issue of device physical security, but glosses right over it.
       
 (DIR) Post #AVHdYYguAUEyC3sah6 by Vmarks@mastodon.social
       2023-05-03T16:30:54Z
       
       0 likes, 0 repeats
       
       @lauren ok, then we need to all use Fido keys. Seems unlikely though.
       
 (DIR) Post #AVHfIxVyJ3zmSRSGGG by Vmarks@mastodon.social
       2023-05-03T16:50:21Z
       
       0 likes, 0 repeats
       
       @lauren thinking about this, I’m not sure it can bypass authentication. It still uses Face ID/Touch ID/fingerprint before logging in with passcode. If you had my unlocked phone, and were prompted for login, you’d have to defeat the biometric. Unlike normal Face ID where you fail enough times it asks for a PIN passcode, here it just fails.
       
 (DIR) Post #AVHfizFoSi53NiJ99c by Vmarks@mastodon.social
       2023-05-03T16:55:03Z
       
       0 likes, 0 repeats
       
       @lauren interestingly you can get into the stored passwords on the phone with the passcode, and can see the passkey and password. But trying to just use the passkey won’t work because there’s no passcode option to get around the biometric.
       
 (DIR) Post #AVHfkj0HqrphYpsGwq by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:55:18Z
       
       0 likes, 0 repeats
       
       @Vmarks Again, Google's own words: "When you create a passkey on a device, anyone with access to that device and the ability to unlock it, can sign in to your Google Account."
       
 (DIR) Post #AVHg0CPGoYdd61wGX2 by lauren@mastodon.laurenweinstein.org
       2023-05-03T16:58:17Z
       
       0 likes, 0 repeats
       
       @Vmarks Many people don't use biometrics. I haven't seen anything to suggest passkeys require biometrics to function. Stolen PINs and simple passwords are common.
       
 (DIR) Post #AVHg7q8fUP06LnohSi by Vmarks@mastodon.social
       2023-05-03T16:59:38Z
       
       0 likes, 0 repeats
       
       @lauren I wonder if that’s how it works on Android. Again, iOS prevents someone from using the passkey directly unless you have the finger or face. But they do let you into passwords with a passcode if biometric fails, and you can launch the URL in the browser to get in. CVS’s implementation in the browser on mobile used the old password instead of passkey. (Browser on computer used passkey.)
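The back-and-forth above about whether a passkey sign-in needs a biometric or just the device PIN, and Google's note that anyone who can unlock the device can sign in, comes down to what the relying party can actually see in the WebAuthn assertion. The following added example (not from any poster, Google or Apple) parses the fixed prefix of WebAuthn authenticatorData and applies a relying-party policy; the RP ID "example.com" and the byte strings are constructed samples. It shows that the UV flag only records that user verification happened, not whether it was a biometric or a PIN, and that the BE/BS flags reveal whether the credential is a synced passkey.

```python
import hashlib
import struct

# Bits of the WebAuthn authenticatorData "flags" byte (WebAuthn Level 3 layout).
FLAG_UP = 0x01  # user present: a presence check (touch/tap) happened
FLAG_UV = 0x04  # user verified: biometric OR device PIN/passcode; the RP cannot tell which
FLAG_BE = 0x08  # backup eligible: the credential may be synced to other devices
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_policy(auth_data: bytes, rp_id: str,
                           require_uv: bool = True, allow_synced: bool = True) -> list:
    """Return the list of policy violations for an assertion (empty list means accepted)."""
    parsed = parse_authenticator_data(auth_data)
    problems = []
    # rpIdHash binds the assertion to this site; a mismatch means it was made for another RP.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        problems.append("no user-presence check")
    # UV=1 means the platform unlocked the key; it does not say whether by face, finger or PIN.
    if require_uv and not parsed["user_verified"]:
        problems.append("user verification (biometric or device PIN) not performed")
    # A high-assurance RP may refuse credentials that can be synced off the enrolling device.
    if not allow_synced and parsed["backup_eligible"]:
        problems.append("synced (backup-eligible) passkey not allowed by policy")
    return problems


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData (hypothetical helper, for demonstration only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

Synced passkeys typically report a signCount of 0, so clone detection based on a rising counter is not available for them; the BE/BS bits are the signal an RP has instead.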