this post was submitted on 28 Feb 2025
549 points (93.5% liked)

memes

12777 readers
3322 users here now

Community rules

1. Be civilNo trolling, bigotry or other insulting / annoying behaviour

2. No politicsThis is non-politics community. For political memes please go to !politicalmemes@lemmy.world

3. No recent repostsCheck for reposts when posting a meme, you can only repost after 1 month

4. No botsNo bots without the express approval of the mods or the admins

5. No Spam/AdsNo advertisements or spam. This is an instance rule and the only way to live.

A collection of some classic Lemmy memes for your enjoyment

Sister communities

founded 2 years ago
MODERATORS
Tenthrow@lemmy.world
The_Picard_Maneuver@lemmy.world
The_Picard_Maneuver@startrek.website
549
Take your passkey and shove it where the sun don't shine (lemmy.world)
submitted 1 week ago by cm0002@lemmy.world to c/memes@lemmy.world
177 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] hemko@lemmy.dbzer0.com 62 points 1 week ago (4 children)

What's wrong with passkeys? I'm in love with passwordless sign-in with yubikey, so much easier and faster than password + totp

[–] deegeese@sopuli.xyz 54 points 1 week ago (3 children)

It’s shitty user experience when forced to dig out my phone to authenticate myself to a site I barely give half a shit about.

Like I wouldn’t even have an account if it wasn’t forced, and now you assholes want my phone too?

[–] hemko@lemmy.dbzer0.com 44 points 1 week ago (1 children)

I think you're describing SMS passcode, totp or other such factors.

Passcode doesn't require phone necessarily, but you can use it too

[–] Kusimulkku@lemm.ee 15 points 1 week ago* (last edited 1 week ago) (2 children)

A lot of the stuff that has implemented passkeys so far are on mobile. And I mean the apps serving them out, not things you authenticate to.

[–] 4am@lemm.ee 13 points 1 week ago (1 children)

BitWarden has a desktop extension and it also handles 2FA. No reason to be using a password, which is way less secure and can be extracted from a website DB via a hack.

[–] Kusimulkku@lemm.ee 4 points 1 week ago (2 children)

Doesn't the 2FA protect users still, if they only got the password?

[–] perfectly_boiled_pizza@lemmy.world 3 points 1 week ago* (last edited 1 week ago) (1 children)

In practice, yes. IF IMPLEMENTED PROPERLY it would be extremely unlikely for an attacker to get in.

For example with a proper implementation of TOTP it would require an attacker to guess the correct number between 0 and 999999 in less than half a minute. Most services make you wait a little bit (often less than humans notice) between attempts and don't allow infinite attempts, so an attacker would have to be unimaginably lucky.

There are sadly lots of huge companies that DON'T IMPLEMENT 2FA PROPERLY. Sony Entertainment (account for PlayStation) for example. So a unique and long password is still important.

[–] Natanael@infosec.pub 2 points 1 week ago

TOTP can be phished remotely, passkeys / hardware security keys can't (need to get malware into the users' computer instead)

[–] vonbaronhans@midwest.social 0 points 1 week ago

It does, but not everyone sets up their 2fa, or uses the least secure forms. Then passwords get hacked, and those lists get shared so when the next hack comes along, they have that many more tools to try and break the encryption (assuming there is any) on a bigger site, compromising even more people.

It's a whole systemic shit bag. Passkeys were meant to solve a lot of these problems, and they would, but Big Tech is botching the execution in favor of yet another thing locking you into their ecosystem.

[–] Ulrich@feddit.org 1 points 1 week ago

Well that's not a problem with Passkeys, that's a problem with implementation. The ones I use are saved to a password manager and can be used anywhere that password manager is installed.

[–] dohpaz42@lemmy.world 15 points 1 week ago (1 children)

In store my passkeys in my password manager, which has a desktop app to access passkeys. What are you using that you have to always use your phone?

[–] Natanael@infosec.pub 2 points 1 week ago

Google Chrome on PC can let you verify from the phone to unlock passkeys

[–] henfredemars@infosec.pub 10 points 1 week ago (3 children)

I don't like how there isn't a nice, cross-platform and secure way to sync my keys. Not all services allow multiple keys to exist at once.

[–] AtariDump@lemmy.world 14 points 1 week ago

Bitwarden syncs passkeys.

[–] semperverus@lemmy.world 14 points 1 week ago (1 children)

The syncing of keys allows for much greater attack surface.

Its being worked on right now but the standard hasn't been finalized yet.

[–] Kusimulkku@lemm.ee 11 points 1 week ago

Until exporting and syncing keys is properly implemented, passkeys can go kick rocks.

[–] hemko@lemmy.dbzer0.com 7 points 1 week ago

I mean I'm just using my yubikey for the keys, it's traveling in my pocket everywhere and use it on any platform

[–] marcos@lemmy.world 7 points 1 week ago

Until sites start disallowing youbikeys because it doesn't make it impossible for you to backup your keys...

What is planned to happen.

[–] Chocrates@lemmy.world 2 points 1 week ago (1 children)

Shouldn't you still need 2fa, and use the passkey as the second auth?

[–] hemko@lemmy.dbzer0.com 6 points 1 week ago* (last edited 1 week ago)

The passkey is still protected with another factor, such as pin code or biometrics

Like when I login to my account, I put the yubikey to usb port, then browser asks me to unlock it using pin code, then I'll touch the yubikey to confirm I'm in physical access to it, and only then it allows the authentication

In practice this takes about 2 seconds