• Microsoft introduces passkeys for consumer accounts


    • This topic has 11 replies, 7 voices, and was last updated 1 year ago.
    #2666687

    https://www.microsoft.com/en-us/security/blog/2024/05/02/microsoft-introduces-passkeys-for-consumer-accounts/?ranMID=24542&OCID=AIDcmm549zy227_aff_7593_1243925

    …Starting today, you can use a passkey to access your Microsoft account using your face, fingerprint, or device PIN on Windows, Google, and Apple platforms. Your passkey gives you quick and easy access to the Microsoft services you use every day, and it will do a much better job than your password of protecting your account from malicious attacks…

    2 users thanked author for this post.
    • #2666805

      What exactly are “passkeys” and why are they an improvement over passwords?

      For example, an explanation of “passkeys” on “The Verge” says: “you can sign in to Gmail, PayPal, or iCloud just by activating Face ID on your iPhone, your Android phone’s fingerprint sensor, or with Windows Hello on a PC.”

      But I don’t have an iPhone, my Android phone does not have a fingerprint sensor, and I have never used “Windows Hello” on my PC.

      Another online comment says: “Google is offering another choice: using a passkey — a secure credential tied to the PIN or biometric authentication your device already uses.”

      But I don’t use a PIN on my phone or PC and there is no biometric authentication on any of my devices that I know of. Plus if I have to remember a PIN, how is that better than just remembering a password?

      Finally, I note that I do not use secure logon to either my PC or my phone, since I am the only person who uses them or has access to them and it seems like a needless hassle to logon to the device every time I use it.

      Clearly, I am missing the point of passkeys, but I do wonder if anybody can explain why passkeys are better or simpler than passwords, since they certainly don’t seem easier to use.

      Thanks for any comments or explanations.


      • #2666847

        What exactly are “passkeys” and why are they an improvement over passwords?

        That’s explained in detail in the linked article to which you replied.

        But I don’t have an iPhone, my Android phone does not have a fingerprint sensor, and I have never used “Windows Hello” on my PC.

        Perhaps you should start doing so.

        But I don’t use a PIN on my phone or PC and there is no biometric authentication on any of my devices that I know of. Plus if I have to remember a PIN, how is that better than just remembering a password?

        A PIN is local to your device, not transmitted and can’t be used anywhere else.

        You only have to remember one PIN instead of struggling to remember a hundred passwords.

        Finally, I note that I do not use secure logon to either my PC or my phone, since I am the only person who uses them or has access to them and it seems like a needless hassle to logon to the device every time I use it.

        If a four-digit PIN to unlock your phone or PC is too much hassle, you should stick with the inconvenience and risks of using passwords for everything else.

    • #2666857

      The idea behind “passkeys” is: If users don’t use passwords, their passwords can’t be stolen.

      Now their passkeys can be stolen instead 😀

      If you’re wondering why having a passkey stolen is any better than having a password stolen, you’re thinking more than the average user. Users who use the same password for multiple devices/services could theoretically benefit as each device/service would have a different passkey that would need to be stolen (vs. steal one password and you can access anything).

      A passkey in the real world (formerly known as a master key before political correctness struck) allows a single key to open multiple locks that otherwise would require distinct keys to open.  Ironically (or not so ironically?) copies of passkeys are stored in the cloud, encrypted. Once decrypted, whoever has a copy effectively has your passkey 😀

      Publicly, this is being promoted by the FIDO crew for various purposes.

      Personally, I think once people begin to understand the underlying implementation they will wake up and see the obvious. For those who prioritize security, unique passwords and keys are not going away anytime soon.

      • #2666867

        Now their passkeys can be stolen instead 😀

        Please explain how.

        From the original linked article:

        Passkeys work differently than passwords. Instead of a single, vulnerable secret, passkey access uses two unique keys, known as a cryptographic key pair. One key is stored safely on your device, guarded by your biometrics or PIN. The other key stays with the app or website for which you create the passkey. You need both parts of the key pair to sign in, just as you need both your key and the bank’s key to get into your safety deposit box.

        1 user thanked author for this post.
    • #2666969

      Now their passkeys can be stolen instead

      There are a billion articles about passkeys yet you managed to post this fake conspiracy?

      Passkeys can’t be hacked or stolen.

      1 user thanked author for this post.
    • #2667819

      What exactly are “passkeys” and why are they an improvement over passwords?

      A passkey is an alternative method of user authentication that eliminates the need for usernames and passwords. It was hoped to be more secure and easier to use.

      Regarding @Roger’s choice not to use biometric logins or PINs to access his personal devices, I don’t use them, either. I’m not ignorant. I’ve reviewed my personal risk assessment having reviewed EFF’s (Electronic Frontier Foundation) Surveillance Self Defense and assessing my personal risk and needs. Respect for individual choices is something missing all too often in tech discussions.

      Although touted as a great leap in security, the problems with Passkeys are becoming evident. There are those of us that having been trained by Microsoft to be wary of the next best thing that were expecting this. It was reasonable to allow others to be guinea pigs. Caution is still advisable.

      There are a billion articles about passkeys yet you managed to post this fake conspiracy?

      Security expert Steve Gibson reviews the current problems in his podcast, Security Now, “Passkeys, A Shattered Dream?” I regret this isn’t an article I can quote, but reading is increasingly difficult for me, personally, and so I tend to enjoy podcasts.

      One of the main problems with Passkeys is that the original vision of them being universal, has been stymied by Google’s failure to incorporate the needed standard in Chrome. This is yet another example how lack of competition results in a monopoly making unilateral decisions, disregarding the well thought out standards. Instead of interoperability, the current implementation uses Vendor lock, without portability by the end user. Windows, Google, and Apple are all examples of how vendor lock in results in enshittification… where end user experience is made worse so vendors can extract more money.

      Devices themselves have limits as to how many Passkeys they are capable of creating and using. End users may have failure of Passkey creation, and/or authentication, due to problems in the current system.

      Another problem is that your Passkeys can be unilaterally erased by (for example) Apple, if you are using an iPhone. End consumers are left to figure out how to fix a problem they didn’t make… sometimes at quite inopportune times.

      Passkeys are a technology still in development. That technically skilled first adopters are having problems with them, problems that remain unresolved, points to their being unsuitable for regular consumers. That has never stopped big tech from forcing things onto their locked in users…

      Passkeys could be useful for corporate security, so that passwords cannot be hacked, and the employee who encounters a problem can readily turn to their corporate IT security department to quickly resolve issues. Would that normal end users had such expertise readily available in a timely manner!

      I believe @Roger has asked valid questions, and this site is dedicated to answering just those kind of questions. He deserved a better, more thorough and balanced response. Passkeys had promised a more secure, less hackable, tool for authenticating the end user. They are still in development, and another tool in our security tool box… but definitely not a cure all.

      Non-techy Win 10 Pro and Linux Mint experimenter

      13 users thanked author for this post.
      • #2667942

        A passkey … was hoped to be more secure and easier to use.

        I’ve reviewed my personal risk assessment having reviewed EFF’s (Electronic Frontier Foundation) Surveillance Self Defense and assessing my personal risk and needs.

        EFF’s Surveillance Self Defense finds that passkeys are actually more secure and easier to use:

        Passkeys are a newer option for logging in that provide all the security of 2FA, with a lot less hassle.

        If you’re already using 2FA on a given site, a passkey will be much more convenient, and may be more secure. SMS or authenticator app 2FA methods are vulnerable to phishing attacks, since a fake site can ask you for the one-time code and pass it along to the real site along with your phished password. Passkeys are more secure than SMS or authenticator app 2FA because they aren’t vulnerable to phishing. Your browser knows exactly which site goes with which passkey, and isn’t tricked by fake websites.

        What About Passkeys? [EFF — March 11, 2024]


        Devices themselves have limits as to how many Passkeys they are capable of creating and using.

        Only hardware security key devices like YubiKeys, as mentioned in Steve Gibson’s Security Now podcast:

        “physical hardware security keys are excluded because they often have extremely low limits on storage, the largest being 25 for Yubikeys.”

        Devices running Windows, Android etc. can store an unlimited number of passkeys.

        • #2667987

          1) The EFF quote is about Passkeys as compared to two factor authentication. They have excellent recommendations, but are up front about assessing risks, and assessing what is available to counter risks. Elimination of risk is not possible, and they have tools and recommendations for multiple levels of risk. My quoted comment is about my personal risk assessment. The two are not equivalent or related. I do find EFF to keep up on changes in a fairly timely manner, and respect their recommendations. They do not look down on people for making particular risk choices, but inform as to what is available.

          2) Steve Gibson includes current data, sources of data, and analysis of what that data means for end users, including aspects which big tech would prefer to hide… I find him credible, and he documents where his information comes from.

          3) Using Passkeys on Chrome or Safari will lock you into that platform. Your credentials are not exportable or extractable.

          4) Android won’t activate your security key if a website sends you the set of options for Passkeys, denying you choice. Thus the identity provider chooses what device to use, without your input. Developer examples only show Google passkeys stored in Google Password Manager. Lock in.

          5) GitHub passkey beta and GitHub passkey threads have instances of users whose security keys are not able to be enrolled as the resident key slots are filled, Android not creating passkeys due to platform bugs, some devices needing firmware resets to create passkeys, and keys that can be saved on the client but not on the server, leading to duplicate account presence and credentials that don’t work or, worse, lead users to delete the real credentials.

          These problems exist for technical early adopters… and are not things that non techy end users could or should be forced into resolving on their own. Hm… not finding them in the billions of articles on the joys of Passkeys, either…

          Non-techy Win 10 Pro and Linux Mint experimenter

          3 users thanked author for this post.
          • #2668149

            1) The EFF quote is about Passkeys as compared to two factor authentication.

            Yes; they recommend using two factor authentication for as many accounts as possible, and highlight that passkeys are more convenient and secure:

            Like all security and privacy topics, the answer is “it depends.” But for most people, passkeys are a good idea. If you’re already using a password manager, generating long unique passwords for each website, and always using the autofill features to log in (i.e. not copy-pasting passwords), passkeys will provide a slightly higher level of security with significantly more convenience.

            If you’re not already using a password manager, passkeys will be a tremendous increase in security (and will also require you to start using a password manager).

            Should I use passkeys? [EFF — OCTOBER 26, 2023]

            Conclusion

            For most purposes, passkeys will represent a significant improvement in security at nearly zero cost to privacy. As described in the previous post, there are still significant growing pains in the passkey ecosystem, but they will likely be resolved in the near future.

            Passkeys and Privacy [EFF — OCTOBER 26, 2023]

            1 user thanked author for this post.
    • #2667891

      Hey Y’all,

      FYI: if you try to create passkeys on your Windows computer with a LOCAL account you’ll run into problems unless you have set a PIN.

      I tried setting up Google with a passkey and it gave me errors as it wanted Windows Hello! I solved it by going into Settings and setting up Windows Hello with a PIN (my computers don’t have a fingerprint reader or Windows Hello capable camera).

      In the end I came to the conclusion I’m, at least for now, just as safe using authentication apps and/or text messages for 2FA and leaving passkeys time to mature and standardize.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      5 users thanked author for this post.
      • #2667973

        …Starting today, you can use a passkey to access your Microsoft account using your face, fingerprint, or device PIN on Windows, Google, and Apple platforms.

        I don’t use a Microsoft account to access my devices.

        In the end I came to the conclusion I’m, at least for now, just as safe using authentication apps and/or text messages for 2FA and leaving passkeys time to mature and standardize.

        Until passkeys are an absolute requirement everywhere, and username/password are no longer accepted, I have neither reason nor need to go through the effort to set them up, no matter how small an effort that might be.


        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        2 users thanked author for this post.