• Microsoft adopts passkeys in Windows 11 — death to passwords!

    #2604037

    PUBLIC DEFENDER By Brian Livingston When Microsoft enhanced Windows 11 in a September 2023 update to support “passkeys” — a more secure form of authentication [See the full post at: Microsoft adopts passkeys in Windows 11 — death to passwords!]

    UPDATE 2023-11-21:

    I’d like to thank everyone who’s commented in this thread. In my two-part column on passkeys, I’m just trying to give you a heads-up about a big change that’s coming.

    If Microsoft, Apple, Google, Amazon and others all agree to support passkeys for authentication, it’s going to happen. (In the same way, most legitimate websites recently transitioned from http to https when the Web giants deemed it necessary.)

    Last year alone, “At least 79 U.S. financial services companies reported data breaches … and the largest breaches affect millions of consumers each.” —AmericanBanker.com, December 22, 2022

    Your passwords are not safe. The attacker has the advantage. Banks have to defend against thousands of possible attacks. A hacker needs to find only one way in that works.

    I can’t say this enough: Your passkey is not sent back and forth. If you’re able to sign in to your device, you can then access websites that recognize that device. Only a CHALLENGE is sent by the server to you. If your device can send back the correct RESPONSE (i.e., public/private key encryption), you’re in.

    Don’t want to carry your phone? Put a $15 FIDO2 mini-stick on your key ring, just like you take your house keys, ID, and debit card with you today. If your passkey-enabled phone is ever stolen, your mini-stick (on any PC) or any of the other devices you previously signed in on will let you recover.

    The FIDO Alliance has worked on this for more than 10 years. There are acknowledged implementation details, but they will settle out. I ask everyone to read the FAQs at the FIDO website, and read columns about passkeys in other tech journals (not just mine).

    For sure, people will have to learn to understand passkeys. But the concepts will some day be second nature to us. Get ready to be done with passwords. We don’t use rotary phones any more, either. (The switch from rotary to Touch-Tone took 25 years, so I think you’ll still be able to use your passwords for a while!) —BL

    11 users thanked author for this post.
    • #2604140

      The whole point of passkeys is that they should free you from credential hell. Who needs the headache of remembering all the username-password formats that each server required you to conform to? (A password must be eight characters or more, include a symbol, and so forth.)

      But I have already created all those passwords that each server requires.  I have them safely stored in a password-protected file on my daily driver.  Every site I use incorporates HTTPS, so my user id and password are encrypted end-to-end.  The financial institutions with whom I have dealings plant a fresh cookie with every connection, and if that cookie is missing, 2FA is automatically triggered, meaning that a Bad Actor must know my cell phone number and possess my cell phone to get past 2FA.

      And there is also the simple stuff.  My son lives with me.  He uses my Netflix, Amazon Prime, Paramount+ and Disney+ passwords to stream movies and series.  Is it that easy to share passkeys?

      At this writing, more than 80 participants are listed.

      80.  That’s a decimal point and a bunch of zeros before the number representing the percentage of internet sites appears.  Not one of the financial sites I use is on that list.  HTTPS is already in use everywhere I go.  At present I find no compelling reason to entertain the idea of using passkeys.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      4 users thanked author for this post.
      • #2604178

        Wouldn’t a passkey be able to be moved from one device to another with the same OS, as stated in the article? Would any further setup or verification be needed?

        -- rc primak

        • #2604242

          Wouldn’t a passkey be able to be moved from one device to another with the same OS, as stated in the article?

          Are you asking about a physical passkey?

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

      • #2604270

        I go one better — I’ve been using password safe for a long time and it makes proper, strong passwords easy to deal with — no need to mess around with dongles and such.  I have 300+ passwords in pwsafe, all random characters 25 characters long, and all different for every site.

        I sure hope we can disable this new stuff so I can go back to safe, secure passwords.

    • #2604159

      I have added my new Windows 11 laptop to my home network, including my Windows 10 desktop. I can see the laptop on the network from the desktop, but when I want to access it, I’m prompted for the password of the laptop — which, of course, being a Win 11 computer, doesn’t have one. Any suggestions on how to access the laptop from the desktop?

      • #2604243

        … when I want to access it, I’m prompted for the password of the laptop — which, of course, being a Win 11 computer, doesn’t have one.

        I have four Windows 11 installations, and all of them have passwords.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

    • #2604199

      I’m not convinced this is a good idea on several levels. I am immediately repulsed by the requirement of carrying a smartphone everywhere. We should be actively figuring out ways to decouple mankind from these wretched devices. And the thought of using a third-party passkey credential provider, which (as you wrote) is similar to an online password manager, seems ludicrous when most, if not every, online password management service has been breached already. The reality is that any digital entity of any size or importance will be breached at some time. It is never a matter of “if”, but of “when”.

      I’ve always believed using any method involving biometrics was already dead before it even started because no authentication method should rely on any component that can’t be changed. Last I looked, resetting your fingerprints, voice, retinas, or face was not a viable option for most people.

      I know how much I’ve enjoyed changing an email address and then having to notify everyone, change the email address in every service I use, re-authenticate everywhere, and so on. And I especially enjoy that special Hell one is trapped in when a little-used entity using a two-factor authentication method relies upon an email address or cell phone that was retired months ago. What’s going to happen when we change phones every two or three years? Regardless of the hype and assurances, I’m betting it will turn out to be a despised experience.

      But at the most basic level, this is just another type of challenge/response system. You can be sure a method of compromising it will be found because there is no such thing as, nor will there ever be, a perfectly secure system. And when that happens, instead of the compromising agent having access to only one protected entity (such as you have when using different passwords for each entity requiring one), it will have access to all the supposedly protected entities you secured with that single security token.

      I’ll admit we have problems with passwords, and a new, usable, well thought out methodology for authentication would be welcome, but this is not that solution.

      8 users thanked author for this post.
    • #2604208

      What’s going to happen when we change phones every two or three years? Regardless of the hype and assurances, I’m betting it will turn out to be a despised experience.

      Nothing will happen. You delete the current passkey on the old device and create a new passkey on the new device. You better create passkeys on two devices. Passkeys aren’t saved or compared on servers like passwords are.

      • #2604246

        You delete the current passkey on the old device and create a new passkey on the new device.

        As any number of articles have pointed out, not all of the kinks have been worked out of the implementation of passkeys and uptake is still quite slow.  I’ll just keep using passwords.  I’ve never had an issue using passwords, don’t see any reason to fix what ain’t broke.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        5 users thanked author for this post.
        • #2604267

          Generally the advice on this website is “wait for the kinks in the patches to get worked out by guinea pigs”.  But for this it’s “PASSKEYS NOW!!” ???  Whiskey Tango Foxtrot.

          No.

          2 users thanked author for this post.
    • #2604211

      Another problem involves losing your device.

      There’s the rub.

      3 users thanked author for this post.
    • #2604215

      Nothing will happen. You delete the current passkey on the old device and create a new passkey on the new device. You better create passkeys on two devices. Passkeys aren’t saved or compared on servers like passwords are.

      I’m under the impression that passkeys are unique for each user/device combo, so if you get a new phone, you have to create a new key and then register it everywhere you’d use it again.  Sounds like a process most won’t look forward to doing each time a device changes.

      With the “key” now being stored on the device instead of on the server; if I can grab that key off your device and mimic the “complicated communications taking place under the covers between your device and a server that you don’t need to know anything about”, then can’t I compromise you everywhere that key is used?

      I think this is just shifting the attack vector and exploits will be found once there is a critical mass of usage with this method.

      3 users thanked author for this post.
      • #2604249

        With the “key” now being stored on the device instead of on the server; if I can grab that key off your device and mimic the “complicated communications taking place under the covers between your device and a server that you don’t need to know anything about”, then can’t I compromise you everywhere that key is used?

        No.

    • #2604216

      then register it everywhere you’d use it again.

      You don’t register passkeys. Every time you connect to a site that supports passkeys your device exchanges private/public keys. Nothing is saved anywhere except the encrypted passkeys on your device.

      • #2604247

        You don’t register passkeys.

        The new phone is not going to be recognized anywhere without creating a new passkey for the new phone, is it?

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        3 users thanked author for this post.
    • #2604240

      I like the concept, somewhat, but I’m still skeptical of the implementation.  Too many unanswered questions for my liking (granted, this article and last week’s are the extent of what I’ve seen).  They’ve just provided a broad-brush overview, as one would expect at this point, and I haven’t had time (nor enough inclination) to investigate further.

      Windows users probably don’t have the same operating system on both their computers and their phones.  What about shared computers?

      USB devices?  My phone’s only USB interface is for the charger, and none of my computers has the same port.  Besides, a USB device is even easier to lose than a computer or a phone; just this morning I discovered a thumb drive in my jacket pocket that I didn’t remember was there (at least I am 99.9% confident it’s mine; it’s my brand, and I probably used it to bring data back from a client site).

      Last week I commented that I don’t trust biometrics because they do change and I don’t know the technological limits for dealing with minor differences (cuts on a finger, eye tumors, etc.).

      I’m looking forward to seeing how this all turns out.  I’m hopeful, but I’m not sure it’s ready for prime time.

      2 users thanked author for this post.
    • #2604250

      I’m trying to follow Brian Livingston’s Passkeys articles.  In the second article, he says to create a passkey on your device.  OK, how do I do that?  There’s no “Passkey” app on my new laptop, but it came with Windows 11 and I’m sure it has the TPM chip.  So what do I click on to create a passkey?

      • #2604251

        I’m trying to follow Brian Livingston’s Passkeys articles. In the second article, he says to create a passkey on your device. OK, how do I do that?

        Note: the website or application you’re trying to sign into must support passkeys in order for them to work. The good news is that the industry is quickly adopting passkeys as an authentication mechanism, so more and more websites and applications are beginning to offer this feature.

        Not so quickly.  So far, there are only 85 sites that use passkeys, per the link in Brian’s article.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
      • #2604275

        You create a passkey by visiting a site which uses passkeys, as he said:

        To create a passkey, you simply use whatever method unlocks your devices: a character-based PIN, your face, a fingerprint, or what have you. You then visit any website or other remote service that’s passkey-compatible.

        Previously saved passkeys can be viewed at Settings, Accounts, Passkey settings (although all you can do with one there is delete it).

        Clicking Details for a site in the passkeys.directory may be the best way to get started so far.

    • #2604264

      This follow-up article is not impressing me any more than the last.  We should not be tethering ourselves to devices ever-more permanently.  Biometrics is a fraught method of authentication, and I’m pretty sure Livingston would have addressed that at some point in his illustrious career as a security researcher.  Biometrics are not legally protected from searches.  Tying identity and authentication to a device with a unique IMEI is essentially the end of journalists being able to conduct research anonymously, without fear of execution.  If the big problems with passwords are social engineering and database breaches, then improve education and database security.  To say nothing of the excerpts below:

      As the FIDO Alliance describes it, “When a user creates a passkey on any of their devices, it gets synced to all the user’s other devices running the same OS platform which are also signed into the same user’s platform account.”

      Another problem involves losing your device. Smartphones and laptops are stolen all the time. If your passkey is in the device — which is now gone — how do you re-establish access to all the websites where you’ve enjoyed a passwordless sign-in? …Passkey recovery needs to be included in a company’s thinking. Google solved part of the problem when it released Android 14 for smartphones last month. The new version of the mobile OS allows users to select a third-party passkey credential provider, which is similar to an online password manager (but more secure). Credential providers enable passkeys to be synchronized across different ecosystems…

      You know what both of the above sound like?  Transmitting the information over the Internet.

      3 users thanked author for this post.
      • #2604303

        Passkeys can use a PIN (or pattern) instead of biometrics.

        Passkeys are securely encrypted on-device before being synced, and require decrypting on new devices.

        Passwordless login with passkeys

        1 user thanked author for this post.
    • #2604302

      B. Livingston wrote:

      I have already created all those passwords that each server requires.  I have them safely stored in a password-protected file on my daily driver.

      I’ve also been using an AES-256 ENCRYPTED password-protected file on my daily driver.  Opening this encrypted file with a HEX editor reveals nothing.  Opening the same file when it’s not encrypted with a HEX editor is a different story.

      I use a long and different PW for every site.  No way can I memorize any of them, but I don’t have to.  I can easily and safely wait out the startup brouhaha around passkeys.

      I do believe passkeys will eventually be widely adopted.  It’s still quite early and the naysayers are plentiful, but that is always the case.

      Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

      • #2604343

        B. Livingston wrote: I have already created all those passwords that each server requires. I have them safely stored in a password-protected file on my daily driver.

        That was me, not Brian.

        I use a long and different PW for every site. No way can I memorize any of them, but I don’t have to. I can easily and safely wait out the startup brouhaha around passkeys.

        I also will wait.  I’m not in the target audience for passkeys; I have had no issues with user id and password, nor do I expect any.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        1 user thanked author for this post.
        • #2604356

          That was me, not Brian.

          Whoops.  I knew it was you.  Got in a sloppy hurry.   Thanks for letting me know.

          Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

    • #2604351

      Transmitting the information over the Internet.

      No. Passkeys never leave your device and are never transmitted over the Internet. They may be shared with your other devices connected to your home network.

      • #2604519

        So if you have *only* one device, and for some reason you lose access over it (lost, stolen, destroyed), you are, in fact, locked out of your accounts permanently because you don’t have the only device capable of authenticating you?

        1 user thanked author for this post.
        • #2604552

          So if you have *only* one device, and for some reason you lose access over it (lost, stolen, destroyed), you are, in fact, locked out of your accounts permanently because you don’t have the only device capable of authenticating you?

          No, you would not be locked out:

          How you are expected to recover from this, some choices:
          * Use a cloud based password manager that supports passkeys. Recent example: 1Password in their browser extension. The cloud service will synchronize passkeys across multi-platform devices.
          * Use the services of the platform. Examples: Microsoft, Google, Apple. Passkeys are synchronized across devices from the same OS family.
          * Put two devices close together from different OSes and use Bluetooth Low Energy to synchronize passkeys.
          * Use a FIDO2 hardware security key.

          Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

          • #2604560

            I’m not sure if I’m not explaining clearly or if everyone is misunderstanding me.  All those other options involve passwords or other devices and therefore there is some continuity of devices involved.  I’m talking about starting from zero.

            Example.  The year is 2080, and for reasons called This Is A Hypothetical Situation, the world is exactly the same as in 2023 except the password-to-passkey conversion is complete across the entire world of computers and the internet and passwords no longer exist.

            At 2am your house is consumed in a five-alarm fire.  The only material possessions you have are the clothes you ran out in.  Every computer, laptop, phone, token-generating dongle, and FIDO/USB key you had that had been “synced” and ever had your passkeys for your accounts stored on them is a puddle of melted plastic and silicon.  While you get back on your feet, you’ll be making ample use of your local library’s computers, even though you haven’t set foot in your local library in a decade and they’ve swapped out all their hardware in that time.

            How do you log into your email, your bank, and AskWoody in this specific scenario?

            2 users thanked author for this post.
    • #2604408

      While certain design aspects of passkeys are more secure than passwords, passkey security and usability issues remain unresolved.

      A passkey database should be independent of platform. Right now we have passkey islands offered by Microsoft, Google, Apple, etc: the fragmentation problem. A solution to this problem is to choose a passkey implementation from a third-party vendor that supports multiple platforms.

      Do passkeys solve the stolen, or broken or lost or forgot device problem?

      A passkey database should be portable to multiple devices on different platforms. The last thing you want, is to tie yourself to a specific cloud platform or an operating system or a specific device, with respect to how you authenticate to web sites.

      An end-user should be able to export and import a passkey database. Can you backup your passkeys to an encrypted file you control?

      You still need a long and complex master password to lock your passkey store. If you fall for the six digit pin charade, you remain insecure. With biometrics, you can still be forced to open the passkey store.

      A better passkey architecture is a local portable OS independent and device independent passkey store that can be opened and closed as desired. We have this design already with a local password manager. Do you want an open key store when you are not 100% sure what you just clicked on?

      Wait for passkey design improvements and/or better passkey implementation?

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

      7 users thanked author for this post.
      • #2604436

        You still need a long and complex master password to lock your passkey store. If you fall for the six digit pin charade, you remain insecure.

        Why?

        It would take 19 years to try every possible combination of a 6-digit PIN:

        The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
        PIN is backed by hardware

        For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes.
        TPM 2.0 anti-hammering

         

        With biometrics, you can still be forced to open the passkey store.

        Does anyone except a criminal need to be concerned by that?

         

        Do you want an open key store when you are not 100% sure what you just clicked on?

        A passkey can only be used with the genuine site which created it.

         

        1 user thanked author for this post.
        • #2608605

          oldfry wrote: With biometrics, you can still be forced to open the passkey store. b replied: Does anyone except a criminal need to be concerned by that?

          What happens if you are the victim and your body is used by a criminal or bad government to force open your credential store?

          oldfry wrote: Do you want an open private key store when you are not 100% sure what you just clicked on? Then b replied: A passkey can only be used with the genuine site which created it.

          Ok, but: The general idea is to layer your security as follows: Do not tie your credential store to an OS logon. Open the credential store only when you need to log into a web site. Why? If you click on a bad link, and your security provider fails to block the trojan in real time, you have left your credential store(s) exposed. (Normally our password/passkey managers are locked. When unlocked, our browsing behavior gets conservative. When re-locked, we can return to our web research.)

          oldfry wrote: You still need a long and complex master password to lock your passkey store. If you fall for the six digit pin charade, you remain insecure. b replied: Why? It would take 19 years to try every possible combination of a 6-digit PIN…

          Ok, but: Not all of our devices are running Windows 11 and have a TPM. We use the same password manager sync’ed across different platforms / OSes.

          Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2604432

      I do not login to a Microsoft account on my Windows computer, I use a local account.  Will adopting passkeys force me to log into a Microsoft account each time I start Windows 10 or 11?

      1 user thanked author for this post.
    • #2604506

      A passkey database should be independent of platform. Right now we have passkey islands offered by Microsoft, Google, Apple, etc: the fragmentation problem.

      There is no passkey database nor fragmentation.
      Passkeys are created and stored on your device. Nothing is transmitted anywhere.

    • #2604577

      Your passkey is not sent back and forth. If you’re able to sign in to your device, you can then access websites that recognize that device. Only a CHALLENGE is sent by the server to you. If your device can send back the correct RESPONSE (i.e., public/private key encryption), you’re in.

      Real world, no scenario.  I have four Visa credit cards with three banks and one credit union.  User ID and strong passwords have long been established.  All four use very similar algorithmic routines for login.  I enter my ID and password via HTTPS, the institution checks for the last cookie they placed in my device during my last transaction.  If it is there, they issue a fresh cookie and proceed with login.

      If that last-used cookie is not there, “a challenge is sent by the server to [me]”.  That challenge is “This device is unfamiliar to us.  How shall we confirm that this is you?  Text, or call?”  Even if the institution has been hacked (to date, that hasn’t happened) and a Bad Actor has bought my ID, password and phone number from some dark site, said Bad Actor doesn’t have my phone.  The window of opportunity (to enter the passcode) is short, and if it closes, the account is locked.

      Visa fraud protection protects me from any and all illicit purchases.  My credit union will not transfer any money to any account or bill-pay for at least three days, but will email me a notice within a couple of minutes of any pending transactions, allowing me plenty of time to cancel.  I know the cookie thing works because every time I restore a drive image, it pops up for me; the cookie on my PC is not the latest one.

      All these protections are already in place, tried and true, known good.  What incentive do I have for jumping through multiple series of new hoops (everybody in the field is not yet playing nicely with others) for something that is not particularly going to work any better?  In my experience, all I’ve seen so far is just FUD.  I’ll “be done with passwords” when passwords are no longer accepted.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      6 users thanked author for this post.
    • #2605105

      Passwords (read: “sequences of ascii bytes” that I can remember without external tools) have always worked well for me. Use distinct, sufficiently long sequences and you’re fine.

      Anytime some other system gets involved, chaos ensues.  Case in point: I’m in Taiwan for a couple weeks. I go to login to my personal Outlook account and Microsoft is sounding alarms because my user/password was used successfully on the first attempt to login to my account (which is typically accessed from US regions).  To verify it’s me, I’m to login to another account I’ve designated (another Outlook or gmail account) — but oh no! Those accounts are now being logged into by someone in Taiwan…coincidence?  Nah.  Finally a few accounts upstream, I was able to resolve the concerns by using WiFi calling to receive authentication text message codes from Microsoft & Google… because we all know those can’t be easily spoofed…

      Sure, there may be some hacker that can’t grasp the concept of vpn/proxy for hacking my account, but really? If someone is able to provide my user/password in a single attempt (and even for multiple accounts) then I have bigger problems than that.

       

      Most of these new “security solutions” are merely “feel good” measures that are trivial to defeat for a real hacker, but waste tons of time for legitimate users. A good password that is properly protected by the service is still the best route in almost every situation.

      2 users thanked author for this post.
    • #2606734

      I’ve reviewed FIDO’s FAQs and the comments posted here and have not found my concern addressed. What happens/how does the passkey system work when one person wants to access two or more accounts at the same site? For example, using a smartphone—a one user device—access account “A” and later—using the same smartphone—access account “B” at the same site? And, how does my spouse using her smartphone perform the same multiple account accesses at the same site?

      1 user thanked author for this post.
    • #2606965

      https vs http wasn’t needed for the bulk of sites, but alas the world that loves to fret about “man made climate change” decides to mandate https and burn more cpu cycles. Worst decision in the world? Not by a long shot, but still very resource wasteful in many instances.

      FIDO, FIDO2 are not secure. The world’s technology is moving BACKWARDS by mandating these foolish changes.

    • #2607467

      All this new authentication sounds great. We all know some people are just stupid about creating good passwords. Mainly because they have to remember so many. But I am also always skeptical when anyone starts telling me something is better and safer. I hear and read this all the time until someone figures out how to breach it. We all know eventually Passkey will become another target and someone will find a way. I always say use what you feel comfortable with and, just like 2 step authentication, if it creates more hassle for people they will simply avoid it.

      1 user thanked author for this post.
    • #2614936

      Looks like more people are using passkeys than expected

      The initial projections for the new passwordless technology were less than half the current figure.

      “it will still take at least 5 years for passkey-only authentication to be adopted more broadly.”

      1Password sees passkeys exceed 700k
